CVE-2024-47575
In short
FortiManager is missing authentication checks for critical functions, allowing anyone to send specially crafted requests and execute arbitrary code or commands on the system. This is a severe vulnerability that requires immediate patching.
Technical detail
CWE-306 (Missing Authentication for Critical Function) in FortiManager versions 6.2.0–7.6.0 and corresponding Cloud versions allows unauthenticated attackers to execute arbitrary code/commands via specially crafted requests to critical endpoints. No authentication is enforced before processing sensitive operations, enabling remote code execution without valid credentials.
Summary generated and translated by AI from the official description.
A missing authentication for critical function in FortiManager 7.6.0, FortiManager 7.4.0 through 7.4.4, FortiManager 7.2.0 through 7.2.7, FortiManager 7.0.0 through 7.0.12, FortiManager 6.4.0 through 6.4.14, FortiManager 6.2.0 through 6.2.12, Fortinet FortiManager Cloud 7.4.1 through 7.4.4, FortiManager Cloud 7.2.1 through 7.2.7, FortiManager Cloud 7.0.1 through 7.0.12, FortiManager Cloud 6.4.1 through 6.4.7 allows an attacker to execute arbitrary code or commands via specially crafted requests.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:U/RC:C
Affected products
Fortinet · FortiManager
Public PoCs found: 2
github: github.com/watchtowrlabs/Fortijump-Exploit-CVE-2024-47575 (★ 98)
github: github.com/AnnnNix/CVE-2024-47575 (★ 0)
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.