惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

F
Fortinet All Blogs
美团技术团队
T
Tenable Blog
大猫的无限游戏
大猫的无限游戏
Schneier on Security
Schneier on Security
S
Schneier on Security
博客园_首页
C
Cyber Attacks, Cyber Crime and Cyber Security
I
Intezer
T
Tailwind CSS Blog
GbyAI
GbyAI
C
CERT Recently Published Vulnerability Notes
博客园 - 【当耐特】
IT之家
IT之家
G
Google Developers Blog
C
CXSECURITY Database RSS Feed - CXSecurity.com
P
Privacy International News Feed
Vercel News
Vercel News
Cyberwarzone
Cyberwarzone
N
News and Events Feed by Topic
Application and Cybersecurity Blog
Application and Cybersecurity Blog
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
The Register - Security
The Register - Security
人人都是产品经理
人人都是产品经理
Cisco Talos Blog
Cisco Talos Blog
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
Project Zero
Project Zero
V
V2EX
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
月光博客
月光博客
Hacker News - Newest:
Hacker News - Newest: "LLM"
WordPress大学
WordPress大学
L
LangChain Blog
阮一峰的网络日志
阮一峰的网络日志
MongoDB | Blog
MongoDB | Blog
F
Full Disclosure
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
N
News and Events Feed by Topic
G
GRAHAM CLULEY
H
Hacker News: Front Page
Forbes - Security
Forbes - Security
H
Heimdal Security Blog
L
LINUX DO - 最新话题
L
Lohrmann on Cybersecurity
Apple Machine Learning Research
Apple Machine Learning Research
Help Net Security
Help Net Security
C
Cybersecurity and Infrastructure Security Agency CISA
Recent Announcements
Recent Announcements
C
Cisco Blogs
L
LINUX DO - 热门话题

