Reference material — not professional advice. Test in staging, back up first, verify against your specific version. Use your own judgment for your environment.
● Critical · CVSS 9.8 ⚠ ACTIVELY EXPLOITED — CISA KEV

How to Fix CVE-2024-47575: FortiManager FortiJump Missing Authentication

*By Sai Kiran Pandrala*

⚡ At a glance
Severity: CVSS 9.8, Critical
Actively exploited? Yes, listed in CISA KEV
Affected: FortiManager 7.x and 6.x, see Fortinet PSIRT FG-IR-24-423 for the exact build matrix
Fixed in: FortiManager 7.6.1, 7.4.5, 7.2.8, 7.0.13, 6.4.15 (and later) per the Fortinet advisory
Type (CWE): CWE-306: Missing Authentication for Critical Function

⚠️ Patch and audit. Mandiant attributed exploitation of this CVE to a cluster they call UNC5820. Multiple organizations were compromised before the public advisory. Treat as live.

What is CVE-2024-47575?

FortiManager is the centralized management platform for Fortinet's FortiGate firewalls. The FortiGate-to-FortiManager (FGFM) protocol on TCP 541 is how managed FortiGates register with the manager and exchange configuration with it. FGFM runs over TLS with Fortinet-issued device certificates, but presenting a valid certificate is where the checking stopped: the fgfmd daemon did not verify that the registering device was authorised, so a peer that can reach TCP 541 and presents a valid Fortinet-signed certificate (in the observed intrusions, one from an attacker-controlled Fortinet appliance) can register an arbitrary "FortiGate" with the manager, and specially crafted requests in that registration flow give the attacker command execution on the FortiManager itself. That is the flaw known publicly as FortiJump.

From there, the attacker can read every managed firewall's configuration, push policy changes to the real managed devices, and pivot deep into the network the FortiManager controls.

Am I affected?

You are affected if you run FortiManager on any build below the fix line for its train in Fortinet PSIRT FG-IR-24-423 (7.6.1, 7.4.5, 7.2.8, 7.0.13 and 6.4.15, per the advisory). A train that does not appear in the fix matrix at all is out of support for this fix and needs the advisory's migration guidance rather than a patch.

To check your FortiManager version:


get system status

The Version line shows the train and patch level (for example v7.4.3 followed by its build number); compare it with the fix line for that train.

Confirm whether FGFM (TCP 541) is reachable from beyond your administrative network, for example with a port scan from an untrusted vantage point. That exposure determines urgency, but internal reachability is still enough for an attacker who already has a foothold in the network.
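The version comparison is train-aware (7.4.4 is vulnerable, 7.2.8 is patched, and 7.4.x versus 7.2.x must never be compared as plain numbers), so here is a small checker for it. This is an added example, not code from the page or from Fortinet: FIXED_IN copies the "Fixed in" row above and must be re-checked against FG-IR-24-423, and SAMPLE_STATUS is a constructed `get system status` excerpt rather than output captured from a real appliance.

```python
"""Added example (not from the page or from Fortinet): decide whether a
FortiManager build is below the CVE-2024-47575 fix line.

Assumptions: FIXED_IN copies this page's 'Fixed in' row (verify against
FG-IR-24-423); SAMPLE_STATUS is a constructed 'get system status' excerpt."""
import re

# Fixed-in build per train, keyed by (major, minor).
FIXED_IN = {
    (7, 6): (7, 6, 1),
    (7, 4): (7, 4, 5),
    (7, 2): (7, 2, 8),
    (7, 0): (7, 0, 13),
    (6, 4): (6, 4, 15),
}

# FortiManager prints the label, padding, a colon, then "v<major>.<minor>.<patch>-build...".
VERSION_RE = re.compile(r"^Version\s*:\s*v(\d+)\.(\d+)\.(\d+)", re.MULTILINE)

# Constructed sample; the build number and date are placeholders.
SAMPLE_STATUS = """\
Platform Type                   : FMG-VM64
Platform Full Name              : FortiManager-VM64
Version                         : v7.4.3-build1234 240101 (GA)
"""


def parse_version(status_output):
    """Return (major, minor, patch) from 'get system status' output."""
    m = VERSION_RE.search(status_output)
    if m is None:
        raise ValueError("no Version line in status output")
    return tuple(int(x) for x in m.groups())


def assess(version):
    """'patched', 'vulnerable', or 'unknown-train' when the train is absent from
    the fix matrix (look such trains up in the advisory; do not assume safe)."""
    fixed = FIXED_IN.get(version[:2])
    if fixed is None:
        return "unknown-train"
    # Tuple comparison only makes sense within one train, which is guaranteed here.
    return "patched" if version >= fixed else "vulnerable"


def check(status_output):
    """One-call helper: parse the status output and assess it."""
    v = parse_version(status_output)
    return {
        "version": "v%d.%d.%d" % v,
        "status": assess(v),
        "fixed_in": FIXED_IN.get(v[:2]),
    }


if __name__ == "__main__":
    print(check(SAMPLE_STATUS))
```

Paste the real `get system status` output into `check()`; a result of `unknown-train` means the train is not in this page's matrix and the advisory, not this script, decides what to do with it.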

How to fix CVE-2024-47575

  1. Open Fortinet PSIRT advisory FG-IR-24-423 for the exact fix matrix, and check the documented upgrade path to the target build; FortiManager upgrades must follow the supported path, and a direct jump between trains is not always supported.
  2. Download the patched FortiManager firmware from the Fortinet support portal and compare the image checksum with the value published on the portal.
  3. Back up the FortiManager configuration (the backup command takes a destination filename after the server address):

   execute backup all-settings ftp <ftp-server> <path>/<backup-file> <user> <pass>

  4. Apply the firmware upgrade via the GUI: System Settings → Dashboard → System Information → Firmware Version → Upload. Or via CLI:

   execute restore image ftp <path>/<image>.out <ftp-server> <user> <pass>

  5. The appliance reboots after the upgrade. Expect 5-10 minutes of management downtime; the managed FortiGates keep enforcing their installed policy while the manager is down.
  6. After the reboot, apply the FGFM restriction Fortinet documented in the advisory if your build supports it (fgfm-deny-unknown, which rejects registration attempts from FortiGate serial numbers the manager does not already know). Patching stops the exploit, but it does not remove anything an attacker already registered, so run the IoC hunt below before trusting the appliance again.

Forensic IoC hunt (critical)

Fortinet's advisory and Mandiant's UNC5820 report publish specific IoCs. Run these checks against your FortiManager whether or not it is already patched, because the patch does not undo a registration the attacker completed earlier:

diagnose dvm device list

Look for managed-device entries you don't recognize, in particular a device named "localhost", and for serial numbers that don't match real devices in your inventory; the advisory lists FMG-VMTM23017412 as the serial the attackers' rogue device registered with. Then review the FortiManager event log (System Settings → Event Log, or wherever you forward it) for the entries the advisory quotes, above all an "Add device" operation performed on localhost with the message "Unregistered device localhost add succeeded", and for connections from the source IP addresses listed in the advisory. The file-system IoCs the advisory names (/tmp/.tm and /var/tmp/.tm) are not reachable from the management CLI; engage Fortinet support or work from a forensic image if you need to check those.
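Exported event logs and the device list are easier to hunt through offline than in the GUI, so here is a small hunter for both. This is an added example, not tooling from Fortinet or Mandiant: the IoC strings, serial and IP addresses in it are the ones published in FG-IR-24-423 (re-copy them from the advisory, since IoC lists get updated), the serial regex is a heuristic for Fortinet-style serials, and the log lines, device-list layout and inventory are constructed samples modelled on the advisory's quoted entries, not real output.

```python
"""Added example (not Fortinet's or Mandiant's code): scan an exported
FortiManager event log for the CVE-2024-47575 IoCs published in FG-IR-24-423
and flag managed-device serials that are not in your inventory.
SAMPLE_LOG, SAMPLE_DVM and INVENTORY are constructed samples."""
import re

# IoCs published in FG-IR-24-423 (re-copy the current list from the advisory).
IOC_MSG_SUBSTRINGS = (
    "Unregistered device localhost add succeeded",
    "Edited device settings (SN FMG-VMTM23017412)",
)
IOC_SERIALS = {"FMG-VMTM23017412"}
IOC_IPS = {"45.32.41.202", "104.238.141.143", "158.247.199.37", "45.32.63.2"}

# key=value pairs; values may be double-quoted and contain commas or spaces.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^\s,]*)')
# Heuristic for Fortinet serials (FGT..., FGVM..., FMG-VM...); tune for your fleet.
SERIAL_RE = re.compile(r"\bF[GM][A-Z0-9-]{8,}\b")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed samples: the first two lines mirror the entries quoted in the
# advisory, the third is a legitimate registration, the fourth is an invented
# connection event carrying one of the published IPs.
SAMPLE_LOG = [
    'type=event,subtype=dvm,pri=notice,desc="Device,manager,generic,information,log",user="device,...",msg="Unregistered device localhost add succeeded" device="localhost" adom="FortiManager" session_id=0 operation="Add device" performed_on="localhost" changes="Unregistered device localhost add succeeded"',
    'type=event,subtype=dvm,pri=notice,desc="Device,Manager,dvm,log,at,Installation",user="System",msg="" adom="root" session_id=0 operation="Modify device" performed_on="localhost" changes="Edited device settings (SN FMG-VMTM23017412)"',
    'type=event,subtype=dvm,pri=notice,desc="Device,manager,generic,information,log",user="admin",msg="Device fgt-branch-1 add succeeded" device="fgt-branch-1" adom="root" operation="Add device" performed_on="fgt-branch-1" changes="Device add succeeded"',
    'type=event,subtype=fgfm,pri=notice,desc="FGFM connection",user="device",msg="connection from 45.32.41.202"',
]

# Constructed 'diagnose dvm device list' excerpt; real column layout varies by build.
SAMPLE_DVM = """
TYPE            OID   SN                HA   IP            NAME          ADOM
fmgfaz-managed  160   FGVM01TM23000001  -    10.1.1.1      fgt-branch-1  root
fmgfaz-managed  161   FGVM01TM23000002  -    10.1.1.2      fgt-branch-2  root
fmgfaz-managed  162   FMG-VMTM23017412  -    45.32.41.202  localhost     root
"""
INVENTORY = {"FGVM01TM23000001", "FGVM01TM23000002"}  # your real FortiGate serials


def parse_event(line):
    """Turn one FortiManager event-log line into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def hunt_log(lines):
    """Return [(reason, line)] for every line that matches a published IoC or
    the registration pattern (an 'Add device' operation performed on localhost)."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        text = " ".join(ev.values())
        reasons = []
        if ev.get("operation") == "Add device" and ev.get("performed_on") == "localhost":
            reasons.append("device registered as localhost")
        reasons += ["IoC string: " + s for s in IOC_MSG_SUBSTRINGS if s in text]
        reasons += ["IoC serial: " + s for s in IOC_SERIALS if s in text]
        reasons += ["IoC IP: " + ip for ip in IP_RE.findall(text) if ip in IOC_IPS]
        hits.extend((r, line) for r in reasons)
    return hits


def unknown_serials(dvm_output, inventory):
    """Serials seen in 'diagnose dvm device list' output but absent from inventory."""
    seen = set(SERIAL_RE.findall(dvm_output))
    return sorted(seen - set(inventory))


if __name__ == "__main__":
    for reason, line in hunt_log(SAMPLE_LOG):
        print(reason, "<-", line[:80])
    print("unknown serials:", unknown_serials(SAMPLE_DVM, INVENTORY))
```

Feed `hunt_log()` the lines of an exported event log and `unknown_serials()` the pasted device list; any hit at all moves you to the compromise procedure below, and an empty result only means the published IoCs are absent, not that the appliance is clean.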

If any IoC is present, treat the FortiManager as compromised:

  1. Do not just upgrade in place, and do not go looking for the fix on the firewalls: FortiOS on the managed FortiGates is not affected by this CVE, and upgrading them does nothing for the manager. Both the fix and the clean-up belong on the FortiManager.
  2. Isolate the appliance (block TCP 541 and administrative access at the perimeter) and preserve evidence before you change anything: export the event log, take a configuration backup, and snapshot the VM if it is virtual.
  3. Rebuild from a known-good firmware image at a fixed build, then either restore a configuration backup taken before the earliest suspicious event or re-add the managed devices by hand, following the recovery methods in FG-IR-24-423.
  4. Assume every managed FortiGate's configuration was exfiltrated. Mandiant reported that UNC5820 pulled the managed devices' configuration data, including user accounts and password hashes, so rotate the credentials, API keys and shared secrets that appear in those configurations.
  5. Confirm the rebuilt appliance reports a fixed build before reconnecting it:

   get system status

If you can't patch immediately

Fortinet documented an interim mitigation: restrict FGFM access to known FortiGate serial numbers:


config system global
    set fgfm-deny-unknown enable
end

This rejects FGFM registration from any FortiGate whose serial isn't already in the FortiManager's known-device list. It's a strong control if you have a stable, fully-inventoried FortiGate fleet, with two limits: it only exists on builds that support the setting (check the advisory for the minimum build in your train), and it does nothing about a rogue device that was registered before you enabled it, which is why the IoC hunt still has to run.

Additionally:
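The advisory's other network-level workaround, for builds that have local-in policies, is an allow-list of FortiGate management addresses on TCP 541. The fragment below is reconstructed from that workaround as an added example, not copied from the page or the advisory; 10.1.1.1 and 10.1.1.2 are placeholder FortiGate addresses, and the exact keyword syntax should be checked against FG-IR-24-423 and the CLI reference for your build before use:

```text
config system local-in-policy
    edit 1
        set action accept
        set dport 541
        set src 10.1.1.1
    next
    edit 2
        set action accept
        set dport 541
        set src 10.1.1.2
    next
    edit 3
        set action deny
        set dport 541
    next
end
```

Policies are evaluated in order, so the catch-all deny must come last; add one accept entry per FortiGate address (or per management subnet) and leave the deny in place even after patching.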

How to verify the fix worked

  1. Confirm the FortiManager version:

   get system status

Output should show the patched build for the train you run (7.6.1, 7.4.5, 7.2.8, 7.0.13, 6.4.15 or later).

  2. Re-run the IoC hunt above. The device list should contain only devices in your inventory, and the event log no "localhost" registrations.
  3. Confirm the FGFM restriction you chose (fgfm-deny-unknown or a local-in policy) survived the upgrade; show system global displays the current setting.
  4. Run an external vulnerability scan against TCP 541. CVE-2024-47575 detection, which scanners generally base on the version the appliance reports, should clear.

Frequently asked questions

Other vulnerabilities in the same area that are worth patching alongside this one:

What is "FortiJump"?

"FortiJump" is the name security researcher Kevin Beaumont gave this CVE when he reported exploitation ahead of the advisory, derived from the way an attacker uses the FortiManager registration to "jump" into the FortiGate management plane. The vulnerability ID is CVE-2024-47575; the nickname and the CVE refer to the same flaw.

Is FortiManager Cloud affected?

FortiManager Cloud appears in the FG-IR-24-423 matrix with its own affected and fixed builds. Fortinet operates that service and applied the fix on its own infrastructure, but any FortiManager instance you run yourself, whatever cloud it sits in, follows the patch procedure above. Confirm the build your tenant or instance reports against the advisory for your specific deployment model.

Is FortiAnalyzer affected?

FortiAnalyzer is in the FG-IR-24-423 advisory because it shares the FGFM-protocol code. Per the advisory, only the listed FortiAnalyzer hardware models are affected, and only when the FortiManager feature set is enabled on them (fmg-status enabled under config system global) and at least one interface has the fgfm service enabled; show system global tells you whether that applies to yours. If it does, apply the corresponding patched FortiAnalyzer build from the same advisory.

*This guide was assembled from the Fortinet PSIRT advisory FG-IR-24-423, NVD record, and CISA KEV listing on 2026-05-25. Always confirm against Fortinet's advisory before applying changes in production.*