CVE-2024-47575, also known as FortiJump, is a critical (CVSS 9.8) missing-authentication-for-critical-function vulnerability in FortiManager and FortiManager Cloud. Threat researcher Kevin Beaumont published a blog post on October 22nd, 2024 identifying this vulnerability as a zero day. This vulnerability is separate from CVE-2024-23113, which also affects FortiGate devices.
FortiJump affects the FortiGate to FortiManager (FGFM) protocol, which is used throughout FortiGate and FortiManager deployments to manage FortiGate firewalls, including creating groups, adding devices, installing policy packages, and managing device settings.
A Shodan search reveals approximately 60,000 FGFM assets are externally exposed worldwide, indicating a significant potential scale of exploitation.
What assets are affected by FortiJump?
This vulnerability affects the FortiManager versions below:
FortiManager 7.6.0
FortiManager 7.4.0 through 7.4.4
FortiManager 7.2.0 through 7.2.7
FortiManager 7.0.0 through 7.0.12
FortiManager 6.4.0 through 6.4.14
FortiManager 6.2.0 through 6.2.12
FortiManager Cloud 7.4.1 through 7.4.4
FortiManager Cloud 7.2.1 through 7.2.7
FortiManager Cloud 7.0.1 through 7.0.12
FortiManager Cloud 6.4 all versions
Fortinet also disclosed that FortiAnalyzer models 1000E, 1000F, 2000E, 3000E, 3000F, 3000G, 3500E, 3500F, 3500G, 3700F, 3700G, 3900E with a specific feature enabled are vulnerable.
FortiManager Cloud 7.6 is not affected by FortiJump.
What is the impact of this vulnerability?
This flaw stems from several lax security defaults in FortiManager, chief among them that FGFM allows unauthorized and unknown devices to register without any authentication. All that is required is a valid certificate, and attackers can reuse a certificate taken from any FortiGate box.
Once registered, attackers can execute arbitrary code or commands, potentially escalating to remote code execution (RCE) or taking over the management of FortiGate firewalls.
This vulnerability poses significant risks because it lets attackers move in both directions: downstream, from FortiManager into the internal networks behind the firewalls it manages, and upstream, leveraging a compromised FortiGate firewall to jump to the FortiManager connected to it and from there to any other internal network connected to that FortiManager instance.
Is a fix available?
Fortinet has released patches for some affected versions and suggests migration to a fixed release for others:
FortiManager 7.6.0: Upgrade to 7.6.1 or above
FortiManager 7.4.0 through 7.4.4: Upgrade to 7.4.5 or above
FortiManager 7.2.0 through 7.2.7: Upgrade to 7.2.8 or above
FortiManager 7.0.0 through 7.0.12: Upgrade to 7.0.13 or above
FortiManager 6.4.0 through 6.4.14: Upgrade to 6.4.15 or above
FortiManager 6.2.0 through 6.2.12: Upgrade to 6.2.13 or above
FortiManager Cloud 7.4.1 through 7.4.4: Upgrade to 7.4.5 or above
FortiManager Cloud 7.2.1 through 7.2.7: Upgrade to 7.2.8 or above
FortiManager Cloud 7.0.1 through 7.0.12: Upgrade to 7.0.13 or above
FortiManager Cloud 6.4 all versions: Migrate to a fixed release
Because FortiManager Cloud 7.6 is not affected by FortiJump, no action is required.
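As an added example (not code from the CyCognito post or from Fortinet), the Python below encodes the affected and fixed version table above so an inventory of FortiManager assets can be triaged for patch tracking; the product strings and the inventory tuple layout are assumptions of this example.

```python
# Added example (not from the CyCognito post or Fortinet): triage FortiManager
# assets against the affected/fixed version table stated in the advisory.
import re

# (product, first affected, last affected, fixed release) as listed in the post.
# last=None means every patch of that minor ("6.4 all versions");
# fixed=None means Fortinet advises migrating to a fixed release.
AFFECTED = [
    ("FortiManager", "7.6.0", "7.6.0", "7.6.1"),
    ("FortiManager", "7.4.0", "7.4.4", "7.4.5"),
    ("FortiManager", "7.2.0", "7.2.7", "7.2.8"),
    ("FortiManager", "7.0.0", "7.0.12", "7.0.13"),
    ("FortiManager", "6.4.0", "6.4.14", "6.4.15"),
    ("FortiManager", "6.2.0", "6.2.12", "6.2.13"),
    ("FortiManager Cloud", "7.4.1", "7.4.4", "7.4.5"),
    ("FortiManager Cloud", "7.2.1", "7.2.7", "7.2.8"),
    ("FortiManager Cloud", "7.0.1", "7.0.12", "7.0.13"),
    ("FortiManager Cloud", "6.4.0", None, None),
]

def parse_version(v):
    """'7.0.12' -> (7, 0, 12); numeric tuples compare correctly where plain
    string comparison would place '7.0.12' before '7.0.2'."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(x or 0) for x in m.groups())

def assess(product, version):
    """Return (vulnerable, recommended action) for one asset."""
    ver = parse_version(version)
    for prod, lo, hi, fixed in AFFECTED:
        if prod != product:
            continue
        if hi is None:  # whole minor branch affected
            hit = ver[:2] == parse_version(lo)[:2]
        else:
            hit = parse_version(lo) <= ver <= parse_version(hi)
        if hit:
            return True, (f"Upgrade to {fixed} or above" if fixed
                          else "Migrate to a fixed release")
    return False, "Not in an affected range"

def triage(inventory):
    """inventory: iterable of (host, product, version) -> vulnerable rows with action."""
    rows = [(h, p, v, assess(p, v)) for h, p, v in inventory]
    return [(h, p, v, action) for h, p, v, (vuln, action) in rows if vuln]
```

Versions outside every listed range, including FortiManager Cloud 7.6, fall through to "Not in an affected range", matching the advisory text.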
Are there any other actions to take?
Configuring the fgfm-deny-unknown setting so that FGFM denies unknown devices will prevent unregistered devices from registering with FortiManager. Users can also stop exposing FGFM to the internet entirely, although this removes its core functionality.
Researchers report that FortiJump is being actively exploited, although no proof-of-concept (PoC) has been released yet.
Are there any potential Indicators of Compromise (IOCs)?
Fortinet has released a list of potential IOCs, including log entries, IP addresses, serial numbers, and files. However, Fortinet notes that the log-entry IOCs may continue to be logged even after devices are updated, because the fixes prevent unauthorized devices from sending exploit commands, not from being added in the first place. If a fix has been successfully applied, these log entries instead indicate a failed attempt at compromise. Fortinet also notes that the file IOCs may not appear in all cases.
How is CyCognito helping customers identify assets vulnerable to FortiJump?
CyCognito is researching an active detection method for this vulnerability. As of October 28th, users can check whether their assets are potentially vulnerable using the filters and lists provided in the CyCognito platform. All customers also have access to an in-platform emerging threat announcement.
Figure 1: The alert sent by CyCognito for these issues.
How can CyCognito help your organization?
CyCognito is an exposure management platform that reduces risk by discovering, testing, and prioritizing security issues. The platform scans billions of websites, cloud applications, and APIs and uses advanced AI to identify the most critical risks and guide remediation. Emerging companies, government agencies and Fortune 500 organizations rely on CyCognito to secure and protect from growing threats. Want to see how it works? Check out our website and explore our platform with a self-guided, interactive dashboard product tour. To learn how CyCognito can help you understand your external attack surface and exposed risks, please visit our Contact Us page to schedule a demo.
Get a free scan of your attack surface and gain valuable insight into your organization's risk posture by allowing CyCognito to discover, contextualize, and test externally exposed assets on a portion of your parent company or a single subsidiary.