UNC5820 Exploits FortiManager Zero-Day Vulnerability (CVE-2024-47575)
Fortinet and Mandiant investigated the mass exploitation of FortiManager devices via CVE-2024-47575, impacting 50+ systems across industries. Threat actor UNC5820 used the flaw for data theft and unauthorized access.
Fortinet and Google's Mandiant collaborated in October 2024 to investigate the mass exploitation of FortiManager appliances through CVE-2024-47575; the investigation identified 50+ potentially compromised devices across various industries.
The vulnerability is a missing-authentication flaw (CWE-306) in the fgfmd daemon, which handles the FortiGate-to-FortiManager (FGFM) protocol, and lets an unauthenticated remote attacker execute arbitrary code or commands on a vulnerable FortiManager via crafted requests. It has been actively exploited by a threat group that Mandiant tracks as UNC5820.
FortiManager is a centralized management solution by Fortinet that enables organizations to manage and configure multiple Fortinet security devices, such as FortiGate firewalls, from a single interface.
According to Mandiant's blog post, the earliest observed exploitation took place on June 27, 2024, and activity continued through September 22, 2024, including data exfiltration and apparent attempts at persistence. The evidence of exploitation consisted of inbound connections to the appliances, outbound connections from them, and files created or modified on disk, which the threat actor used to gain unauthorized access and steal sensitive information.
The primary objective appears to have been the theft of configuration data from compromised FortiManager devices. This data included detailed information about the managed Fortinet devices, usernames, and FortiOS256-hashed passwords.
The threat actor exploited vulnerable FortiManager devices from IP address 45.32.41.202, connecting inbound to the FGFM service on TCP port 541. The configuration files of the managed devices, which contain critical data about those devices, were then staged in a compressed archive at /tmp/.tm (a dot-prefixed, hidden file in the temporary directory).
Shortly after, outbound network traffic was observed, with varying destination IP addresses across incidents. In one case, the threat actor’s device was registered with the compromised FortiManager, suggesting an attempt to establish long-term access.
The report provides a detailed timeline of observed attacker activity, including specific dates, times, and network traffic details. This can help identify potential compromises within your own environment.
Figure: Threat actor's device added to the Global Objects database, and an unauthorized device listed in the FortiManager console (via Google Mandiant).
Tim Peck, Senior Threat Researcher at Securonix, weighed in on the situation, urging companies to install the patches.
“The risk posed by CVE-2024-47575 is significant, especially for large enterprises due to its potential for remote code execution. Damages can range from unauthorized access and data theft to critical disruptions,” Tim warned.
“Affected organizations should apply the October 24 patch, review access logs for suspicious activity, and ensure a strong incident response plan. This vulnerability underscores the need for timely patching, network segmentation, and continuous monitoring.”
This campaign illustrates the wider trend of threat actors using zero-day vulnerabilities to gain unauthorized access to sensitive systems. Similar attacks have previously targeted other edge and critical-infrastructure components, such as routers, firewalls, and industrial control systems.
The exploitation of this FortiManager vulnerability is particularly concerning because a single FortiManager instance holds the configurations, credentials, and inventory of every FortiGate it manages, and FortiGate devices are widely deployed in enterprise environments to protect critical infrastructure and data. Compromising the management plane therefore gives an attacker reconnaissance data and a foothold against many downstream devices at once.
In addition to patching, potential mitigation measures include restricting access to the FortiManager admin portal to authorized internal IP addresses, limiting FGFM communication on TCP port 541 to the IP addresses of known FortiGate devices, and configuring FortiManager to deny registration attempts from unknown devices.
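As an added illustration of those three mitigations (this is not configuration from the article or from Fortinet's advisory verbatim), the fragment below contrasts the permissive setting with the hardened one in FortiManager CLI syntax. The option names follow Fortinet's published workaround for this CVE; the `#` lines are explanatory comments rather than CLI input, the IP addresses and subnet are placeholders to be replaced with your own FortiGate and management addresses, and the exact syntax and availability of each option should be checked against the CLI reference for your FortiManager release.

```text
# Permissive: any device that can reach TCP/541 may attempt FGFM registration.
config system global
    set fgfm-deny-unknown disable
end

# Hardened: refuse FGFM registration attempts from devices not already in the inventory
# (option introduced in the 7.0.12 / 7.2.5 / 7.4.3 release lines).
config system global
    set fgfm-deny-unknown enable
end

# Allow FGFM (TCP/541) only from the addresses of managed FortiGates, then deny the rest.
# 192.0.2.10 and 192.0.2.11 are placeholder addresses.
config system local-in-policy
    edit 1
        set action accept
        set dport 541
        set src 192.0.2.10 192.0.2.11
    next
    edit 2
        set action deny
        set dport 541
    next
end

# Restrict the admin portal (HTTPS, TCP/443) to an internal management subnet.
# 10.20.30.0/24 is a placeholder subnet.
config system local-in-policy
    edit 3
        set action accept
        set dport 443
        set src 10.20.30.0/24
    next
    edit 4
        set action deny
        set dport 443
    next
end
```

Order matters in local-in policies: the accept entries for known sources must precede the catch-all deny for the same port, and the deny entries should be added only after confirming that every legitimate FortiGate and administrator address is covered, or you will lock out management traffic.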
Google Cloud provides detection rules for Google SecOps Enterprise+ customers. Other organizations can build SIEM searches from the published IOCs (the source IP address, the /tmp/.tm staging archive, and unexpected device registrations) and monitor FortiManager event logs for unregistered devices being added or edited and for inbound FGFM connections from addresses that are not known FortiGates.
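The following script is an added example of such a custom hunt, written for this article rather than taken from Google's detection rules or from the Mandiant report. It parses FortiManager-style key=value event-log lines and flags the indicators the article lists: an inbound FGFM (port 541) session from the attacker IP 45.32.41.202, a device being added without prior registration, device-manager activity for a device that is not in the operator's inventory, and the /tmp/.tm staging archive. The sample log lines are constructed, and the field names (`srcip`, `dstport`, `path`, `device`) and the `KNOWN_DEVICES` inventory are assumptions to adapt to your own log export.

```python
"""Hunt for UNC5820-style activity in FortiManager event logs (added example).

The log lines below are constructed in the key=value style FortiManager uses
for event logs; field names and the KNOWN_DEVICES inventory are assumptions.
"""
import re
from typing import Dict, List

# Indicators taken from the article: attacker IP, FGFM port, staging archive.
IOC_IPS = {"45.32.41.202"}
IOC_PATHS = {"/tmp/.tm"}
FGFM_PORT = "541"

# Assumed inventory of FortiGates that are allowed to talk to this FortiManager.
KNOWN_DEVICES = {"FGT60F-branch1", "FGT100F-hq"}

# Constructed sample lines (not captured from a real appliance).
SAMPLE_LOGS = [
    'date=2024-06-27 time=03:12:44 type=event subtype=fgfm level=notice '
    'srcip=10.0.5.11 dstport=541 msg="FGFM session established" device="FGT60F-branch1"',
    'date=2024-06-27 time=03:13:02 type=event subtype=fgfm level=notice '
    'srcip=45.32.41.202 dstport=541 msg="FGFM session established" device="localhost"',
    'date=2024-06-27 time=03:13:05 type=event subtype=dvm level=notice user="system" '
    'msg="Unregistered device localhost add succeeded" device="localhost" adom="root"',
    'date=2024-06-27 time=03:14:20 type=event subtype=system level=information '
    'msg="File created" path="/tmp/.tm"',
    'date=2024-06-27 time=03:15:10 type=event subtype=dvm level=notice '
    'msg="Config retrieved" device="FGT60F-branch1" adom="root"',
]

# Matches key=value or key="quoted value with spaces".
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line: str) -> Dict[str, str]:
    """Split one key=value log line into a dict; quoted values keep their spaces."""
    fields: Dict[str, str] = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def check_event(f: Dict[str, str]) -> List[str]:
    """Return the names of every detection rule this event matches."""
    hits: List[str] = []
    # Inbound FGFM session from a known-bad address.
    if f.get("dstport") == FGFM_PORT and f.get("srcip") in IOC_IPS:
        hits.append("fgfm_connection_from_ioc_ip")
    if f.get("subtype") == "dvm":
        # FortiManager accepted a device that was never pre-registered.
        if "Unregistered device" in f.get("msg", ""):
            hits.append("unregistered_device_added")
        # Device-manager activity for a name that is not in our inventory.
        if f.get("device") and f["device"] not in KNOWN_DEVICES:
            hits.append("device_not_in_inventory")
    # The staging archive used for exfiltration.
    if f.get("path") in IOC_PATHS:
        hits.append("ioc_file_path")
    return hits


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Run every rule over every line and return only the matching events."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        f = parse_line(line)
        hits = check_event(f)
        if hits:
            findings.append({
                "when": f"{f.get('date')} {f.get('time')}",
                "srcip": f.get("srcip"),
                "device": f.get("device"),
                "hits": hits,
            })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOGS):
        print(finding)
```

Run against the constructed sample, three of the five lines are flagged: the FGFM session from the attacker IP, the addition of the unregistered "localhost" device (which also fails the inventory check), and the creation of /tmp/.tm. The inventory rule is the one worth keeping after the IOC-specific IPs have rotated, since it catches any rogue registration rather than one attacker's infrastructure.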