CVE-2024-47575
Published: 23 October 2024
Summary
CVE-2024-47575 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Fortinet FortiManager. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).
Deeper analysis
CVE-2024-47575 is a missing authentication for critical function vulnerability (CWE-306) affecting FortiManager 7.6.0, 7.4.0-7.4.4, 7.2.0-7.2.7, 7.0.0-7.0.12, 6.4.0-6.4.14, and 6.2.0-6.2.12, along with FortiManager Cloud 7.4.1-7.4.4, 7.2.1-7.2.7, 7.0.1-7.0.12, and 6.4.1-6.4.7. It carries a CVSS 3.1 score of 9.8 and allows unauthenticated remote attackers to execute arbitrary code or commands via specially crafted requests.
An attacker with network access can exploit the flaw without credentials or user interaction to run arbitrary commands on the FortiManager instance, resulting in full compromise of the management platform and any connected devices under its control.
Fortinet's advisory FG-IR-24-423 addresses the issue, while CISA lists the CVE in its Known Exploited Vulnerabilities catalog. The EPSS score is currently 0.9387 with a peak of 0.9393.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-42531
Vulnerability details
A missing authentication for critical function in FortiManager 7.6.0, FortiManager 7.4.0 through 7.4.4, FortiManager 7.2.0 through 7.2.7, FortiManager 7.0.0 through 7.0.12, FortiManager 6.4.0 through 6.4.14, FortiManager 6.2.0 through 6.2.12, Fortinet FortiManager Cloud 7.4.1 through 7.4.4, FortiManager Cloud 7.2.1 through 7.2.7, FortiManager Cloud 7.0.1 through 7.0.12, FortiManager Cloud 6.4.1 through 6.4.7 allows attacker to execute arbitrary code or commands via specially crafted requests.
- CWE(s): CWE-306 (Missing Authentication for Critical Function)
- KEV Date Added: 23 October 2024
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly enforces authentication and access policy on critical FortiManager functions so that specially crafted requests cannot succeed without credentials.
- IA-2 (Identification and Authentication (Organizational Users)): requires unique identification and authentication of every user (or process) before any management-plane action is permitted, eliminating the unauthenticated code-execution path.
- AC-17 (Remote Access): mandates authenticated, authorized, and monitored remote access to the FortiManager appliance, blocking the network-based unauthenticated exploitation described in the CVE.