CVE REFERENCE | CRITICAL VULNERABILITY
Active ThreatUpdated 11 min read

CVE-2024-47575 Explained: Fortinet FortiManager Missing Authentication, FortiJump

A CVSS 9.8 missing authentication vulnerability in Fortinet FortiManager exploited as a zero-day by a suspected Chinese state actor (UNC5820). FortiManager manages the configurations of thousands of Fortinet devices, compromising it provides access to all managed device credentials and configurations.

Sources:NVD|Fortinet PSIRT Advisory FG-IR-24-423|Mandiant, FortiJump: Fortinet FortiManager CVE-2024-47575 Zero-Day Exploitation|CISA Known Exploited Vulnerabilities Catalog
9.8
CVSS Score
0-day
Exploited before patch
None
Authentication required
50M+
Fortinet devices under FortiManager management

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

CVE-2024-47575, dubbed FortiJump by Mandiant, is a CVSS 9.8 missing authentication vulnerability in Fortinet FortiManager and FortiManager Cloud. An unauthenticated remote attacker sends a crafted request to the FGFM daemon, the protocol handler for FortiGate-to-FortiManager communication on TCP port 541, and achieves code execution on the FortiManager server without any credentials.

Fortinet published the advisory on October 23, 2024. Mandiant confirmed that the Chinese-nexus threat actor UNC5820 had been exploiting the vulnerability since at least June 2024, a four-month zero-day window. CISA added CVE-2024-47575 to the Known Exploited Vulnerabilities catalog the same day as the advisory. The strategic significance of compromising FortiManager is exceptional: it is the management plane for potentially thousands of Fortinet network security devices.

How CVE-2024-47575 Works: Missing Authentication in FGFM

FortiManager uses a proprietary protocol called FGFM (FortiGate to FortiManager) on TCP port 541 to communicate with and manage FortiGate firewall devices. This protocol handles device registration, configuration push, log collection, and management communication between FortiGate devices in the field and the central FortiManager server.

The vulnerability is classified as CWE-306, Missing Authentication for Critical Function. The FGFM daemon exposes certain functionality without enforcing authentication checks. An attacker who can reach TCP port 541 on the FortiManager server can send specially crafted FGFM protocol messages that exploit this missing authentication to execute arbitrary commands on the server without presenting any valid credential.

Because the FGFM port is intentionally accessible from managed FortiGate devices, which may be deployed across customer sites or remote locations, it is often reachable from the internet on FortiManager deployments used by MSPs or enterprises with distributed infrastructure.

1

Identify FortiManager instances with TCP 541 accessible

Scan for FortiManager instances with the FGFM port (TCP 541) reachable. MSP and enterprise FortiManager deployments frequently have this port internet-accessible to manage distributed FortiGate devices at customer or remote sites.

2

Send crafted FGFM protocol request

Send a specially crafted FGFM message to port 541 on the FortiManager server. The unauthenticated request exploits the missing authentication check to reach privileged functionality.

3

Execute commands on FortiManager server

The missing authentication allows the attacker to call FortiManager functions that execute OS commands or manipulate FortiManager configuration with no credentials presented. The commands execute with FortiManager process privileges.

4

Access all managed device configurations

With access to the FortiManager server, the attacker retrieves stored configurations for all managed FortiGate devices, including VPN credentials, firewall rules, certificate private keys, and administrative accounts.

5

Exfiltrate and leverage for further compromise

UNC5820 exfiltrated device configurations and credentials from managed FortiGate devices. This provides a complete blueprint of the target organisation's network security infrastructure and credentials needed to access VPN endpoints, management interfaces, and internal services.

UNC5820 Campaign and Strategic Objectives

Mandiant's analysis of the UNC5820 FortiJump campaign revealed a threat actor with clear strategic objectives: intelligence collection about network security infrastructure and acquisition of credentials enabling persistent access to managed networks.

UNC5820's post-exploitation activity focused on: enumerating the FortiManager-managed device inventory to understand what networks and organisations were being managed, exfiltrating FortiOS configuration files for all reachable managed devices, extracting credentials and private keys from the exfiltrated configurations, and creating additional administrative objects within FortiManager for potential future access.

The targeting of MSP FortiManager instances is particularly significant. An MSP managing 50 enterprise customers via a single FortiManager deployment represents 50 simultaneous targets, their network configurations, VPN credentials, and firewall rules all exposed by a single FortiManager compromise. This is the same MSP targeting logic seen in ConnectWise ScreenConnect (CVE-2024-1709) and Kaseya VSA (CVE-2021-30116) exploitation.

