High-severity FortiManager bug being exploited by hackers
2024-10-24 04:31:10 Author: therecord.media

The cybersecurity company Fortinet has publicly disclosed a vulnerability being exploited by hackers that affects a key tool allowing companies to manage multiple products in a single pane. 

Fortinet had been privately warning customers about the vulnerability — which affects FortiManager and is tagged as CVE-2024-47575 — since October 13 but began to face pressure to release details publicly after users began to speak out on Reddit and other social media sites with their concerns.

The security giant released a public advisory about it on Wednesday, confirming exploitation reports and warning that several versions of FortiManager, as well as FortiManager Cloud, are affected. A patch has been released and the company has listed several workarounds users can deploy. 

“The identified actions of this attack in the wild have been to automate via a script the exfiltration of various files from the FortiManager which contained the IPs, credentials and configurations of the managed devices,” Fortinet explained. 

“At this stage, we have not received reports of any low-level system installations of malware or backdoors on these compromised FortiManager systems. To the best of our knowledge, there have been no indicators of modified databases, or connections and modifications to the managed devices.”

The bug carries a critical severity score of 9.8 and allows hackers to steal troves of sensitive information that would facilitate further access. 

The Cybersecurity and Infrastructure Security Agency (CISA) confirmed its exploitation in an advisory on Wednesday, giving federal civilian agencies until November 13 to patch the issue. 

CISA said it is not clear whether ransomware gangs are exploiting the bug, but cybersecurity expert Kevin Beaumont, who has been warning about it since October 13, said it is being used by nation-state attackers.

Beaumont dubbed the bug ‘FortiJump’ and said on Tuesday that nearly 60,000 FortiManager instances are exposed on the internet, with more than 13,200 in the U.S.

He noted that a threat actor exploiting the bug has been using another Fortinet vulnerability from February — CVE-2024-23113 — as an entry point before exploiting CVE-2024-47575 for wider access. CISA warned federal civilian agencies two weeks ago that the earlier bug was being exploited and gave them until October 30 to patch.

“From the FortiManager, you can then manage the legit downstream FortiGate firewalls, view config files, take credentials and alter configurations,” Beaumont said in a blog. “Because MSPs — Managed Service Providers — often use FortiManager, you can use this to enter internal networks downstream.”

Fortinet customers who spoke to Ars Technica and BleepingComputer expressed frustration with the company’s decision to wait weeks before publicly disclosing the bug, with several taking to Reddit to complain about being unaware of the issue. 


Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.


Article source: https://therecord.media/high-severity-fortimanager-bug-being-exploited