On October 23, 2024, Fortinet disclosed CVE-2024-47575, a critical missing authentication vulnerability in the FortiManager fgfmd daemon. Rated CVSS 9.8, the vulnerability allows an unauthenticated attacker to execute arbitrary code or commands on FortiManager devices via specially crafted requests. The security community quickly dubbed it "FortiJump."
Mandiant, working with Fortinet on incident response, attributed the exploitation to a previously unknown threat cluster tracked as UNC5820. The attackers had been exploiting the vulnerability since at least June 2024, four months before public disclosure.
Why FortiManager Is a High-Value Target
FortiManager is Fortinet's centralized management platform for FortiGate firewalls. Organizations use it to manage configurations, firmware updates, and policies across their entire fleet of Fortinet devices. A typical FortiManager deployment manages dozens to thousands of FortiGate firewalls.
Compromising FortiManager gives an attacker:
- Complete firewall configurations for every managed FortiGate, including firewall rules, VPN configurations, and routing tables. This is essentially a network blueprint.
- Stored credentials for FortiGate devices, including admin passwords and FortiGuard service credentials.
- The ability to push configuration changes to all managed firewalls, potentially opening holes in network security, redirecting traffic, or deploying persistent backdoors.
- FortiGuard integration data, including threat intelligence feeds and sandbox analysis results that reveal what the organization considers sensitive.
In short, FortiManager is the control plane for an organization's entire Fortinet security infrastructure. Compromising it compromises everything it manages.
Technical Details
The vulnerability exists in the FortiGate-to-FortiManager (fgfm) protocol, which FortiGate devices use to communicate with their FortiManager. The fgfmd daemon listens on TCP port 541 and handles device registration, heartbeat communication, and configuration synchronization.
CVE-2024-47575 is a missing authentication check in the fgfmd daemon. An attacker who can reach port 541 can send specially crafted requests that are processed without authentication. This allows the attacker to:
- Register a rogue FortiGate device with the FortiManager.
- Execute commands on the FortiManager system through the management protocol.
- Access the FortiManager's database, which contains configurations for all managed devices.
The attack does not require any credentials, certificates, or prior access. It requires only network connectivity to the fgfmd port.
Affected versions:
- FortiManager 7.6.0
- FortiManager 7.4.0 through 7.4.4
- FortiManager 7.2.0 through 7.2.7
- FortiManager 7.0.0 through 7.0.12
- FortiManager 6.4.0 through 6.4.14
- FortiManager Cloud (multiple versions)
Observed Exploitation by UNC5820
Mandiant's investigation revealed that UNC5820 had been exploiting CVE-2024-47575 since at least June 27, 2024. The threat actor's operations focused on data theft rather than destructive activity.
The observed attack pattern:
- Initial exploitation: UNC5820 connected to exposed FortiManager instances via the fgfm protocol and exploited the authentication bypass.
- Device registration: The attacker registered rogue devices with the FortiManager, which caused the FortiManager to sync configuration data to the attacker-controlled "device."
- Configuration exfiltration: The attacker harvested FortiGate configurations from the FortiManager database, including:
- Detailed IP addressing and routing information.
- FortiGate admin credentials (hashed but potentially crackable).
- FortiOS configurations including firewall rules and VPN settings.
- Staging files: Mandiant identified staging archives containing compressed configuration data on compromised FortiManager systems.
Notably, Mandiant did not observe UNC5820 pushing malicious configurations to managed FortiGates or moving laterally into customer networks during the investigation. However, the stolen configuration data provides everything needed for future intrusion operations.
The identity and motivation of UNC5820 remain unclear. The targeting pattern and operational discipline are consistent with a state-sponsored espionage group, but Mandiant has not made a formal attribution to any nation-state.
The Fortinet Vulnerability Track Record
CVE-2024-47575 continues a concerning trend of critical vulnerabilities in Fortinet products being exploited as zero-days:
- CVE-2024-21762 (February 2024): Out-of-bounds write in FortiOS SSL VPN, exploited in the wild.
- CVE-2024-23113 (February 2024): Format string vulnerability in fgfmd (the same daemon affected by FortiJump).
- CVE-2023-27997 (June 2023): Heap buffer overflow in FortiOS SSL VPN (XORtigate).
- CVE-2022-42475 (December 2022): Heap buffer overflow in FortiOS SSL VPN, exploited by Chinese state-sponsored actors.
The recurring pattern of critical, unauthenticated vulnerabilities in internet-facing Fortinet services raises serious concerns for organizations that depend on Fortinet infrastructure for network security.
Mitigation and Remediation
Immediate actions:
- Patch FortiManager to the fixed versions: 7.6.1, 7.4.5, 7.2.8, 7.0.13, or 6.4.15.
- Restrict access to fgfmd (TCP 541). FortiManager's management port should not be accessible from the internet. Restrict it to known FortiGate device IPs.
- Verify registered devices: Review the list of FortiGate devices registered with your FortiManager. Look for unrecognized devices, particularly those registered after June 2024.
- Enable the fgfm-deny-unknown setting: This prevents unregistered devices from connecting to FortiManager:
  config system global
      set fgfm-deny-unknown enable
  end
- Rotate credentials: Change FortiGate admin passwords and any credentials stored in FortiManager. Assume that all stored configurations have been compromised.
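The first step of the checklist is knowing whether a given build falls inside the affected ranges listed above or at or beyond the fixed releases. The following Python helper is an added example for this article, not Fortinet tooling; it encodes only the affected and fixed ranges this page lists, so branches the page does not mention (for example 7.5.x, anything older than 6.4, or FortiManager Cloud, which is versioned separately) are reported as "not listed" rather than assumed safe. The function names `parse_version` and `assess` are my own.

```python
"""Classify a FortiManager version string against the CVE-2024-47575 ranges.

Added illustration, not Fortinet code. Ranges are those listed in this article.
FortiManager Cloud is not covered by a version check and is deliberately absent.
"""
import re

# (major, minor) branch -> (last affected patch, first fixed patch), per the article.
BRANCHES = {
    (7, 6): (0, 1),    # 7.6.0 affected, 7.6.1 fixed
    (7, 4): (4, 5),    # 7.4.0-7.4.4 affected, 7.4.5 fixed
    (7, 2): (7, 8),    # 7.2.0-7.2.7 affected, 7.2.8 fixed
    (7, 0): (12, 13),  # 7.0.0-7.0.12 affected, 7.0.13 fixed
    (6, 4): (14, 15),  # 6.4.0-6.4.14 affected, 6.4.15 fixed
}

# Accepts "7.4.3", "v7.4.3" and build-suffixed forms such as "7.4.3-build2288".
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) as integers, or raise on unrecognised input."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised FortiManager version: {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(text):
    """Return 'affected', 'fixed' or 'not listed' for a FortiManager version string."""
    major, minor, patch = parse_version(text)
    branch = BRANCHES.get((major, minor))
    if branch is None:
        # Unknown branch: do not guess. Check the vendor advisory for these.
        return "not listed"
    last_affected, first_fixed = branch
    if patch <= last_affected:
        return "affected"
    if patch >= first_fixed:
        return "fixed"
    return "not listed"  # unreachable with contiguous ranges; kept for safety


def main():
    # Constructed sample inputs for a quick demonstration.
    for v in ["7.6.0", "7.6.1", "7.4.3", "7.4.5", "6.4.14", "6.4.15", "7.5.0", "v7.2.8-build1234"]:
        print(f"{v:20s} {assess(v)}")


if __name__ == "__main__":
    main()
```

Treat "fixed" as meaning "at or above the fixed release for that branch"; it says nothing about whether the system was already compromised before patching, which is what the forensic steps below are for.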
Forensic investigation:
- Review FortiManager logs for connections from unknown IP addresses on port 541.
- Check for unauthorized device registrations in the FortiManager device database.
- Look for staging files (compressed archives) in temporary directories on the FortiManager filesystem.
- Audit FortiGate configurations for unauthorized changes, particularly firewall rules, VPN configurations, and admin accounts.
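The two checks above that lend themselves to automation are the review of fgfmd connections from unknown IP addresses and the hunt for device registrations that are not in your inventory (the "Verify registered devices" step in the immediate actions list). The Python triage below is an added example, not Fortinet or Mandiant code. The log layout it parses is an assumed syslog-style format constructed for this illustration; real FortiManager event logs use their own key=value fields, so `LINE_RE` is the one piece you would adapt to your export. The IP allowlist, serial inventory, sample lines (RFC 5737 documentation addresses, made-up serials) and the function names `parse_line` and `triage` are all my own. The cutoff defaults to 1 June 2024 because the article reports exploitation from 27 June 2024 and the start of the month is a conservative boundary.

```python
"""Triage of fgfmd connection and device-registration events.

Added illustration, not Fortinet or Mandiant code. The log format below is an
ASSUMED syslog-style layout constructed for this example.
"""
import re
from datetime import datetime, timezone

# Constructed sample log (RFC 5737 documentation addresses, made-up serials).
SAMPLE_LOG = """\
2024-05-14T09:01:10Z fgfmd: connection from 10.20.0.11 port 541
2024-05-14T09:01:12Z fgfmd: device registered serial=FGT60FTK00000001 ip=10.20.0.11
2024-07-02T03:14:22Z fgfmd: connection from 203.0.113.45 port 541
2024-07-02T03:14:25Z fgfmd: device registered serial=FGTEXAMPLEROGUE1 ip=203.0.113.45
2024-07-02T03:15:01Z fgfmd: connection from 10.20.0.12 port 541
2024-08-19T22:40:07Z fgfmd: device registered serial=FGT60FTK00000002 ip=198.51.100.7
"""

# Assumed line layout: timestamp, "fgfmd:", then one of two event shapes.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) fgfmd: "
    r"(?:connection from (?P<conn_ip>[\d.]+) port 541"
    r"|device registered serial=(?P<serial>\S+) ip=(?P<reg_ip>[\d.]+))$"
)

# Constructed allowlist of FortiGate management IPs and the serial inventory.
KNOWN_FORTIGATE_IPS = {"10.20.0.11", "10.20.0.12"}
KNOWN_SERIALS = {"FGT60FTK00000001", "FGT60FTK00000002"}
# Exploitation was observed from 27 June 2024; the start of June is a conservative cutoff.
DEFAULT_CUTOFF = datetime(2024, 6, 1, tzinfo=timezone.utc)


def parse_line(line):
    """Return an event dict for a recognised line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if m["conn_ip"]:
        return {"ts": ts, "event": "connection", "ip": m["conn_ip"]}
    return {"ts": ts, "event": "registration", "ip": m["reg_ip"], "serial": m["serial"]}


def triage(log_text, known_ips=KNOWN_FORTIGATE_IPS, known_serials=KNOWN_SERIALS,
           cutoff=DEFAULT_CUTOFF):
    """Flag fgfmd events from unknown sources or for unrecognised devices."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        reasons = []
        # Any fgfmd peer that is not a known FortiGate is worth a look.
        if ev["ip"] not in known_ips:
            reasons.append("source IP not in FortiGate allowlist")
        # A registration for a serial not in inventory is the rogue-device pattern;
        # note separately when it falls in the observed exploitation window.
        if ev["event"] == "registration" and ev["serial"] not in known_serials:
            reasons.append("serial not in device inventory")
            if ev["ts"] >= cutoff:
                reasons.append("unrecognised device registered on/after cutoff")
        if reasons:
            findings.append({**ev, "reasons": reasons})
    return findings


def main():
    for f in triage(SAMPLE_LOG):
        serial = f.get("serial", "-")
        print(f"{f['ts'].isoformat()} {f['event']:12s} ip={f['ip']:15s} serial={serial:17s} "
              + "; ".join(f["reasons"]))


if __name__ == "__main__":
    main()
```

A known serial re-registering from an unexpected IP is flagged on the IP alone, so the allowlist should reflect the addresses FortiGates actually use to reach FortiManager, not just their primary management interfaces.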
Network Security Appliance Management Best Practices
FortiJump highlights risks inherent in centralized management platforms:
Segment management infrastructure: FortiManager and similar management platforms should be on isolated management networks, accessible only from authorized jump boxes or management workstations. They should never be directly accessible from the internet.
Monitor management plane activity: Log and alert on all device registrations, configuration changes, and administrative actions on management platforms. Anomalous activity should trigger immediate investigation.
Apply defense in depth: Do not rely solely on the management platform's built-in authentication. Use network-level access controls, client certificates, and additional authentication mechanisms to protect access.
Maintain offline configuration backups: Keep periodic backups of firewall configurations in a location that is not accessible from the management platform. This provides a recovery path if the management platform is compromised.
How Safeguard.sh Helps
FortiJump demonstrates that your security infrastructure management platforms are critical supply chain components.
- Management platform inventory tracks FortiManager and other network management tools in your SBOM, ensuring you are immediately alerted to vulnerabilities affecting your security control plane.
- Exposure assessment identifies which management interfaces are accessible from untrusted networks, flagging misconfigurations before attackers exploit them.
- Credential tracking monitors the lifecycle of credentials stored in management platforms, supporting timely rotation and reducing the impact of a potential compromise.
- Vendor risk assessment considers the security track record of your network security vendors, providing data-driven input for procurement and renewal decisions.
When the tool that manages all your firewalls is compromised, every firewall it manages is at risk. Visibility into your management infrastructure is not a nice-to-have; it is a fundamental security requirement.