
Overview of the FortiManager API Vulnerability

Recently, a critical API vulnerability in FortiManager (CVE-2024-47575) was disclosed. Certain threat actors exploited it in the wild to steal sensitive information, including configurations, IP addresses, and credentials used by managed devices. In advance notification emails, Fortinet warned its users of the vulnerability and the mitigation steps. The vulnerability has a critical severity rating of 9.8 out of 10. This flaw could enable an attacker to execute arbitrary code or commands because of missing authentication in the fgfmd daemon.

The FortiGate to FortiManager Protocol (FGFM) enables customers to deploy FortiGate firewall devices and register them with a remote FortiManager server, allowing centralized management of these devices from a single location. The FGFM API was vulnerable to authentication bypass, allowing unauthenticated attackers to execute commands, retrieve sensitive information, and compromise the environment.

Mandiant observed that a new threat cluster tracked as UNC5820 exploited this vulnerability starting on June 27, 2024. The threat actor extracted configuration data from FortiGate devices managed by the exploited FortiManager. The data consists of the configuration settings of the managed devices, sensitive information about their users, and the users' FortiOS256-hashed passwords. There is no evidence that the threat actor leveraged this vulnerability. Additionally, there is no evidence to prove that the threat…