UNC5820 staged and exfiltrated the configuration files of the FortiGate devices managed by the compromised FortiManager. This data could be used by UNC5820 to further compromise the FortiGate devices managed by the FortiManager, as well as to attack the downstream environments managed by the affected Fortinet customers.

Mandiant FortiJump analysis, October 2024
Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Patching and Remediating CVE-2024-47575

Patch to a fixed FortiManager version. The FGFM port restriction workaround reduces but does not eliminate exposure for specific scenarios.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

The bottom line

CVE-2024-47575 follows the same strategic logic as the Ivanti Connect Secure zero-day and the ConnectWise ScreenConnect vulnerability: compromise the management platform, access everything it manages. For FortiManager, 'everything it manages' means the complete security infrastructure of every customer or site under management, a single FortiManager compromise can be strategically equivalent to compromising every managed FortiGate.

MSPs using FortiManager to manage customer environments should treat this as a potential breach of their customer environments, not just a breach of their own infrastructure. The credential and configuration exfiltration documented by Mandiant provides attackers with the means to access any VPN endpoint, management interface, or internal service accessible through the managed FortiGate devices.

This analysis is generic — the platform version scores threats like this against your own stack.

Frequently asked questions

What is CVE-2024-47575 (FortiJump)?

CVE-2024-47575 is a CVSS 9.8 missing authentication vulnerability in Fortinet FortiManager and FortiManager Cloud. A remote unauthenticated attacker sends a specially crafted request to the FGFM daemon (the FortiGate-to-FortiManager protocol handler on TCP port 541), bypassing authentication and executing arbitrary code or commands on the FortiManager server.

Which FortiManager versions are affected by CVE-2024-47575?

Affected versions: FortiManager 7.6.0, 7.4.0–7.4.4, 7.2.0–7.2.7, 7.0.0–7.0.12, 6.4.0–6.4.14, 6.2.0–6.2.12. Also: FortiManager Cloud 7.4.1–7.4.4, 7.2.1–7.2.7, 7.0.1–7.0.12, 6.4 (all). Patched versions: FortiManager 7.6.1+, 7.4.5+, 7.2.8+, 7.0.13+, 6.4.15+, 6.2.13+.

Why is compromising FortiManager so dangerous?

FortiManager is the centralised management platform for Fortinet's security fabric, it holds the configurations for all managed FortiGate firewalls, FortiSwitch devices, and FortiAP access points. The configurations contain VPN credentials, firewall rules, routing tables, certificate stores, and administrative credentials. A FortiManager compromise gives an attacker visibility into and control over every Fortinet device under management, potentially affecting thousands of devices across an entire customer environment or MSP portfolio.

Was CVE-2024-47575 exploited as a zero-day?

Yes. Mandiant confirmed exploitation by UNC5820, a suspected Chinese state-sponsored actor, beginning in June 2024, four months before Fortinet's public advisory on October 23, 2024. Mandiant designated the campaign 'FortiJump.' UNC5820 exfiltrated configuration files, credentials, and other data from managed FortiGate devices via the compromised FortiManager instances.

What data did UNC5820 exfiltrate via CVE-2024-47575?

Mandiant documented UNC5820 exfiltrating device lists, FortiOS configurations, and credentials from the managed FortiGate devices accessible via the compromised FortiManager. This includes VPN credentials, firewall rule sets, and private keys, the complete network security configuration of every managed device.

How do I detect if my FortiManager was compromised via CVE-2024-47575?

Check /var/log/fgfmd.log for unexpected FGFM device registrations and unauthenticated requests. Key indicators: new FortiGate serial numbers appearing in the managed device list that do not correspond to legitimate devices in your inventory, unexpected configuration changes pushed to managed FortiGate devices, and files created in /tmp/ or FortiManager staging directories at unexpected times. Run Fortinet's PSIRT integrity verification script to validate binary integrity. Mandiant's FortiJump report includes YARA rules for UNC5820-specific artifacts and additional hunting queries for Splunk and Microsoft Sentinel.

Sources & references

  1. NVD
  2. Fortinet PSIRT Advisory FG-IR-24-423
  3. Mandiant, FortiJump: Fortinet FortiManager CVE-2024-47575 Zero-Day Exploitation
  4. CISA Known Exploited Vulnerabilities Catalog

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.