BREAKINGBy Xavier Rivera· ·1.5 min read
CISA Sets Friday Deadline for Fortinet EMS Patch
CISA orders federal agencies to patch a critical, exploited Fortinet EMS vulnerability by Friday. The move highlights escalating threats to enterprise management servers and sets a patching precedent for all sectors.
Source:BleepingComputer
Federal agencies face a hard deadline: patch their FortiClient Enterprise Management Server instances against an actively exploited vulnerability by this Friday, or risk CISA's wrath. The U.S. Cybersecurity and Infrastructure Security Agency added CVE-2024-47575 — a critical flaw with a CVSS score of 9.6 — to its Known Exploited Vulnerabilities catalog, confirming real-world attacks are underway.
Fortinet disclosed the zero-click vulnerability last month, allowing unauthenticated attackers to execute arbitrary code via crafted API requests. EMS manages FortiClient endpoints across enterprises, making it a prime target for ransomware groups and nation-states. Federal networks, often early victims of such flaws, now serve as a canary for the broader ecosystem.
This directive echoes CISA's playbook from past crises like Log4Shell, where mandatory patching curbed widespread compromise. Fortinet urges all users to apply the patch immediately, but the government's ultimatum amplifies urgency for private sectors reliant on Fortinet's gear — think healthcare, finance, and critical infrastructure.
Exploits target EMS 7.2.4 and earlier, with attackers chaining it to ransomware deployment. Fortinet reports no widespread incidents yet, but CISA's catalog inclusion means threat actors have proof-of-concept code.
Beyond feds, this pressures vendors to accelerate disclosures and patches. Enterprises scanning for EMS exposures should prioritize now, as attackers pivot from federal honeypots to softer targets.
Expect CISA to follow up with compliance audits next week. For the industry, it reinforces that zero-days demand zero tolerance — patch fast, or pay later.
Expert Take: M365 admins, mirror this urgency by enabling auto-patching for Defender endpoints and auditing Fortinet integrations in Azure for EMS 7.2.x exposures to avoid lateral movement risks.
Fortinet disclosed the zero-click vulnerability last month, allowing unauthenticated attackers to execute arbitrary code via crafted API requests. EMS manages FortiClient endpoints across enterprises, making it a prime target for ransomware groups and nation-states. Federal networks, often early victims of such flaws, now serve as a canary for the broader ecosystem.
This directive echoes CISA's playbook from past crises like Log4Shell, where mandatory patching curbed widespread compromise. Fortinet urges all users to apply the patch immediately, but the government's ultimatum amplifies urgency for private sectors reliant on Fortinet's gear — think healthcare, finance, and critical infrastructure.
Exploits target EMS 7.2.4 and earlier, with attackers chaining it to ransomware deployment. Fortinet reports no widespread incidents yet, but CISA's catalog inclusion means threat actors have proof-of-concept code.
Beyond feds, this pressures vendors to accelerate disclosures and patches. Enterprises scanning for EMS exposures should prioritize now, as attackers pivot from federal honeypots to softer targets.
Expect CISA to follow up with compliance audits next week. For the industry, it reinforces that zero-days demand zero tolerance — patch fast, or pay later.
Expert Take: M365 admins, mirror this urgency by enabling auto-patching for Defender endpoints and auditing Fortinet integrations in Azure for EMS 7.2.x exposures to avoid lateral movement risks.
EXPERT TAKE
M365 admins should immediately inventory FortiClient EMS integrations in Entra ID and apply Fortinet's patch to prevent API-based exploits chaining into Microsoft ecosystems.
securityCISAFortinetvulnerability