
Fortinet FortiManager vulnerability exploited since June


A zero-day vulnerability in Fortinet’s FortiManager has recently come under attack, with Mandiant researchers uncovering exploitation activity dating back to at least late June. The vulnerability, known as CVE-2024-47575, was brought to light in a blog post published by Mandiant on Wednesday, revealing a missing authentication flaw in the FortiManager product management tool.

Collaborating with Fortinet, Mandiant researchers investigated the exploitation of CVE-2024-47575 and found it had been used at scale against more than 50 compromised devices spanning various industries. The cybersecurity company, owned by Google Cloud, identified a threat cluster dubbed UNC5820 that has been actively exploiting the FortiManager flaw since June 27, 2024. UNC5820 has been targeting FortiGate devices managed by the compromised FortiManager, extracting detailed configuration information and FortiOS256-hashed passwords in the process.

The potential repercussions of this vulnerability are grave, as attackers could use the stolen data to compromise additional Fortinet devices managed by FortiManager and gain access to victims’ networks. Despite the severity of the situation, there is no conclusive evidence that threat actors have used the configuration data for lateral movement, leaving researchers unable to pinpoint the motives or location of the attackers.

Mandiant’s investigation revealed multiple exploitation attempts, with the earliest observed on June 27, where an IP address connected to multiple FortiManager devices via TCP port 541. During a subsequent exploitation event on September 23, the threat actor’s device was successfully registered to the targeted FortiManager instance, granting unauthorized access to the system. The clandestine addition of a device serial number and IP address to FortiManager consoles served as a telltale sign of successful exploitation.

To mitigate the risk posed by this zero-day vulnerability, Mandiant issued several recommendations to Fortinet customers, including restricting access to the FortiManager administrator portal to approved internal IP addresses, reconfiguring FortiManager communications to only allow connections from authorized FortiGate devices, and blocking unidentified FortiGate devices from linking with FortiManager.
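The telltale sign described above (an unrecognised device serial number and IP address appearing in the FortiManager console) and the recommendation to allow only authorised FortiGate devices can be combined into a simple reconciliation check. The following is an added example, not code from Mandiant, Fortinet or this article: it reads device-registration events in a constructed, simplified log format (FortiManager's real log format is not assumed here) and flags any registration whose serial number is absent from an authorised inventory, or whose source address differs from the inventoried one.

```python
"""Reconcile FortiManager device registrations against an authorised inventory.

The log format below is constructed for this example; it is a hypothetical
one-line-per-event format, not FortiManager's own log layout.
"""
import re
from dataclasses import dataclass

# Constructed sample events: timestamp, event type, device serial, source IP,
# and the port the device connected on (TCP 541, as in the article).
SAMPLE_LOG = """\
2024-06-27T10:02:11Z devmgr device-add sn=FGT60FTK20000001 src=10.20.30.40 port=541
2024-06-27T10:05:43Z devmgr device-add sn=FGT70FTK00000000 src=203.0.113.77 port=541
2024-09-23T08:17:05Z devmgr device-add sn=FGT100FTK0000002 src=10.20.30.41 port=541
2024-09-23T08:19:30Z devmgr device-add sn=FGT100FTK0000002 src=198.51.100.9 port=541
"""

# Constructed inventory: serial number -> the address the device is expected
# to register from. In practice this comes from the organisation's asset list.
AUTHORIZED = {
    "FGT60FTK20000001": "10.20.30.40",
    "FGT100FTK0000002": "10.20.30.41",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) devmgr device-add sn=(?P<sn>\S+) src=(?P<src>\S+) port=(?P<port>\d+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    serial: str
    src: str
    reason: str


def find_unauthorized_registrations(log_text, authorized):
    """Return one Finding per registration that is not backed by the inventory."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a registration event in the constructed format
        sn, src = m["sn"], m["src"]
        expected = authorized.get(sn)
        if expected is None:
            findings.append(Finding(m["ts"], sn, src, "serial not in inventory"))
        elif expected != src:
            findings.append(Finding(m["ts"], sn, src,
                                    f"registered from unexpected address (inventory: {expected})"))
    return findings
```

Each finding is a candidate for the investigation steps the article describes; a known serial registering from an unexpected address is treated as suspicious as an unknown serial, since either can indicate an attacker-controlled device being enrolled.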

In a bid to proactively address the issue, Fortinet had informed customers about CVE-2024-47575 prior to its public disclosure and collaborated with Mandiant to bolster security measures. By preemptively notifying customers and providing guidance on strengthening security postures, Fortinet aimed to minimize the potential impact of the vulnerability.

As the cybersecurity landscape continues to evolve, swift detection and response to vulnerabilities like CVE-2024-47575 are crucial to safeguarding sensitive data and networks from malicious actors. The collaborative efforts between security researchers, vendors, and customers play a pivotal role in minimizing the impact of zero-day vulnerabilities and fortifying defenses against evolving cyber threats.

