Malware & Threats

Fortinet Confirms Zero-Day Exploit Targeting FortiManager Systems

Fortinet confirms zero-day exploits hitting critical (CVSS severity score 9.8/10) remote code execution bug in the FortiManager platform.

Fortinet vulnerability

Another critical Fortinet zero-day has been discovered being exploited in-the-wild.

The US government’s cybersecurity agency CISA on Wednesday called urgent attention to a critical vulnerability in Fortinet’s FortiManager platform and warned that remote hackers are already launching code execution exploits.

The security defect, tracked as CVE-2024-47575, is documented as a  “missing authentication for critical function vulnerability” in the FortiManager fgfmd daemon.

According to a critical-severity Fortinet advisory, the bug opens the door for remote unauthenticated attackers to execute arbitrary code or commands via specially crafted requests. It carries a CVSS severity score of 9.8/10.

“Reports have shown this vulnerability to be exploited in the wild,” the company said. 

“The identified actions of this attack in the wild have been to automate via a script the exfiltration of various files from the FortiManager which contained the IPs, credentials and configurations of the managed devices,” Fortinet added.

Advertisement. Scroll to continue reading.

Fortinet said it has not received reports of any low-level system installations of malware or backdoors on compromised FortiManager systems. “To the best of our knowledge, there have been no indicators of modified databases, or connections and modifications to the managed devices,” the company said.

Fortinet urged users to upgrade immediately to fixed versions across multiple product lines, with patches available for versions 7.0, 7.2, 7.4, and 7.6 of FortiManager. 

The company also published IOCs and technical workarounds to limit exposure by implementing IP whitelists and enabling certificate-based authentication

Affected users are being pushed to to reset credentials and thoroughly audit logs for signs of unauthorized activity starting from the known compromise date.

Since 2002, there have been at least 8 documented Fortinet zero-days added to CISA’s KEV (Known Exploited Vulnerabilities) catalog. These include gaping holes in the FortiOS SSL-VPN, FortiOS and FortiOS sslvpnd.

FortiManager is an enterprise-facing product used in network management and security operations.

Related: Organizations Warned of Exploited Fortinet FortiOS Vulnerability

Related: Fortinet Patches Code Execution Vulnerability in FortiOS

Related: Recent Fortinet FortiClient EMS Vulnerability Exploited in Attacks

Related: Fortinet Patches Critical Vulnerabilities Leading to Code Execution

Related Content

Network Security

Researchers say credentials harvested from hundreds of thousands of FortiGate firewalls are being used to facilitate ransomware attacks by the INC and Lynx operations.

Ransomware

The Microsoft Defender vulnerability CVE-2026-33825 was exploited in the wild as a zero-day before patches were released.

Malware & Threats

The threat actor is focused on collecting credentials, SSH keys, cryptocurrency wallets, and development tooling.

Vulnerabilities

CVE-2026-20245, the 7th Cisco SD-WAN vulnerability exploited in 2026, was used for months prior to its disclosure and patching.

Vulnerabilities

The flaws allow remote, unauthenticated attackers to make system changes, access underlying accounts, and inject commands.

Cybercrime

Using a custom sniffer, the threat actor has captured over 110 million credentials since at least February 2026.

Network Security

A database of over 86,000 confirmed working credentials was created during the credential-harvesting campaign.

Malware & Threats

The large-scale credential theft campaign hit roughly half of the internet-accessible Fortinet firewalls and VPNs.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.

Exit mobile version