H-ISAC TLP White Threat Bulletin: Update: Fortinet Notifies Customers about an Exploited 0-Day Flaw in FortiManager

Update: 

On October 23, Fortinet published an advisory for a critical vulnerability in the FortiManager fgfmd daemon. The flaw, tracked as CVE-2024-47575, is being actively exploited; its CVSS score of 9.8 reflects its critical severity.

The vulnerability concerns the FortiGate to FortiManager (FGFM) protocol and allows remote, unauthenticated attackers to execute arbitrary code or commands. According to the advisory, the attacks identified in the wild used scripts to automate the exfiltration of sensitive data, such as files stored on FortiManager containing the IPs, credentials, and configurations of the managed devices. Currently, there is no evidence that the flaw has been used to deploy malware or backdoors.

Furthermore, Fortinet warns that restoring a backup from a compromised system may reintroduce tampered data. Because data may have been exfiltrated, the FortiGate's activity log should be reviewed for unauthorized access, and the passwords and other sensitive data of managed devices should be changed urgently. When recovering a compromised FortiManager instance, keep a copy of it on an isolated network so it can be compared with the newly built setup. Operating in offline or closed-network mode is recommended.

Recommendations:

  • Apply available patches issued by Fortinet.
  • Check your systems for the IoCs listed in the advisory and review the activity log to confirm that no compromise has occurred.
  • Change all passwords on the affected devices.
  • Segment your networks and enforce strict network access control policies to minimize the risk of lateral movement.
  • Implement MFA and limit account privileges.
  • Continuously monitor for suspicious activity.
  • Have an incident response plan ready to limit operational disruptions in the event of a successful attack.

Review the Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients resources.


For help with Cybersecurity and Risk Advisory Services exclusively for AHA members, contact:

John Riggi

National Advisor for Cybersecurity and Risk, AHA

jriggi@aha.org

(O) +1 202 626 2272