Headline
UNC5820 Exploits FortiManager Zero-Day Vulnerability (CVE-2024-47575)
Fortinet and Mandiant investigated the mass exploitation of FortiManager devices via CVE-2024-47575, impacting 50+ systems across industries. Threat…
Fortinet and Mandiant investigated the mass exploitation of FortiManager devices via CVE-2024-47575, impacting 50+ systems across industries. Threat actor UNC5820 used the flaw for data theft and unauthorized access.
Fortinet and Google’s Mandiant collaborated in October 2024 to investigate the mass exploitation of FortiManager appliances across 50+ potentially compromised devices across various industries due to CVE-2024-47575.
This vulnerability, which allows attackers to execute arbitrary code on compromised FortiManager devices, has been actively exploited by a threat group tracked by Mandiant as UNC5820.
FortiManager is a centralized management solution by Fortinet that enables organizations to manage and configure multiple Fortinet security devices, such as FortiGate firewalls, from a single interface.
According to their blog post, the attack began on June 27, 2024, and continued through September 22, 2024, with further data exfiltration and potential persistence attempts. The threat actor exploited the FortiManager vulnerability, using inbound and outbound connections, file creation, and modification to gain unauthorized access and steal sensitive information.
Their primary objective seems to be stealing configuration data from compromised FortiManager devices. This data included detailed information about managed Fortinet devices, usernames, and FortiOS256-hashed passwords.
Threat actors exploited vulnerable FortiManager devices by connecting to IP address 45.32.41.202 on port 541. They staged configuration files containing critical data about managed devices in a compressed archive named /tmp/.tm.
Shortly after, outbound network traffic was observed, with varying destination IP addresses across incidents. In one case, the threat actor’s device was registered with the compromised FortiManager, suggesting an attempt to establish long-term access.
The report provides a detailed timeline of observed attacker activity, including specific dates, times, and network traffic details. This can help identify potential compromises within your own environment.
Threat actor’s device added to Global Objects database and Unauthorized device listed in FortiManager console (Via Google Mandiant)
Tim Peck, Senior Threat Researcher, Securonix weighed in on the situation, urging companies to install patches.
“The risk posed by CVE-2024-47575 is significant, especially for large enterprises due to its potential for remote code execution. Damages can range from unauthorized access and data theft to critical disruptions,” Tim warned.
“Affected organizations should apply the October 24 patch, review access logs for suspicious activity, and ensure a strong incident response plan. This vulnerability underscores the need for timely patching, network segmentation, and continuous monitoring.”
This attack campaign explains the trend of cybercriminals leveraging zero-day vulnerabilities to gain unauthorized access to sensitive systems. In the past, we have seen similar attacks targeting other critical infrastructure components, such as routers, firewalls, and industrial control systems.
The exploitation of this FortiManager vulnerability is particularly concerning due to the widespread use of FortiGate devices in enterprise environments. These devices are often used to protect critical infrastructure and data, making them a valuable target for attackers.
Potential mitigation measures include limiting access to the FortiManager admin portal to authorized internal IP addresses, limiting communication to only permitted FortiGate devices, and denying registration attempts from unknown devices.
Google Cloud provides detection rules for Google SecOps Enterprise+ customers, and organizations can develop custom SIEM searches based on provided IOCs and monitor FortiManager logs for suspicious activity.
- CISA and Fortinet Warns of New FortiOS Zero-Day Flaws
- Hackers Exploiting Critical Flaws in Fortinet VPN – FBI-CISA
- Hackers dump login Details of Fortinet VPN users in plain-text
- Hackers leak login credentials of vulnerable Fortinet SSL VPNs
- Fortinet Confirms Data Breach as Hacker Leaks 440GB of Data
Related news
This Metasploit module exploits a missing authentication vulnerability affecting FortiManager and FortiManager Cloud devices to achieve unauthenticated RCE with root privileges. The vulnerable FortiManager versions are 7.6.0, 7.4.0 through 7.4.4, 7.2.0 through 7.2.7, 7.0.0 through 7.0.12, 6.4.0 through 6.4.14, and 6.2.0 through 6.2.12. The vulnerable FortiManager Cloud versions are 7.4.1 through 7.4.4, 7.2.1 through 7.2.7, 7.0.1 through 7.0.12, and 6.4 (all versions).
About the Remote Code Execution – FortiManager “FortiJump” (CVE-2024-47575) vulnerability. FortiManager is a centralized solution for configuring, enforcing policies, updating, and monitoring Fortinet network devices. 🔻 The vulnerability was released on October 23. A missing authentication for critical function in the FortiManager fgfmd (FortiGate-to-FortiManager) daemon allows remote attacker to execute arbitrary code or commands via […]
About Remote Code Execution – FortiManager “FortiJump” (CVE-2024-47575) vulnerability. FortiManager is a centralized solution for configuring, enforcing policies, updating, and monitoring Fortinet network devices. 🔻 The vulnerability was released on October 23. A missing authentication for critical function in the FortiManager fgfmd (FortiGate-to-FortiManager) daemon allows remote attacker to execute arbitrary code or commands via specially […]
Cybersecurity news can sometimes feel like a never-ending horror movie, can't it? Just when you think the villains are locked up, a new threat emerges from the shadows. This week is no exception, with tales of exploited flaws, international espionage, and AI shenanigans that could make your head spin. But don't worry, we're here to break it all down in plain English and arm you with the
An attacker compromised one of Fortinet's most sensitive products and mopped up all kinds of reconnaissance data helpful for future mass device attacks.
Fortinet has confirmed details of a critical security flaw impacting FortiManager that has come under active exploitation in the wild. Tracked as CVE-2024-47575 (CVSS score: 9.8), the vulnerability is also known as FortiJump and is rooted in the FortiGate to FortiManager (FGFM) protocol. "A missing authentication for critical function vulnerability [CWE-306] in FortiManager fgfmd daemon may