CVE-2024-47575 - FortiManager Authentication Bypass

CVE-2024-47575, also known as **FortiJump**, is a critical zero-day vulnerability affecting **FortiManager**, a centralized management platform for Fortinet devices. The vulnerability arises due to missing authentication checks in specific FortiManager REST API endpoints. An unauthenticated attacker with network access to the FortiManager device can exploit this flaw to execute arbitrary code or commands, potentially leading to complete system compromise. --- ## Affected Versions | FortiManager Version | Status | |------------------------|--------------------| | **7.2.0 to 7.2.3** | Affected | | **7.0.0 to 7.0.7** | Affected | | **6.4.0 to 6.4.11** | Affected | | **6.2.x and earlier** | Potentially Affected | | **7.2.4 and above** | **Patched** | | **7.0.8 and above** | **Patched** | | **6.4.12 and above** | **Patched** | *Note:* Old FortiAnalyzer models 1000E, 1000F, 2000E, 3000E, 3000F, 3000G, 3500E, 3500F, 3500G, 3700F, 3700G, 3900E with the following feature enabled (FortiManager on FortiAnalyzer): config system global set fmg-status enable end And at least one interface with the fgfm service enabled is also impacted by this vulnerability. --- ## Playbook Flow 1. Create, Tag, and Block Indicators 2. Hunt **Automatically** for Suspicious Behavior Related to the exploitation flow using XQL **Note: The 'fortinet_fortimanager_raw' dataset must be available for the XQL queries completion.** 3. Provide Mitigations and Workarounds --- **References**: - [Fortinet PSIRT Advisory FG-IR-24-423](https://www.fortiguard.com/psirt/FG-IR-24-423) --- By following this playbook, organizations can effectively respond to and mitigate the risks associated with **CVE-2024-47575 (FortiJump)**.

CVE-2024-47575 - FortiManager Authentication Bypass · 14 tasks · 1 input · 0 outputs

Inputs

  • rawIoCs — FortiGuard Labs IoCs

Commands used

createNewIndicator extractIndicators xdr-xql-generic-query

Flowchart

yes Start Start Extract indicators from hardcoded input - extractIndicators Extract indicators from h... extractIndicators Create and Tag Indicators Create and Tag Indicators IP Indicators - createNewIndicator IP Indicators createNewIndicator CVE Indicators - createNewIndicator CVE Indicators createNewIndicator XQL Hunting Queries XQL Hunting Queries Unusual configuration changes - xdr-xql-generic-query Unusual configuration cha... xdr-xql-generic-query Known IOCs and post-exploitation artifacts - xdr-xql-generic-query Known IOCs and post-explo... xdr-xql-generic-query Email Indicators - createNewIndicator Email Indicators createNewIndicator Mitigations Mitigations Recommended Mitigations and Workarounds Recommended Mitigations a... Done Done Suspicious activity detected? Suspicious activity detec... Threat Hunting findings acknowledgement Threat Hunting findings a...