A vulnerability in Fortinet’s network and security management tool, FortiManager, has been under “mass exploitation” for over three months, according to a report from Google’s threat intelligence arm Mandiant.
CVE-2024-47575 is a missing authentication flaw affecting critical functions in FortiManager that would allow an attacker to use an unauthorized, compromised device to execute arbitrary code or commands on other FortiManager devices.
The report states Mandiant observed a new threat cluster tracked as UNC5820 exploiting the vulnerability from as early as 27 June 2024. During the attacks, UNC5820 exfiltrated configuration data of the FortiGate devices managed by the exploited FortiManager instance.
“This data contains detailed configuration information of the managed appliances as well as the users and their FortiOS256-hashed passwords. This data could be used by UNC5820 to further compromise the FortiManager, move laterally to the managed Fortinet devices, and ultimately target the enterprise environment,” the report states.
Mandiant said it was not able to record the specific requests used by the threat actors to leverage CVE-2024-47575, adding that there was no evidence at the time of writing that UNC5820 has used the stolen configuration data to move laterally to compromise other assets in the environment.
Detailing the earliest observed exploitation attempt in June, Mandiant reported that multiple FortiManager devices received inbound connections from the same IP address.
Simultaneously, the victim’s file system recorded the staging of various Fortinet configuration files in a Gzip archive named ‘/tmp/.tm’.
This archive contained a folder of configuration files for managed FortiGate devices; a database containing additional information of the managed devices; a list of FortiGate serials and their corresponding IP addresses; a global database containing object configurations, policy packages, and header and footer sensor configuration for IPS.
It also contained the current FortiManager version, build, and branch information, Mandiant revealed.
After reviewing the memory of the compromised devices, Mandiant said it did not find any potential malware or signs of further malicious activity.
Mandiant identifies over 50 potential victims
To date, Mandiant reported it had observed over 50 potentially compromised FortiManager devices in various countries across a wide range of industries.
The report stated that Google Cloud notified affected customers whose environments exhibited signs of similar activity.
“Additionally, Google Threat Intelligence ran retrohunts while developing detections for this activity, and manually escalated Pre-Release Detection Rule alerts to affected SecOps customers to assist with detecting exploit attempts of Fortinet devices.”
The vulnerability was only made public on 23 October, but according to the report Fortinet reached out to customers giving them an early warning on their advisory to give them the chance to strengthen their security posture before the details of the flaw went public.
Mandiant published a list of IoCs, mitigation strategies, and workarounds to ensure other organizations can avoid exploitation of CVE-2024-47575.
Firstly, enterprises can limit access to their FortiManager admin portal to only pre approved IP addresses, as well as only allowing permitted FortiGate addresses to communicate with FortiManager.
Organizations can also deny unknown FortiGate Devices from being associated with FortiManager. Security teams should note these workarounds are available for versions 7.2.5, 7.0.12, and 7.4.3, and later, but not functional on 7.6.0.
