FortiManager update seems to close security gap that has already been attacked
Fortinet has released updates for FortiManager without any public information. They apparently close security vulnerabilities that have been attacked.
(Image: created with AI in Bing Designer by heise online / dmk)
There are growing indications on social networks that Fortinet is using updated versions of FortiManager to seal a vulnerability that is already being attacked in the wild. IT security researcher Kevin Beaumont raised the question on Mastodon at the end of last week as to whether the "FortiManager zero-day situation has already received a CVE entry or a patch".
At the weekend, Beaumont added that six new versions of FortiManager had been released to close the zero-day gap in the product. A CVE entry or a description of the problem is still missing. On Reddit, those affected are asking what the FortiManager 7.2.8 release is good for. The latest posts in the Mastodon thread indicate that malicious actors are apparently registering false FortiGates in FortiManager with hostnames such as "localhost" and misusing them to inject and execute malicious code. Beaumont is a generally well-informed IT security researcher.
Fortinet: Some customers informed
Apparently, Fortinet has already informed some customers "in private" that updates are available and should be installed quickly. The updated versions are FortiManager 7.6.1, 7.4.5, 7.2.8, 7.0.13 and 6.4.15 or newer.
These are available for download from the manufacturer via the channels known to IT managers. Admins should apply the updates quickly, as the vulnerability is being exploited, although currently only according to rumors. The Fortiguard PSIRT overview page (all Fortinet products activated in the link) currently only displays an error message stating that it is not accessible. During the course of the day, however, only older information dating back to last week could be found there. There was no new entry for FortiManager.
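To check an inventory against the updated releases named above, the following added example (not code from heise or Fortinet) classifies each FortiManager version by its branch. The hostnames and versions in the sample inventory are constructed, and the status labels are hypothetical names chosen for this sketch.

```python
import re

# Updated releases named in the article, keyed by (major, minor) branch;
# the value is the lowest patch level the article lists for that branch.
UPDATED = {(7, 6): 1, (7, 4): 5, (7, 2): 8, (7, 0): 13, (6, 4): 15}

# Sort order for the report: hosts that clearly need the update come first.
ORDER = {"needs-update": 0, "branch-not-listed": 1, "unparseable": 2}


def triage(version: str) -> str:
    """Classify one FortiManager version string against the article's list."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        return "unparseable"          # e.g. "7.6" without a patch level
    major, minor, patch = map(int, m.groups())
    fixed = UPDATED.get((major, minor))
    if fixed is None:
        return "branch-not-listed"    # article names no update for this branch
    return "at-or-above-update" if patch >= fixed else "needs-update"


def audit(inventory):
    """Return (host, version, status) for every host that needs attention."""
    rows = [(host, ver, triage(ver)) for host, ver in inventory]
    flagged = [r for r in rows if r[2] != "at-or-above-update"]
    return sorted(flagged, key=lambda r: (ORDER[r[2]], r[0]))


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [
    ("fmg-dc1.example.net", "7.2.7"),
    ("fmg-dc2.example.net", "7.4.5"),
    ("fmg-lab.example.net", "6.2.13"),
    ("fmg-dr.example.net", "v7.0.12"),
    ("fmg-old.example.net", "7.6"),
]

if __name__ == "__main__":
    for host, ver, status in audit(SAMPLE):
        print(f"{status:18} {host:22} {ver}")
```

Hosts reported as `branch-not-listed` or `unparseable` need a manual check, since the article names no updated release for them.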
Around two weeks ago, it became known that further critical Fortinet vulnerabilities had been attacked. The US IT security authority CISA had warned of this. Updates to close the vulnerabilities had been available since February.
(dmk)