An unknown threat actor has compromised a significant number of Fortinet devices across various industries, raising concerns about the potential next steps of this malicious individual or group.
The Cybersecurity and Infrastructure Security Agency (CISA) recently added a critical vulnerability, CVE-2024-47575, to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability affects Fortinet's FortiManager, the central console used to manage Fortinet firewalls, access points, ADCs, and email gateways. With the ability to manage up to 100,000 devices from a single interface, FortiManager is an efficient tool for IT administration, but that same central position also makes it a prime target for attackers.
Mandiant has identified the threat actor UNC5820 as the entity responsible for exploiting CVE-2024-47575 to compromise over 50 instances of FortiManager. By gaining access to these instances, the threat actor was able to extract information about the devices connected to them, potentially setting the stage for future attacks. However, as of now, no malicious activities following this breach have been observed.
CVE-2024-47575 is a critical flaw in the fgfmd daemon, the core component that handles communication between FortiManager and the devices it manages. The vulnerability allows a remote, unauthenticated attacker to execute arbitrary code or commands on the targeted system, earning it a critical severity score of 9.8 out of 10 on the Common Vulnerability Scoring System (CVSS).
In the incidents attributed to UNC5820, the threat actor extracted sensitive files from multiple FortiManager instances, including configuration data for the managed devices and hashed passwords. Researchers also uncovered an attempt by the threat actor to register an unauthorized Fortinet device on a targeted FortiManager console. While these actions could have laid the groundwork for more aggressive attacks, there is currently no evidence of such follow-on activity.
To address the ongoing threat posed by CVE-2024-47575, organizations whose FortiManager devices are exposed are advised to conduct thorough forensic investigations rather than assume they were not affected. Fortinet's FortiGuard Labs has also issued remediation recommendations, including workarounds for situations where an immediate software upgrade is not possible.
In response to inquiries from Dark Reading, Fortinet emphasized its commitment to promptly communicating critical information and resources to customers following the discovery of CVE-2024-47575. The company reiterated its dedication to responsible disclosure practices and urged customers to follow the provided guidance for implementing necessary workarounds and fixes. Fortinet also stated its ongoing collaboration with governmental agencies and industry organizations to address the security implications of this vulnerability.
As the situation unfolds, organizations are urged to remain vigilant and take proactive measures to secure their Fortinet devices against potential exploitation by threat actors like UNC5820. By following the recommended guidance and staying informed of updates, businesses can mitigate the risks posed by vulnerabilities like CVE-2024-47575 in their infrastructure.