New Fortinet Zero-Day Exploited for Months Before Patch


A zero-day vulnerability patched recently by Fortinet has been exploited by threat actors since at least June 2024, according to Google Cloud’s Mandiant. 

Reports emerged roughly 10 days ago that Fortinet had started privately notifying customers about a FortiManager vulnerability that could be exploited by remote, unauthenticated attackers for arbitrary code execution.

FortiManager is a product that enables customers to centrally manage their Fortinet devices, particularly FortiGate firewalls.

Researcher Kevin Beaumont, who has been tracking reports of the vulnerability since the issue came to light, noted that Fortinet customers had initially only been provided with mitigations and the company later started releasing patches.

Fortinet publicly disclosed the vulnerability and announced its CVE identifier — CVE-2024-47575 — on Wednesday. The company also informed customers about the availability of patches for each impacted FortiManager version, as well as workarounds and recovery methods. 

Fortinet said the vulnerability has been exploited in the wild, but noted, “At this stage, we have not received reports of any low-level system installations of malware or backdoors on these compromised FortiManager systems. To the best of our knowledge, there have been no indicators of modified databases, or connections and modifications to the managed devices.” 

Mandiant, which has helped Fortinet investigate the attacks, revealed in a blog post published late on Wednesday that to date it has seen over 50 potential victims of these zero-day attacks. These entities are from various countries and multiple industries.  

Mandiant said it currently lacks sufficient data to make an assessment regarding the threat actor’s location or motivation, and tracks the activity as a new threat cluster named UNC5820.


The company has seen evidence suggesting that CVE-2024-47575 has been exploited since at least June 27, 2024. 

According to Mandiant’s researchers, the vulnerability allows threat actors to exfiltrate data that “could be used by the threat actor to further compromise the FortiManager, move laterally to the managed Fortinet devices, and ultimately target the enterprise environment.”

Beaumont, who has named the vulnerability FortiJump, believes that the flaw has been exploited by state-sponsored threat actors to conduct espionage through managed service providers (MSPs).

“From the FortiManager, you can then manage the legit downstream FortiGate firewalls, view config files, take credentials and alter configurations. Because MSPs […] often use FortiManager, you can use this to enter internal networks downstream,” Beaumont said. 

Beaumont, who runs a FortiManager honeypot to observe attack attempts, pointed out that there are tens of thousands of internet-exposed systems, and owners have been slow to patch known vulnerabilities, even ones exploited in the wild. 

Indicators of compromise (IoCs) for attacks exploiting CVE-2024-47575 have been made available by both Fortinet and Mandiant.

Related: Organizations Warned of Exploited Fortinet FortiOS Vulnerability

Related: Recent Fortinet FortiClient EMS Vulnerability Exploited in Attacks

Related: Fortinet Patches Code Execution Vulnerability in FortiOS
