Cybersecurity company Fortinet released an advisory on CVE-2024-47575, a critical zero-day vulnerability impacting several versions of their FortiManager network management software.
The company says a missing authentication for critical function vulnerability [CWE-306] in the FortiManager fgfmd daemon may allow a remote, unauthenticated attacker to execute arbitrary code or commands via specially crafted requests. The vulnerability has a CVSS v3 score of 9.8.
“Reports have shown this vulnerability to be exploited in the wild,” the October 23, 2024, advisory reads. “At this stage, we have not received reports of any low-level system installations of malware or backdoors on these compromised FortiManager systems. To the best of our knowledge, there have been no indicators of modified databases, or connections and modifications to the managed device.”
Fortinet had reportedly warned customers about the vulnerability last week. Since mid-October, the flaw has been discussed online.
“Australian organisations should review their networks for use of vulnerable instances of FortiManager devices and implement the mitigation advice provided by the vendor,” warns the Australian…