Bypass Record

Exploitation for Priv-Esc × Fortinet FortiManager

A publicly-reported instance of Exploitation for Priv-Esc bypassing Fortinet FortiManager, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Fortinet FortiManager
Technique: Exploitation for Priv-Esc
MITRE ATT&CK: T1068
Confidence: High
Severity: Critical
Status: in the wild
Disclosed: 2024-10-24
Config / version noted: Not stated

Provenance

Reported as

exploiting a missing authentication flaw to execute arbitrary code or commands

Mechanism

An unauthorized, attacker-controlled FortiManager device connects to a vulnerable FortiManager over TCP/541, exploiting a missing authentication flaw to execute arbitrary code or commands. This allows staging and exfiltration of configuration files containing FortiGate device configs, user hashes, and other sensitive data.

Detection & mitigation

Monitor FortiManager logs for unauthorized device registration events or unexpected connections on TCP/541 from unknown FortiManager serial numbers. Mitigation: Apply vendor patch for CVE-2024-47575, restrict TCP/541 access to trusted management IPs, and enforce strict device authentication policies.
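The monitoring check described above, sketched as an added example (not code from the cited source or from Fortinet). The CSV layout, allowlisted network and serial numbers are constructed assumptions, not FortiManager's native log format; map your exported log fields onto these columns.

```python
import csv
import io
import ipaddress

MGMT_PORT = 541  # TCP port named in this record

# Constructed allowlists (assumptions): trusted management networks and enrolled serials.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]
KNOWN_SERIALS = {"SERIAL-EXAMPLE-0001", "SERIAL-EXAMPLE-0002"}

# Constructed sample events in a normalized CSV layout (not a real FortiManager log).
SAMPLE = """\
time,src_ip,dst_port,event,serial
2024-01-01T10:00:00Z,10.20.0.15,541,connect,SERIAL-EXAMPLE-0001
2024-01-01T10:05:00Z,198.51.100.7,541,connect,SERIAL-EXAMPLE-0002
2024-01-01T10:06:00Z,10.20.0.16,541,register,SERIAL-EXAMPLE-9999
2024-01-01T10:07:00Z,203.0.113.9,541,register,SERIAL-EXAMPLE-7777
2024-01-01T10:08:00Z,10.20.0.15,443,connect,SERIAL-EXAMPLE-0001
2024-01-01T10:09:00Z,not-an-ip,541,connect,SERIAL-EXAMPLE-0001
"""

def review_events(text, trusted_nets=TRUSTED_NETS, known_serials=KNOWN_SERIALS):
    """Return (time, src_ip, serial, reasons) for each TCP/541 event needing review."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["dst_port"].strip() != str(MGMT_PORT):
            continue  # only the management port from the record is in scope
        reasons = []
        try:
            src = ipaddress.ip_address(row["src_ip"].strip())
            if not any(src in net for net in trusted_nets):
                reasons.append("source outside trusted management networks")
        except ValueError:
            # Malformed addresses are surfaced for review, never silently dropped.
            reasons.append("unparseable source address")
        serial = row["serial"].strip()
        if serial not in known_serials:
            reasons.append("unknown serial number")
            if row["event"].strip() == "register":
                reasons.append("registration by unenrolled device")
        if reasons:
            findings.append((row["time"], row["src_ip"], serial, reasons))
    return findings

if __name__ == "__main__":
    for finding in review_events(SAMPLE):
        print(finding)
```

A known serial arriving from outside the trusted networks is still flagged, since the record lists source restriction and device authentication as separate controls.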

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.