Critical vulnerability in FortiManager actively exploited


Fortinet warns of a potentially very serious vulnerability that is being actively abused, although it initially seemed to have no intention of communicating about it.

Fortinet customers had better read this news extra carefully. The security specialist is communicating about a vulnerability in FortiManager, the central management platform for Fortinet products. “A missing authentication allows outside parties to log into FortiManager without identity verification and remotely run malicious code in the platform via specially crafted requests,” Fortinet writes.

From FortiManager, attackers can move further on the network. Consequently, the vulnerability (CVE-2024-47575) receives a near-maximum CVSS score of 9.8. To emphasize the severity, Fortinet says the vulnerability is also being actively abused. According to expert estimates, at least 60,000 Fortinet customers are vulnerable.

The vulnerability affects several versions of FortiManager and FortiManager Cloud. Fortinet’s bulletin lists which versions are vulnerable and which version you can upgrade to in order to be secure again.

Swept under the rug

Fortinet initially did not appear to have any intention of communicating publicly about the vulnerability. It came to light on Reddit, through a customer who wondered why Fortinet had rolled out an update to FortiManager. The public release notes stated that “no resolved issues have been reported.” Customers were notified privately in mid-October.

Fortinet’s decision not to communicate publicly right away has been met with criticism, including from security expert Kevin Beaumont. Fortinet says it kept the vulnerability under the radar to protect its customers, but according to Beaumont, the company’s main concern was to protect itself.

“I’m not convinced that Fortinet’s narrative that they protect customers by not publicly disclosing a vulnerability effectively protects customers. This vulnerability has been widely exploited for some time. It protects no one by not being transparent, except perhaps itself,” Beaumont writes in his blog.

Perhaps Fortinet didn’t want to be in the news in a negative light again. The security specialist has had a tough year, with multiple vulnerabilities affecting the company’s customers. As icing on the cake, Fortinet itself was also hacked this year.