FortiManager becomes the entry point into the most sensitive systems.
Fortinet has not disclosed information about the zero-day vulnerability for more than a week, despite reports that attackers are using it to execute malicious code on servers that serve critical infrastructure.
The company has not yet published a public notice of the vulnerability and has not specified which software is affected. This is in line with Fortinet's previous practice of keeping silent about zero-day vulnerabilities that have already been used to attack customers. In the absence of official data, users and experts have been discussing the problem on social networks since at least October 13.
According to information from Reddit, the vulnerability affects FortiManager, which is used to centrally manage network devices. The following versions are considered vulnerable:
- 7.6.0 and below;
- 7.4.4 and below;
- 7.2.7 and below;
- 7.0.12 and below;
- 6.4.14 and below.
We recommend that you install updates to versions 7.6.1, 7.4.5, 7.2.8, 7.0.13, or 6.4.15. The hosted FortiManager Cloud service is reported to be exposed to the same attack.
Some administrators of FortiGate-based networks have reported receiving notifications with recommendations to upgrade. Other users did not receive such notifications, however, and Fortinet itself has issued no public warning and has not registered the vulnerability in the CVE database, making the threat difficult to track.
According to researcher Kevin Beaumont, the problem is related to FortiManager's default settings, which allow devices with unverified serial numbers to register. A since-deleted comment on Reddit claimed that the bug allows attackers to steal a FortiGate certificate, register a device with FortiManager, and gain access to the network.
Beaumont explained that attackers register fake devices named "localhost" and use them to execute code remotely on FortiManager. This gives them access to the management of real devices, as well as to the synchronization of configurations and authentication data.
Another comment noted that criminals could steal authentication certificates and register a device of their own to infiltrate a managed network. This complicates defense, since even a device presenting a valid certificate can be used for an attack.
Beaumont also suggested that Chinese state-linked hackers may have been exploiting the vulnerability to penetrate corporate networks since the beginning of the year. More than 60,000 endpoints speaking Fortinet's FGFM protocol, which is required for communication between FortiGate and FortiManager, are exposed on the internet, increasing the risk.
The protocol allows attackers to use FortiGate certificates to enroll spoofed devices and then execute code on FortiManager. By controlling devices through FortiManager, attackers can modify configurations, extract passwords, and move into end-user networks. Problems accessing the Fortinet Support Portal add to the confusion; they may be due to the company's attempts to avoid any mention of the issue.
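Defenders can at least review what is currently enrolled in FortiManager for the two indicators the article describes: devices registered under the name "localhost" and devices whose serial numbers were never checked against what the organisation actually owns. The script below is an added example, not code from the article or from Fortinet; the inventory record layout (name/serial/ip/registered), the allowlist and the serials are all constructed, and a real FortiManager export will need its own field mapping.

```python
"""Triage a managed-device inventory for registrations that should not exist.

Added example, not from the article or from Fortinet. The inventory format and
all serial numbers below are constructed placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    serial: str
    name: str
    reason: str


# Constructed procurement allowlist: serials of the FortiGates we actually own.
APPROVED_SERIALS = {"FGT-EXAMPLE-0001", "FGT-EXAMPLE-0002", "FGT-EXAMPLE-0003"}

# Constructed inventory export; the last two records are the suspicious ones.
SAMPLE_INVENTORY = [
    {"name": "hq-fw1", "serial": "FGT-EXAMPLE-0001", "ip": "10.0.0.1", "registered": "2024-01-12"},
    {"name": "hq-fw2", "serial": "FGT-EXAMPLE-0002", "ip": "10.0.0.2", "registered": "2024-01-12"},
    {"name": "localhost", "serial": "FGT-EXAMPLE-0003", "ip": "203.0.113.7", "registered": "2024-10-10"},
    {"name": "branch-fw9", "serial": "FGT-EXAMPLE-0099", "ip": "198.51.100.4", "registered": "2024-10-11"},
]


def triage(inventory, approved_serials):
    """Return one Finding per device that fails either check.

    A "localhost" name is flagged even when the serial is approved: the article
    describes enrolment with a stolen certificate, which may carry a legitimate
    serial, so an approved serial alone does not clear the device.
    """
    findings = []
    for dev in inventory:
        name, serial = dev["name"], dev["serial"]
        if name.strip().lower() == "localhost":
            findings.append(Finding(serial, name, "device registered under the name 'localhost'"))
        elif serial not in approved_serials:
            findings.append(Finding(serial, name, "serial number not in the procurement allowlist"))
    return findings


def main():
    for f in triage(SAMPLE_INVENTORY, APPROVED_SERIALS):
        print(f"REVIEW {f.name} ({f.serial}): {f.reason}")


if __name__ == "__main__":
    main()
```

Any device this flags should be verified against the procurement records and its FGFM session history before it is trusted again, since a valid certificate on its own is not proof of a legitimate device.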