On Wednesday, October 23, 2024, security company Fortinet published an advisory on CVE-2024-47575, a critical zero-day vulnerability affecting their FortiManager network management solution.

The vulnerability arises from missing authentication for a critical function [CWE-306] in the FortiManager fgfmd daemon, which allows a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests. The vulnerability carries a CVSS v3 score of 9.8.

Fortinet had been privately emailing FortiManager customers with stop-gap mitigation advice since the 13th of October; however, these communications were leaked via online forums, including Reddit.

Reports show that this vulnerability has been exploited in the wild.

Mitigations
For the critical vulnerability in the section above, Fortinet has released upgrade and patching advice for affected product versions as per the table below: