Fortinet releases patches for undisclosed critical FortiManager vulnerability

In the last couple of days, Fortinet has released critical security updates for FortiManager, to fix a critical vulnerability that is reportedly being exploited by Chinese threat actors.

Security updates are trickling out

The company, which is known for pushing out fixes for critical vulnerabilities before disclosing their existence to the public, privately notified select customers a week ago and shared temporary mitigation advice.

The advice apparently includes configuring FortiManager to prevent devices with an unknown serial number (i.e., unauthorized devices) from registering with or connecting to it.

Limiting access to FortiManager installations is also generally a good idea, but implementing the patches once they are released is essential. Some are already available from Fortinet’s support portal.

No CVE, no details (yet)

The company has yet to publicly reveal details about or the CVE associated with this vulnerability, though the suggested mitigation might indicate that the issue resides in the “Fortigate to FortiManager” (fgfm) connection / communication / management capability.

Whether it is related to CVE-2024-23113 – a format string vulnerability that affects the FortiOS fgfm daemon – is open to speculation.

CVE-2024-23113 was patched earlier this year in FortiOS, FortiPAM, FortiProxy and FortiWeb. In early October, CISA confirmed that it is being exploited by attackers.