Todyl Blog

CyberChef: How to Decode & Decrypt Malicious Scripts (Step-by-Step Guide) Achieving Zero Trust with SASE: A Practical Roadmap for Modern Network Securityso like MSP Security Maturity Assessment: Why 79% of MSPs Are Stuck in 2025 The Rising Threat of Malicious AI: What Every Organization Needs to Know Iran Cyber Threat 2026: What SMBs and MSPs Need to Know The OneStart AI Browser Deception Cyber Insurance Requirements Based on Industry Why Third-Party Security Certification Is Your MSP's Competitive Edge Why Cyber Insurance Carriers Are Shifting to Security Assurance Iran Conflict and Cyber Risk: What North American Organizations Need to Know ‍ Why Cyber Resilience Requires Security, Compliance, and Insurance MSP Security Services: How to Position Identity Protection as Competitive Advantage Identity Security Gap Assessment: A Step-by-Step Guide for MSPs How Credential Theft Attacks Are Costing MSP Clients Millions Do I Need Cyber Insurance as a Small Business? Advanced Persistent Threats (APTs) Explained Preparing for CMMC Level 1: What Your Organization Needs to Do The Real Cost of Doing Nothing in Cybersecurity MSP Security: Build vs Buy SOC The Rise of a Cybercrime Alliance: What LockBit, Qilin, and DragonForce Mean for Business Risk Cyber Threat Recovery Strategies for MSPs What MSPs Need to Know about CIRCIA Final Rule ClickFix: The Evolution of Copy-Paste Social Engineering Akira Ransomware: Threat Assessment of a Scalable RaaS Operation The Dos and Don’ts of Applying for a Cyber Insurance Policy What Is Threat Hunting? A Practical Guide for MSPs and SMBs The Business Case for Cyber Threat Management Evaluating Free and Open Source SIEM Tools in 2026 How organizations can combat BEC Using SASE to help meet cyber insurance requirements Introducing the Anomaly Framework Stopping Identity Threats with ITDR through MXDR Security Operations Over Tools Beyond Tools: A Strategic Approach to Data Security Cyber Threat Response Strategies for MSPs Threat Advisory: Email Account Compromise BECs In the Wild: When Millions of People Are Expecting the Same Email Michigan and Wisconsin Proposed Age Verification Bills and the Impact on VPNs and SASE: What You Need to Know Cyber Threat Detection Strategies for MSPs Cyber Threat Prevention Strategies for MSPs Simplifying CMMC Level 1 with Todyl GRC How to Complete Your CMMC Level 1 Self-Assessment: A Step-by-Step Walkthrough Cyber Threats Don't Take Time Off How MSPs Build Lasting Client Relationships Through Proactive Operations Risk Management for MSPs: Why Business Context Changes Everything 5 Pillars for Security Program Growth in 2025 One Action MSPs can take to Address Risk and Secure Clients Building Resilience in a Perimeter-less World with Defense-in-Depth Aligning Technology Implementation to Business Outcomes Top 5 Myths about Cybersecurity How Conditional Access Transforms Your Cybersecurity Program Why MSPs need to embrace a prescriptive model How Texas SB 2610 Positions MSPs as Strategic Risk Advisors Simplifying cybersecurity maturity with managed cloud SIEM Addressing firewall vulnerabilities Understanding the Pitfalls of RDP MSP Zero-Day Response Plan: When Security Tools Can't Help You Old is Gold: Tackling Persistent Vulnerabilities How MXDR drives operational efficiencies Using SASE for secure remote access How to find the best endpoint security solution The Cyber Insurance Crisis: Why MSPs and Their Clients Are Struggling What to ask of a prospective endpoint security vendor Thinking Red, Acting Blue: Turning Attack Tactics in Your Favor Zero-Day Attacks and False Alarms: Lessons for MSPs Dissecting the Recent Rise in 2025 Zero Days MSP Security Monitoring Strategy: Identity and Cloud Blind Spots Introducing the Todyl Community: A Collaborative Platform for MSPs Threat Advisory: PDFast Freeware Compromise Navigating Today’s Cybersecurity Threat Landscape: Where MSPs Should Start Threat Advisory: Understanding the Recent SonicWall SSL VPN Vulnerability and How to Protect Your Clients Partner Spotlight: GoTech IT Solutions Threat Advisory: SQL Injection in FortiClient CVE-2023-48788 The Importance of SSL Inspection Navigating Compliance Frameworks: Common Challenges and Effective Solutions Making the most of SASE Web Filtering Iran & Middle-East Geopolitical Shifts: Emerging Cyber Risks for SMBs MSP Security KPIs That Matter: Beyond Vanity Metrics to Business Outcomes MSP Challenges Looking into 2025 Combining EDR and NGAV for Defense-in-Depth Starting Your Security Framework Journey: A Practical Implementation Guide Cyber Insurance vs. Warranties: Key Risk Management Elements Akira Ransomware: A Persistent Threat to MSP Operations Transforming Cyber Insurance for MSPs and Their Clients Two Truths, Double Whammy: Why Vulnerability Remediation Needs a Rethink Using LAN ZeroTrust for segmentation The role of SIEM in incident response Partner Spotlight: 917 Solutions Threat Advisory: Business Email Compromise Campaign using OVPN for Obfuscation Beyond Implementation: Creating an Ongoing Security Framework Program ClickFix: Fake Captcha Leads to Real Damage Streamlining Security and Compliance Information Gathering with Assessments EpiBrowser: A Sophisticated PUP Masquerading as Chromium Partner Spotlight: AnchorSix Tips to Help MSPs Set Goals for the New Year How SIEM helps detect insider threats Massive Wave of Network Security Vulnerabilities Demands Immediate Action Use cases of SASE: Software-defined perimeter Threat Advisory: LightPerlGirl Malware Why MSPs Must Prioritize CIS Critical Security Controls v8.1 for Client Success
FortiJump: The FortiManager Zero-Day Vulnerability Explained
David Langlands · 2026-01-09 · via Todyl Blog

What happened

On October 23rd, 2024, a zero-day vulnerability in Fortinet’s FortiManager, dubbed "FortiJump," was disclosed as being exploited in the wild. Assigned CVE-2024-47575, the vulnerability allows attackers to execute code remotely on FortiManager devices without authentication.

Why it matters

The root cause lies in the fgfmd daemon, a crucial component of the FortiGate to FortiManager (FGFM) protocol, responsible for communication between FortiGate firewalls and the centralized FortiManager. Exploiting this flaw enables attackers to exfiltrate sensitive configuration data from managed FortiGate devices, including IP addresses, hashed passwords, and detailed network settings. This stolen information could be used to compromise the FortiGate firewalls directly, alter configurations, and pivot to other systems within the network.

