CVE-2024-47575 — Fortinet FortiManager Missing Authentication Vulnerability

CVE-2024-47575

Fortinet FortiManager — "FortiJump" Pre-Auth RCE via fgfmd Daemon; UNC5820 Zero-Day

What is Fortinet FortiManager?

Fortinet FortiManager is the centralized management platform for FortiGate firewall appliances — organizations use it to configure, update, and monitor multiple FortiGate devices from a single console. In large enterprise deployments, FortiManager has privileged access to all managed FortiGate configurations, VPN credentials, and network policies. Because FortiGate appliances are trusted security devices with broad network access, a compromised FortiManager represents a catastrophic security failure — an attacker can push malicious configurations to all managed FortiGate devices simultaneously.

Overview

CVE-2024-47575, dubbed "FortiJump" by researchers, is a missing-authentication-for-critical-function vulnerability (CWE-306) in the FortiManager fgfmd daemon (the FortiGate-to-FortiManager protocol handler) that allows a remote, unauthenticated attacker to execute arbitrary code or commands on the FortiManager appliance via crafted requests. It was exploited in the wild as a zero-day by a threat cluster that Mandiant (Google Threat Intelligence) tracks as UNC5820; at disclosure Mandiant stated it did not yet have enough data to assess the actor's motivation or location, so the activity is unattributed beyond that designation. CISA added the CVE to the Known Exploited Vulnerabilities catalog on the day of disclosure (October 23, 2024), reflecting confirmed active exploitation. Because a FortiManager holds the configurations and credentials of every FortiGate it manages, UNC5820 used the foothold to exfiltrate managed-device configuration data, including user accounts and their hashed passwords.

Affected Versions

FortiManager Branch   Vulnerable            Fixed
7.6.x                 7.6.0                 7.6.1
7.4.x                 7.4.0 through 7.4.4   7.4.5
7.2.x                 7.2.0 through 7.2.7   7.2.8
7.0.x                 7.0.0 through 7.0.12  7.0.13
6.4.x                 6.4.0 through 6.4.14  6.4.15
6.2.x                 6.2.0 through 6.2.12  6.2.13

Also affects FortiManager Cloud: 7.4.1–7.4.4, 7.2.1–7.2.7, 7.0.1–7.0.12, 6.4.1–6.4.7.
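The following is an added example for this page (not Fortinet tooling) that encodes the two tables above so a fleet inventory can be checked programmatically. It parses the version triple out of a bare string or the `get system status` banner form, and treats FortiManager Cloud separately because its affected ranges start at x.y.1 and the 6.4 branch has no fixed build. The sample inputs in the `__main__` block are constructed.

```python
"""Assess a FortiManager version against the CVE-2024-47575 fixed releases.

Added example for this page; not Fortinet tooling. The two tables transcribe
the Affected Versions section above (on-premises and FortiManager Cloud).
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# On-premises FortiManager: every build in the branch below the fixed build is vulnerable.
FIXED_ONPREM: Dict[Tuple[int, int], Version] = {
    (7, 6): (7, 6, 1),
    (7, 4): (7, 4, 5),
    (7, 2): (7, 2, 8),
    (7, 0): (7, 0, 13),
    (6, 4): (6, 4, 15),
    (6, 2): (6, 2, 13),
}

# FortiManager Cloud: (first affected, last affected, fixed); fixed=None means the
# branch has no fixed build and the instance must be migrated to a fixed branch.
CLOUD: Dict[Tuple[int, int], Tuple[Version, Version, Optional[Version]]] = {
    (7, 4): ((7, 4, 1), (7, 4, 4), (7, 4, 5)),
    (7, 2): ((7, 2, 1), (7, 2, 7), (7, 2, 8)),
    (7, 0): ((7, 0, 1), (7, 0, 12), (7, 0, 13)),
    (6, 4): ((6, 4, 1), (6, 4, 7), None),
}

# Matches "7.4.3", "v7.4.3" and the CLI banner form "v7.4.3-build2480 240305 (GA)".
VERSION_RE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Extract the x.y.z triple from a version string or 'get system status' output."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def assess(text: str, cloud: bool = False) -> Dict[str, object]:
    """Return status 'vulnerable', 'fixed' or 'not listed', plus the fixed build to move to."""
    v = parse_version(text)
    branch = v[:2]
    if cloud:
        entry = CLOUD.get(branch)
        if entry is None:
            return {"version": v, "status": "not listed", "fixed": None}
        first, last, fixed = entry
        if first <= v <= last:
            status = "vulnerable"
        elif fixed is not None and v >= fixed:
            status = "fixed"
        else:
            status = "not listed"
        return {"version": v, "status": status, "fixed": fixed}
    fixed = FIXED_ONPREM.get(branch)
    if fixed is None:
        return {"version": v, "status": "not listed", "fixed": None}
    return {"version": v, "status": "vulnerable" if v < fixed else "fixed", "fixed": fixed}


if __name__ == "__main__":
    # Constructed sample inputs: a CLI banner, a bare version, and a Cloud instance.
    for sample, is_cloud in [("v7.4.3-build2480 240305 (GA)", False), ("7.6.1", False), ("7.2.7", True)]:
        print(sample, "cloud" if is_cloud else "on-prem", assess(sample, cloud=is_cloud))
```

A "not listed" result is not a clean bill of health: it means the branch is outside the advisory's table (for example a release newer than the advisory) and should be checked against the current version of FG-IR-24-423.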

Technical Details

The missing authentication (CWE-306) is in fgfmd, the daemon that terminates the FGFM (FortiGate-to-FortiManager) protocol on TCP/541 and handles device registration and subsequent management traffic. FGFM runs over TLS and the FortiManager checks that the connecting peer presents a Fortinet-issued device certificate. The flaw is that this certificate check is the only gate: a device the FortiManager has never seen, and that no administrator has authorized, can register itself and then issue FGFM requests that the daemon processes with the trust of a managed device, including requests that lead to command execution on the FortiManager itself. Any Fortinet appliance certificate satisfies the check, so an attacker who has extracted the certificate and key from a FortiGate or FortiManager VM they control can pose as a new device from any network location. This is also why Fortinet's primary workaround is to refuse registration from unknown serial numbers (fgfm-deny-unknown) rather than to change certificate handling.

FortiJump attack chain:

  1. Attacker connects to TCP/541 from an arbitrary IP and sends an FGFM registration request, presenting a Fortinet-issued device certificate and a serial number the target has never seen. The indicator Fortinet published for UNC5820's device, FMG-VMTM23017412, is a FortiManager VM serial, not a FortiGate serial.
  2. fgfmd accepts the registration because the certificate chains to Fortinet and nothing requires the serial to have been pre-authorized. The appliance records this as "Unregistered device localhost add succeeded" in its device-manager (dvm) event log.
  3. The unauthorized device's session is now treated like a legitimate managed-device connection.
  4. Attacker issues FGFM requests over that session that execute commands on the FortiManager.
  5. Post-exploitation (as observed by Mandiant): stage an archive of the FortiManager's and managed FortiGates' configuration data, including user accounts and FortiOS-hashed passwords, under /tmp/.tm (also seen as /var/tmp/.tm), and exfiltrate it.

Discovery

Mandiant (Google Threat Intelligence), working with Fortinet, investigated the exploitation and clustered it as UNC5820. Fortinet notified customers privately in mid-October 2024 ahead of the public advisory; on October 23, 2024 it published FG-IR-24-423 with fixed releases, Mandiant published its investigation, and CISA added the CVE to the KEV catalog the same day.

Exploitation Context

UNC5820, the cluster Mandiant assigned to this activity (unattributed by motivation or location at the time of disclosure), exploited FortiJump as a zero-day. Mandiant's earliest observed exploitation dates to June 27, 2024, roughly four months before the October 23 advisory. UNC5820 used the access to:

  • Register an unauthorized device (serial FMG-VMTM23017412 in Fortinet's indicators) to obtain a managed-device FGFM session with the FortiManager
  • Stage and exfiltrate configuration data for the FortiManager and its managed FortiGates, including device credentials, user accounts with hashed passwords, VPN configuration and network topology
  • Retain data that would enable follow-on attacks against the managed FortiGate estate

Mandiant reported exfiltration from more than 50 potentially compromised FortiManager appliances across a range of industries and countries. In the cases it investigated it did not observe the actor using the exfiltrated data to move laterally or to push changes to managed FortiGates, but the stolen credentials make that a live risk until they are rotated.

Remediation

  1. Upgrade to a fixed release per the version table above. The CISA BOD 22-01 deadline for federal agencies was November 13, 2024.
  2. Restrict FGFM (TCP/541) to known FortiGate source IPs and never expose FortiManager's FGFM port to the internet. On FortiManager 7.2.0 and later, Fortinet's advisory lists a local-in policy that accepts dport 541 only from the FortiGate addresses and denies dport 541 from everything else.
  3. Audit the device inventory in FortiManager for serial numbers you do not own and for devices registered from unexpected addresses. Fortinet's published indicator for the actor's device is the serial FMG-VMTM23017412.
  4. Rotate every credential a compromised FortiManager could have exposed: FortiGate admin passwords, SSL-VPN local user databases, RADIUS/LDAP bind credentials, and any secrets embedded in managed device configurations.
  5. Prevent unknown devices from registering. On FortiManager 7.0.12+, 7.2.5+ and 7.4.3+ Fortinet's workaround is fgfm-deny-unknown enable under config system global; on 7.2.2+, 7.4.0+ and 7.6.0+ the advisory also allows pinning FGFM to a custom CA (fgfm-ca-cert with fgfm-cert-exclusive enable) so only certificates you issue are accepted.
  6. Hunt for compromise going back to at least June 2024 (Mandiant's earliest observed exploitation is June 27, 2024): dvm event-log entries reading "Unregistered device localhost add succeeded" or "Edited device settings (SN ...)" for a serial not in your inventory, the staging archives /tmp/.tm and /var/tmp/.tm, and connections to the IP addresses listed in Fortinet's advisory.
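As an added example for remediation steps 3 and 6 (not Fortinet or Mandiant tooling), the script below parses FortiManager event-log lines, flags unregistered-device additions and device edits for serials outside a known inventory, and separately screens a list of TCP/541 peer addresses against a FortiGate allowlist. The sample log lines are constructed to follow the dvm event format quoted in FG-IR-24-423; the serial and IP indicators are the ones that advisory published and should be re-checked against the live advisory; KNOWN_SERIALS is a placeholder inventory.

```python
"""Hunt FortiManager logs and FGFM peer lists for CVE-2024-47575 post-exploitation traces.

Added example for this page; not Fortinet or Mandiant tooling. The sample log
lines are constructed to follow the dvm event format quoted in Fortinet's
FG-IR-24-423 advisory. The serial and IP indicators are the ones that advisory
published; re-check the live advisory before relying on them. KNOWN_SERIALS is
a placeholder inventory.
"""
import re
from typing import Dict, Iterable, List, Set, Tuple

# key=value pairs separated by commas or spaces; quoted values may contain both.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^,\s]*)')
SN_RE = re.compile(r"\(SN ([A-Z0-9-]+)\)")

# Indicators published in FG-IR-24-423.
IOC_SERIALS: Set[str] = {"FMG-VMTM23017412"}
IOC_IPS: Set[str] = {"45.32.41.202", "104.238.141.143", "158.247.199.37", "45.32.63.2"}

# Placeholder: serials of the FortiGates this FortiManager is supposed to manage.
KNOWN_SERIALS: Set[str] = {"FGVM01TM00000001", "FGVM01TM00000002"}

# Constructed sample log lines (not captured from a real appliance).
SAMPLE_LOGS = [
    'type=event,subtype=dvm,pri=information,desc="Device,manager,generic,information,log",'
    'user="device",msg="Unregistered device localhost add succeeded" device="localhost" '
    'adom="FortiManager" session_id=0 operation="Add device" performed_on="localhost" '
    'changes="Unregistered device localhost add succeeded"',
    'type=event,subtype=dvm,pri=notice,desc="Device,Manager,dvm,log,at,notice,level",user="System",'
    'userfrom="",msg="" adom="root" session_id=0 operation="Modify device" performed_on="localhost" '
    'changes="Edited device settings (SN FMG-VMTM23017412)"',
    'type=event,subtype=dvm,pri=notice,desc="Device,Manager,dvm,log,at,notice,level",user="admin",'
    'userfrom="ssh(10.0.0.5)",msg="" adom="root" session_id=17 operation="Modify device" '
    'performed_on="FGT-BRANCH-01" changes="Edited device settings (SN FGVM01TM00000001)"',
    'type=event,subtype=dvm,pri=notice,desc="Device,Manager,dvm,log,at,notice,level",user="System",'
    'userfrom="",msg="" adom="root" session_id=0 operation="Modify device" performed_on="localhost" '
    'changes="Edited device settings (SN FGVM02TM99999999)"',
    'type=event,subtype=system,pri=information,user="admin",userfrom="https(10.0.0.5)",msg="User admin logged in"',
]


def parse_fmg_log(line: str) -> Dict[str, str]:
    """Split one FortiManager event line into a dict, stripping quotes from quoted values."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in KV_RE.findall(line)}


def hunt_logs(lines: Iterable[str], known_serials: Set[str]) -> List[Tuple[int, str, str]]:
    """Flag device-manager (dvm) events consistent with an unauthorized device registration.

    Returns (line number, finding kind, detail). Kinds: 'unregistered-device-add',
    'known-ioc-serial', 'unknown-serial'. Non-dvm events are ignored.
    """
    findings: List[Tuple[int, str, str]] = []
    for n, line in enumerate(lines, 1):
        rec = parse_fmg_log(line)
        if rec.get("subtype") != "dvm":
            continue
        changes = rec.get("changes", "")
        if rec.get("operation") == "Add device" and "Unregistered device" in changes:
            findings.append((n, "unregistered-device-add", changes))
        m = SN_RE.search(changes)
        if m:
            sn = m.group(1)
            if sn in IOC_SERIALS:
                findings.append((n, "known-ioc-serial", sn))
            elif sn not in known_serials:
                findings.append((n, "unknown-serial", sn))
    return findings


def check_fgfm_peers(peers: Iterable[str], allowed_ips: Set[str]) -> List[Tuple[str, str]]:
    """Classify source IPs seen connecting to TCP/541: published IOC first, then anything not allowlisted."""
    out: List[Tuple[str, str]] = []
    for ip in peers:
        if ip in IOC_IPS:
            out.append((ip, "known-ioc-ip"))
        elif ip not in allowed_ips:
            out.append((ip, "not-allowlisted"))
    return out


if __name__ == "__main__":
    for f in hunt_logs(SAMPLE_LOGS, KNOWN_SERIALS):
        print("LOG ", f)
    # Constructed peer list, as a firewall or NetFlow export of TCP/541 sources might yield.
    for f in check_fgfm_peers(["10.0.0.5", "158.247.199.37", "203.0.113.9"], {"10.0.0.5"}):
        print("PEER", f)
```

The inventory check matters more than the IOC list: an actor re-running this technique will use a different device serial and different infrastructure, but it still has to register a device the FortiManager did not previously know, and that registration is what the dvm log records.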

Key Details

Property              Value
CVE ID                CVE-2024-47575
Vendor / Product      Fortinet — FortiManager
NVD Published         2024-10-23
NVD Last Modified     2025-10-24
CVSS 3.1 Score        9.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity              CRITICAL
CWE                   CWE-306 (Missing Authentication for Critical Function)
CISA KEV Added        2024-10-23
CISA KEV Deadline     2024-11-13
Known Ransomware Use  Unknown

CVSS 3.1 Breakdown

Attack Vector:        Network
Attack Complexity:    Low
Privileges Required:  None
User Interaction:     None
Scope:                Unchanged
Confidentiality:      High
Integrity:            High
Availability:         High

Required Action

CISA BOD 22-01 Deadline: 2024-11-13. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date          Event
2024-06-27    Earliest exploitation observed by Mandiant (reported in its October 23 analysis)
2024-10 (mid) Fortinet notifies customers privately ahead of the public advisory
2024-10-23    Fortinet publishes FG-IR-24-423 and fixed releases; CISA adds the CVE to KEV; Mandiant publishes its UNC5820 investigation
2024-11-13    CISA BOD 22-01 remediation deadline