CVE-2024-47575 - FortiManager Authentication Bypass

Details
Content
Dependencies
Version History

This pack handles CVE-2024-47575 - FortiManager Authentication Bypass vulnerability

FortiJump Vulnerability (CVE-2024-47575)

On October 25, 2023, a critical zero-day vulnerability was disclosed in FortiManager, a centralized management platform for Fortinet devices. This vulnerability, known as FortiJump and tracked as CVE-2024-47575, allows an unauthenticated attacker with network access to execute arbitrary code or commands on the affected system, potentially leading to complete system compromise. This vulnerability has been rated Critical severity (CVSS 9.8).

Impacted Versions

The vulnerability impacts the following FortiManager versions:

FortiManager versions 7.2.0 to 7.2.3
FortiManager versions 7.0.0 to 7.0.7
FortiManager versions 6.4.0 to 6.4.11
FortiManager versions 6.2.x and earlier (Potentially Affected)

Patched Versions

FortiManager versions 7.2.4 and above
FortiManager versions 7.0.8 and above
FortiManager versions 6.4.12 and above

This pack provides you with a first response kit which includes

Collect, Extract, and Enrich Indicators
Threat Hunting using XQL Query Engine
- Note: The 'fortinet_fortimanager_raw' dataset must be available for the XQL queries to function.
Mitigations and Workarounds

References

Fortinet PSIRT Advisory FG-IR-24-423

FortiJump Vulnerability (CVE-2024-47575)

Impacted Versions

The vulnerability impacts the following FortiManager versions:

FortiManager versions 7.2.0 to 7.2.3
FortiManager versions 7.0.0 to 7.0.7
FortiManager versions 6.4.0 to 6.4.11
FortiManager versions 6.2.x and earlier (Potentially Affected)

Patched Versions

FortiManager versions 7.2.4 and above
FortiManager versions 7.0.8 and above
FortiManager versions 6.4.12 and above

This pack provides you with a first response kit which includes

Collect, Extract, and Enrich Indicators
Threat Hunting using XQL Query Engine
- Note: The 'fortinet_fortimanager_raw' dataset must be available for the XQL queries to function.
Mitigations and Workarounds

References

Fortinet PSIRT Advisory FG-IR-24-423

Playbooks

Name

Description

CVE-2024-47575 - FortiManager Authentication Bypass

CVE-2024-47575, also known as FortiJump, is a critical zero-day vulnerability affecting FortiManager, a centralized management platform for Fortinet devices. The vulnerability arises due to missing authentication checks in specific FortiManager REST API endpoints. An unauthenticated attacker with network access to the FortiManager device can exploit this flaw to execute arbitrary code or commands, potentially leading to complete system compromise.

Affected Versions

FortiManager Version	Status
7.2.0 to 7.2.3	Affected
7.0.0 to 7.0.7	Affected
6.4.0 to 6.4.11	Affected
6.2.x and earlier	Potentially Affected
7.2.4 and above	Patched
7.0.8 and above	Patched
6.4.12 and above	Patched

Note:

Old FortiAnalyzer models 1000E, 1000F, 2000E, 3000E, 3000F, 3000G, 3500E, 3500F, 3500G, 3700F, 3700G, 3900E with the following feature enabled (FortiManager on FortiAnalyzer):

config system global
set fmg-status enable
end

And at least one interface with the fgfm service enabled is also impacted by this vulnerability.

Playbook Flow

Create, Tag, and Block Indicators
Hunt Automatically for Suspicious Behavior Related to the exploitation flow using XQL
Note: The 'fortinet_fortimanager_raw' dataset must be available for the XQL queries completion.
Provide Mitigations and Workarounds

References:

Fortinet PSIRT Advisory FG-IR-24-423

By following this playbook, organizations can effectively respond to and mitigate the risks associated with CVE-2024-47575 (FortiJump).

Playbooks

Name

Description

CVE-2024-47575 - FortiManager Authentication Bypass

Affected Versions

FortiManager Version	Status
7.2.0 to 7.2.3	Affected
7.0.0 to 7.0.7	Affected
6.4.0 to 6.4.11	Affected
6.2.x and earlier	Potentially Affected
7.2.4 and above	Patched
7.0.8 and above	Patched
6.4.12 and above	Patched

Note:

Old FortiAnalyzer models 1000E, 1000F, 2000E, 3000E, 3000F, 3000G, 3500E, 3500F, 3500G, 3700F, 3700G, 3900E with the following feature enabled (FortiManager on FortiAnalyzer):

config system global
set fmg-status enable
end

And at least one interface with the fgfm service enabled is also impacted by this vulnerability.

Playbook Flow

Create, Tag, and Block Indicators
Hunt Automatically for Suspicious Behavior Related to the exploitation flow using XQL
Note: The 'fortinet_fortimanager_raw' dataset must be available for the XQL queries completion.
Provide Mitigations and Workarounds

References:

Fortinet PSIRT Advisory FG-IR-24-423

By following this playbook, organizations can effectively respond to and mitigate the risks associated with CVE-2024-47575 (FortiJump).

Required Content Packs (1)

Pack Name	Pack By
Base	By: Cortex XSOAR

Optional Content Packs (1)

Pack Name	Pack By
Cortex XDR by Palo Alto Networks	By: Cortex XSOAR

All level dependencies (2)

Pack Name	Pack By
Base	By: Cortex XSOAR
Aggregated Scripts	By: Cortex XSOAR

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Cortex
Created	October 28, 2024
Last Release	March 23, 2026

WORKS WITH THE FOLLOWING INTEGRATIONS:

Palo Alto Networks Cortex XDR - Investigation and Response

DISCLAIMER

By downloading or using Marketplace content, you agree to the applicable Terms of Use and End User License Agreement. Third-party content is provided by its publisher, and Palo Alto Networks does not warrant, endorse, support, or assume responsibility for content not expressly identified as owned by Palo Alto Networks.