CVE-2024-47575 - FortiManager Authentication Bypass
CVE-2024-47575, also known as **FortiJump**, is a critical zero-day vulnerability affecting **FortiManager**, a centralized management platform for Fortinet devices. The vulnerability arises due to missing authentication checks in specific FortiManager REST API endpoints. An unauthenticated attacker with network access to the FortiManager device can exploit this flaw to execute arbitrary code or commands, potentially leading to complete system compromise. --- ## Affected Versions | FortiManager Version | Status | |------------------------|--------------------| | **7.2.0 to 7.2.3** | Affected | | **7.0.0 to 7.0.7** | Affected | | **6.4.0 to 6.4.11** | Affected | | **6.2.x and earlier** | Potentially Affected | | **7.2.4 and above** | **Patched** | | **7.0.8 and above** | **Patched** | | **6.4.12 and above** | **Patched** | *Note:* Old FortiAnalyzer models 1000E, 1000F, 2000E, 3000E, 3000F, 3000G, 3500E, 3500F, 3500G, 3700F, 3700G, 3900E with the following feature enabled (FortiManager on FortiAnalyzer): config system global set fmg-status enable end And at least one interface with the fgfm service enabled is also impacted by this vulnerability. --- ## Playbook Flow 1. Create, Tag, and Block Indicators 2. Hunt **Automatically** for Suspicious Behavior Related to the exploitation flow using XQL **Note: The 'fortinet_fortimanager_raw' dataset must be available for the XQL queries completion.** 3. Provide Mitigations and Workarounds --- **References**: - [Fortinet PSIRT Advisory FG-IR-24-423](https://www.fortiguard.com/psirt/FG-IR-24-423) --- By following this playbook, organizations can effectively respond to and mitigate the risks associated with **CVE-2024-47575 (FortiJump)**.
CVE-2024-47575 - FortiManager Authentication Bypass · 14 tasks · 1 input · 0 outputs
Inputs
rawIoCs— FortiGuard Labs IoCs
Commands used
createNewIndicator
extractIndicators
xdr-xql-generic-query