Who’s involved

Security researchers at Google/Mandiant investigated the exploitation with Fortinet, identifying a new threat cluster, UNC5820, as the perpetrator. Their analysis revealed that UNC5820 exploited this vulnerability as early as June 2024. Although Fortinet released an advisory and patches for affected versions, concerns remain about the delayed public disclosure and the availability of patches for all vulnerable versions.

Todyl’s response

Upon disclosure on October 23rd, Todyl deployed proactive measures to detect and respond to the FortiJump vulnerability:

  • New detections: We developed and released specific detections to identify exploit attempts targeting FortiManager devices, leveraging insights from the referenced research and known indicators of compromise (IoCs). These detections have been integrated into our security monitoring systems.
  • Targeted threat hunts: We have initiated threat hunting operations across our network and customer environments to search for any evidence of compromise related to FortiJump. These hunts involved analyzing network traffic, logs, and system configurations for suspicious patterns and IoCs.  While we uncovered evidence of attempted compromise related to this CVE, we observed no successful attempts.

Söze similarities

We leveraged our active research on the Söze Syndicate threat group to analyze the TTPs with this new vulnerability.  Some IoCs listed in Fortinet's report matched those discovered in Todyl's investigation of the Söze Syndicate. As a part of our efforts, we have identified many additional IoCs related to this campaign. Todyl is continually monitoring and collaborating with our partners to further identify additional indicators that may be useful in this or other investigations.  

These findings helped Todyl deliver:

  • Faster detection and response: We rapidly identify and react to potential threats related to FortiJump due to our prior awareness of the malicious infrastructure. This expedited response significantly minimized potential damage.
  • Improved threat intelligence: This incident enhanced our understanding of UNC5820 with valuable data, showing how their TTPs differ from those observed from Söze. By analyzing the connections between these seemingly separate actors, we can refine our defenses against future attacks.

What to do / Countermeasures

Organizations using FortiManager should take immediate steps to mitigate their risk as recommended by Fortinet:

Immediate actions

  • Upgrade: Implement the latest patched version of FortiManager as soon as possible.
  • Limit access: Restrict access to the FortiManager admin portal to authorized internal IP addresses only.
  • Whitelist FortiGates: Configure local-in policies to permit only known and trusted FortiGate devices to communicate with FortiManager on port 541.
  • Deny unknown devices: Enable the fgfm-deny-unknown setting to prevent registration of unknown FortiGate devices. This setting is available in FortiManager versions 7.0.12 or above, 7.2.5 or above, and 7.4.3 or above (excluding 7.6.0).

Additional recommendations

  • Use a custom certificate: Consider implementing a custom certificate for FGFM communication to enhance security. Install this certificate on authorized FortiGate devices to prevent unauthorized connections.
  • Monitor logs: Actively monitor FortiManager logs for suspicious activities, particularly events related to device registration and modifications.
  • Change credentials: Change all credentials, including passwords and user-sensitive data, on managed FortiGate devices to mitigate the risk of compromise.

Wrap-up

While immediate steps have been taken to address FortiJump, ongoing vigilance is paramount. We remain committed to:

  • Continuous monitoring for new developments and emerging threats targeting FortiManager and FortiGate devices, including tracking new attack techniques, IOCs, and threat actor activity.
  • Collaboration with law enforcement and ISPs to share threat intelligence and identify other suspicious activities to disrupt malicious infrastructure and prevent further exploitation.
  • Ongoing enhancement of our and our partners’ security posture, implementing robust controls, conducting vulnerability assessments, and fostering a security-aware culture.

We urge all organizations to patch vulnerable systems, implement the recommended mitigations, and maintain heightened awareness to protect against this and future threats.

About David Langlands

Along a 25+ year journey in cybersecurity, David has amassed not just an impressive collection of retro conference badges, but a wealth of experience in leading well-known organizations through prevention, detection, containment, and recovery from significant cyber incidents.

David has been a part of some pretty remarkable teams: from contributing to the team that first brought the web browser into existence to rolling out the first firewalls at AT&T Bell Laboratories. After recent leadership roles at IBM Security and DXC Technology, David is excited to have joined the amazing team at Todyl to fulfill the mission of protecting the businesses we serve from advanced threats.

Security Readiness Checkup

Analyze your operational readiness and get instant assessment-driven insights to strengthen your security posture.

Stay on the Cutting Edge of Security

Subscribe to our newsletter to get our latest insights.