Cybersecurity Alert - Vulnerabilities in FortiManager
Impact: All Firms Using Fortinet’s FortiManager
Firms should review this information with any vendors who provide information technology services to the firm.
Companies that use Fortinet’s FortiManager product could be exposed to a remote, unauthenticated attacker executing arbitrary code or commands due to a critical product vulnerability (CVE-2024-47575), according to two recent alerts from the Cybersecurity & Infrastructure Security Agency (CISA):
- CISA Adds One Known Exploited Vulnerability to Catalog (Oct. 23, 2024)
- Fortinet Updates Guidance and Indicators of Compromise following FortiManager Vulnerability Exploitation (Oct. 30, 2024)
Fortinet’s Product Security Incident Response Team (PSIRT) also published an Advisory regarding this vulnerability with details regarding the vulnerable versions of FortiManager, available updates, workarounds, and possible indicators of compromise.
There is currently no information indicating that member firms or the financial services industry are specifically being targeted. We have issued this Alert to inform member firms so that any firm exposed to this potential vulnerability can take appropriate mitigation steps.
For questions related to this Alert or other cybersecurity-related topics, contact the FINRA Cyber and Analytics Unit (CAU). Both the FBI and CISA urge you to promptly report cyber incidents to a local FBI Field Office, the FBI Internet Crime Complaint Center (IC3) at IC3.gov, or CISA via CISA’s 24/7 Operations Center ([email protected] or 888-282-0870).
Note: This Alert does not create new legal or regulatory requirements or new interpretations of existing requirements, nor does it relieve members of any existing obligations under federal securities laws and regulations. Members may consider the information in this Alert in developing new, or modifying existing, practices that are reasonably designed to achieve compliance with relevant regulatory obligations based on a member’s size and business model.