CVE REFERENCE | CRITICAL VULNERABILITY

CVE-2024-47575 Explained: Fortinet FortiManager Missing Authentication — FortiJump

A CVSS 9.8 missing authentication vulnerability in Fortinet FortiManager exploited as a zero-day by a suspected Chinese state actor (UNC5820). FortiManager manages the configurations of thousands of Fortinet devices — compromising it provides access to all managed device credentials and configurations.

Sources: NVD | Fortinet PSIRT Advisory FG-IR-24-423 | Mandiant, FortiJump: Fortinet FortiManager CVE-2024-47575 Zero-Day Exploitation | CISA Known Exploited Vulnerabilities Catalog

CVSS score: 9.8
Exploited before patch: 0-day
Authentication required: None
Fortinet devices under FortiManager management: 50M+

CVE-2024-47575, dubbed FortiJump by Mandiant, is a CVSS 9.8 missing authentication vulnerability in Fortinet FortiManager and FortiManager Cloud. An unauthenticated remote attacker sends a crafted request to the FGFM daemon — the protocol handler for FortiGate-to-FortiManager communication on TCP port 541 — and achieves code execution on the FortiManager server without any credentials.

Fortinet published the advisory on October 23, 2024. Mandiant confirmed that the Chinese-nexus threat actor UNC5820 had been exploiting the vulnerability since at least June 2024 — a four-month zero-day window. CISA added CVE-2024-47575 to the Known Exploited Vulnerabilities catalog the same day as the advisory. The strategic significance of compromising FortiManager is exceptional: it is the management plane for potentially thousands of Fortinet network security devices.

How CVE-2024-47575 Works: Missing Authentication in FGFM

FortiManager uses a proprietary protocol called FGFM (FortiGate to FortiManager) on TCP port 541 to communicate with and manage FortiGate firewall devices. This protocol handles device registration, configuration push, log collection, and management communication between FortiGate devices in the field and the central FortiManager server.

The vulnerability is classified as CWE-306 — Missing Authentication for Critical Function. The FGFM daemon exposes certain functionality without enforcing authentication checks. An attacker who can reach TCP port 541 on the FortiManager server can send specially crafted FGFM protocol messages that exploit this missing authentication to execute arbitrary commands on the server without presenting any valid credential.

Because the FGFM port is intentionally accessible from managed FortiGate devices — which may be deployed across customer sites or remote locations — it is often reachable from the internet on FortiManager deployments used by MSPs or enterprises with distributed infrastructure.

1. Identify FortiManager instances with TCP 541 accessible

Scan for FortiManager instances with the FGFM port (TCP 541) reachable. MSP and enterprise FortiManager deployments frequently have this port internet-accessible to manage distributed FortiGate devices at customer or remote sites.

2. Send crafted FGFM protocol request

Send a specially crafted FGFM message to port 541 on the FortiManager server. The unauthenticated request exploits the missing authentication check to reach privileged functionality.

3. Execute commands on FortiManager server

The missing authentication allows the attacker to call FortiManager functions that execute OS commands or manipulate FortiManager configuration with no credentials presented. The commands execute with FortiManager process privileges.

4. Access all managed device configurations

With access to the FortiManager server, the attacker retrieves stored configurations for all managed FortiGate devices, including VPN credentials, firewall rules, certificate private keys, and administrative accounts.

5. Exfiltrate and leverage for further compromise

UNC5820 exfiltrated device configurations and credentials from managed FortiGate devices. This provides a complete blueprint of the target organisation's network security infrastructure and the credentials needed to access VPN endpoints, management interfaces, and internal services.

UNC5820 Campaign and Strategic Objectives

Mandiant's analysis of the UNC5820 FortiJump campaign revealed a threat actor with clear strategic objectives: intelligence collection about network security infrastructure and acquisition of credentials enabling persistent access to managed networks.

UNC5820's post-exploitation activity focused on: enumerating the FortiManager-managed device inventory to understand what networks and organisations were being managed, exfiltrating FortiOS configuration files for all reachable managed devices, extracting credentials and private keys from the exfiltrated configurations, and creating additional administrative objects within FortiManager for potential future access.

The targeting of MSP FortiManager instances is particularly significant. An MSP managing 50 enterprise customers via a single FortiManager deployment represents 50 simultaneous targets — their network configurations, VPN credentials, and firewall rules all exposed by a single FortiManager compromise. This is the same MSP targeting logic seen in ConnectWise ScreenConnect (CVE-2024-1709) and Kaseya VSA (CVE-2021-30116) exploitation.

UNC5820 staged and exfiltrated the configuration files of the FortiGate devices managed by the compromised FortiManager. This data could be used by UNC5820 to further compromise the FortiGate devices managed by the FortiManager, as well as to attack the downstream environments managed by the affected Fortinet customers.

Mandiant FortiJump analysis, October 2024

Patching and Remediating CVE-2024-47575

Patch to a fixed FortiManager version. The FGFM port restriction workaround reduces exposure but does not eliminate it in every scenario, because a compromised managed FortiGate still sits inside the allowlist.

Upgrade FortiManager to a patched version immediately

Patched versions: 7.6.1+, 7.4.5+, 7.2.8+, 7.0.13+, 6.4.15+, 6.2.13+. Verify the running version in FortiManager System Settings > Dashboard. The upgrade path follows standard FortiManager upgrade procedures.

Restrict TCP 541 to known FortiGate device IPs

Apply a local-in policy or firewall rule restricting inbound connections on TCP port 541 to only the IP addresses of managed FortiGate devices. This does not eliminate the vulnerability for devices that may be compromised, but it removes arbitrary internet access to the FGFM port.

Enable IP allowlisting for FortiManager management access

Restrict the FortiManager management interface (HTTPS on port 443 and FGFM on port 541) to allowlisted IP addresses. Fortinet's advisory provides specific configuration steps for adding IP allowlisting via CLI for the FGFM port.

Investigate for UNC5820 indicators of compromise

Review FortiManager logs for unexpected device registrations, configuration export operations, and anomalous API calls. Mandiant's FortiJump advisory includes specific IOCs including file hashes and IP addresses associated with UNC5820 infrastructure.
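The two remediation items above, restricting the FGFM port to managed FortiGate IPs and reviewing logs for unexpected registrations and configuration exports, can be combined into one triage pass: parse the event log, keep only registration and export events, and flag any whose source address is outside the allowlist of known FortiGate IPs. The following is an added example written for this page, not Fortinet or Mandiant tooling. The key=value log layout is modelled on Fortinet syslog, but the field names (`action`, `srcip`, `devname`) and the action values are assumptions, and the sample lines are constructed, not real IoCs from the Mandiant report.

```python
"""Triage FortiManager-style event logs for device registrations and
configuration exports originating outside the FGFM allowlist.
Added example; field names and sample lines are assumptions/constructed."""
import ipaddress
import re
from typing import Dict, Iterable, List, Tuple

# key=value tokens, with optional double-quoted values (Fortinet syslog style)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumed action values for the two event types the page tells you to review.
SUSPICIOUS_ACTIONS = {"device_register", "config_export"}


def parse_kv(line: str) -> Dict[str, str]:
    """Turn one key=value log line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def build_allowlist(cidrs: Iterable[str]) -> List[ipaddress._BaseNetwork]:
    """Parse the CIDRs of managed FortiGate devices (the TCP 541 allowlist)."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def in_allowlist(ip: str, nets: List[ipaddress._BaseNetwork]) -> bool:
    """True if the source IP falls inside any allowlisted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def triage(lines: Iterable[str], allowlist_cidrs: Iterable[str]) -> List[Tuple[str, str, str, str]]:
    """Return (date, action, srcip, devname) for registration/export events
    whose source is not a known managed FortiGate address."""
    nets = build_allowlist(allowlist_cidrs)
    findings = []
    for line in lines:
        ev = parse_kv(line)
        action = ev.get("action")
        src = ev.get("srcip")
        if action not in SUSPICIOUS_ACTIONS or not src:
            continue  # logins etc. are out of scope for this check
        if not in_allowlist(src, nets):
            findings.append((ev.get("date", "?"), action, src, ev.get("devname", "?")))
    return findings


# Constructed sample log lines (not real IoCs); 198.51.100.0/24 is a
# documentation range standing in for an unknown external source.
SAMPLE_LOGS = [
    'date=2024-10-20 time=03:12:44 type=event subtype=dvm action=device_register '
    'srcip=198.51.100.7 devname="FGT-unknown-01" msg="device registered"',
    'date=2024-10-20 time=03:14:02 type=event subtype=dvm action=config_export '
    'srcip=198.51.100.7 devname="customer-A-fw" msg="configuration exported"',
    'date=2024-10-20 time=09:00:10 type=event subtype=dvm action=device_register '
    'srcip=10.20.0.5 devname="site-B-fw" msg="device registered"',
    'date=2024-10-20 time=09:05:00 type=event subtype=system action=login '
    'srcip=10.0.0.9 user="admin"',
]

# Managed FortiGate devices live in 10.20.0.0/16 in this constructed scenario.
MANAGED_FORTIGATE_CIDRS = ["10.20.0.0/16"]

if __name__ == "__main__":
    for date, action, src, dev in triage(SAMPLE_LOGS, MANAGED_FORTIGATE_CIDRS):
        print(f"{date} {action} from {src} (device {dev}) is outside the FGFM allowlist")
```

In practice the allowlist is the same set of addresses you put in the local-in policy for TCP 541, so a hit here means either the allowlist is incomplete or something that is not a managed FortiGate spoke to the FGFM daemon; both warrant a look at the full session around that timestamp.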

Rotate all credentials in managed FortiGate configurations

If the FortiManager was running a vulnerable version with TCP 541 accessible from untrusted networks, assume configurations were exfiltrated. Rotate all VPN credentials, administrative passwords, and SSL certificates for every managed FortiGate device. This is operationally significant for MSPs managing large device fleets.

The bottom line

CVE-2024-47575 follows the same strategic logic as the Ivanti Connect Secure zero-day and the ConnectWise ScreenConnect vulnerability: compromise the management platform, access everything it manages. For FortiManager, 'everything it manages' means the complete security infrastructure of every customer or site under management — a single FortiManager compromise can be strategically equivalent to compromising every managed FortiGate.

MSPs using FortiManager to manage customer environments should treat this as a potential breach of their customer environments, not just a breach of their own infrastructure. The credential and configuration exfiltration documented by Mandiant provides attackers with the means to access any VPN endpoint, management interface, or internal service accessible through the managed FortiGate devices.

Frequently asked questions

What is CVE-2024-47575 (FortiJump)?

CVE-2024-47575 is a CVSS 9.8 missing authentication vulnerability in Fortinet FortiManager and FortiManager Cloud. A remote unauthenticated attacker sends a specially crafted request to the FGFM daemon (the FortiGate-to-FortiManager protocol handler on TCP port 541), bypassing authentication and executing arbitrary code or commands on the FortiManager server.

Which FortiManager versions are affected by CVE-2024-47575?

Affected versions: FortiManager 7.6.0, 7.4.0–7.4.4, 7.2.0–7.2.7, 7.0.0–7.0.12, 6.4.0–6.4.14, 6.2.0–6.2.12. Also: FortiManager Cloud 7.4.1–7.4.4, 7.2.1–7.2.7, 7.0.1–7.0.12, 6.4 (all). Patched versions: FortiManager 7.6.1+, 7.4.5+, 7.2.8+, 7.0.13+, 6.4.15+, 6.2.13+.
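The affected and patched ranges above, together with the patched list in the remediation section, are easy to misread across six branches, so the following added example (written for this page, not a Fortinet tool) encodes them as data and classifies a version string as affected, patched, or unlisted. The branch tables are transcribed from the ranges stated on this page; the product keys and the `unlisted` status are this example's own convention, and the FortiManager Cloud 6.4 entry is open-ended because the page says "6.4 (all)".

```python
"""Classify a FortiManager / FortiManager Cloud version against the
CVE-2024-47575 ranges as listed on this page. Added example, not vendor code."""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Inclusive affected ranges per branch, from the page's "Affected versions" list.
AFFECTED: Dict[str, Dict[str, Tuple[Version, Version]]] = {
    "fortimanager": {
        "7.6": ((7, 6, 0), (7, 6, 0)),
        "7.4": ((7, 4, 0), (7, 4, 4)),
        "7.2": ((7, 2, 0), (7, 2, 7)),
        "7.0": ((7, 0, 0), (7, 0, 12)),
        "6.4": ((6, 4, 0), (6, 4, 14)),
        "6.2": ((6, 2, 0), (6, 2, 12)),
    },
    "fortimanager-cloud": {
        "7.4": ((7, 4, 1), (7, 4, 4)),
        "7.2": ((7, 2, 1), (7, 2, 7)),
        "7.0": ((7, 0, 1), (7, 0, 12)),
        "6.4": ((6, 4, 0), (6, 4, 999)),  # page: "6.4 (all)"; upper bound is a sentinel
    },
}

# First fixed release per branch (page: 7.6.1+, 7.4.5+, 7.2.8+, 7.0.13+, 6.4.15+, 6.2.13+).
FIXED: Dict[str, Version] = {
    "7.6": (7, 6, 1), "7.4": (7, 4, 5), "7.2": (7, 2, 8),
    "7.0": (7, 0, 13), "6.4": (6, 4, 15), "6.2": (6, 2, 13),
}


def parse_version(text: str) -> Version:
    """Parse 'v7.4.4' / '7.4.4' into a comparable (major, minor, patch) tuple."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess(version: str, product: str = "fortimanager") -> str:
    """Return 'affected', 'patched', or 'unlisted' (branch/build not covered by
    the ranges on the page; check the vendor advisory directly)."""
    v = parse_version(version)
    branch = f"{v[0]}.{v[1]}"
    table = AFFECTED[product]
    if branch not in table:
        return "unlisted"
    lo, hi = table[branch]
    if lo <= v <= hi:
        return "affected"
    if branch in FIXED and v >= FIXED[branch]:
        return "patched"
    return "unlisted"


def triage_fleet(inventory: Dict[str, Tuple[str, str]]) -> List[str]:
    """Given {hostname: (product, version)}, return hostnames still affected."""
    return sorted(h for h, (prod, ver) in inventory.items() if assess(ver, prod) == "affected")


if __name__ == "__main__":
    # Constructed inventory for illustration.
    fleet = {
        "fmg-hq": ("fortimanager", "7.4.5"),
        "fmg-msp-01": ("fortimanager", "7.2.7"),
        "fmg-cloud-eu": ("fortimanager-cloud", "6.4.14"),
    }
    print("needs upgrade:", triage_fleet(fleet))
```

A version that is below a branch's first fixed build but not inside the affected range comes back as `unlisted` rather than `patched`, so that nothing outside the page's stated ranges is silently treated as safe.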

Why is compromising FortiManager so dangerous?

FortiManager is the centralised management platform for Fortinet's security fabric — it holds the configurations for all managed FortiGate firewalls, FortiSwitch devices, and FortiAP access points. The configurations contain VPN credentials, firewall rules, routing tables, certificate stores, and administrative credentials. A FortiManager compromise gives an attacker visibility into and control over every Fortinet device under management, potentially affecting thousands of devices across an entire customer environment or MSP portfolio.

Was CVE-2024-47575 exploited as a zero-day?

Yes. Mandiant confirmed exploitation by UNC5820 — a suspected Chinese state-sponsored actor — beginning in June 2024, four months before Fortinet's public advisory on October 23, 2024. Mandiant designated the campaign 'FortiJump.' UNC5820 exfiltrated configuration files, credentials, and other data from managed FortiGate devices via the compromised FortiManager instances.

What data did UNC5820 exfiltrate via CVE-2024-47575?

Mandiant documented UNC5820 exfiltrating device lists, FortiOS configurations, and credentials from the managed FortiGate devices accessible via the compromised FortiManager. This includes VPN credentials, firewall rule sets, and private keys — the complete network security configuration of every managed device.

Sources & references

  1. NVD
  2. Fortinet PSIRT Advisory FG-IR-24-423
  3. Mandiant, FortiJump: Fortinet FortiManager CVE-2024-47575 Zero-Day Exploitation
  4. CISA Known Exploited Vulnerabilities Catalog

Author: Eric Bang

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.