Cyber Security News

FortiManager Devices Mass Compromise Exploiting CVE-2024-47575 Vulnerability

Shadowserver has issued a critical warning about the widespread exploitation of Fortinet FortiManager devices using the recently disclosed CVE-2024-47575 vulnerability.

With a CVSS score of 9.8/10, this critical flaw allows unauthenticated remote attackers to execute arbitrary code or commands on affected systems.

The vulnerability, dubbed “FortiJump,” stems from missing authentication for a critical function in FortiManager’s fgfmd daemon.

Fortinet confirmed that the flaw has been actively exploited in the wild, with attackers primarily focusing on exfiltrating sensitive data from compromised devices.

Shadowserver’s Special Report categorizes affected devices into two groups: those confirmed as compromised (tagged as “CVE-2024-47575-compromised”) and those targeted but not confirmed as compromised (tagged as “CVE-2024-47575-targeted”).

Unless extensive forensic analysis proves otherwise, the organization strongly recommends treating all targeted devices as potentially compromised.

The report highlights that compromised devices may have multiple IP addresses or could have traversed NAT devices, complicating the identification process.

Shadowserver emphasizes the urgency of changing credentials, including passwords and user-sensitive data, for all managed devices connected to affected FortiManager systems.

Mandiant has attributed the attacks to a threat actor tracked as UNC5820. Their analysis reveals that the exploitation campaign has been ongoing since at least June 27, 2024, targeting over 50 FortiManager appliances across various industries.

The mass compromise underscores the critical nature of the vulnerability and the rapid exploitation by threat actors.

Organizations using FortiManager are strongly advised to immediately apply the patches provided by Fortinet or implement recommended workarounds if patching is not feasible.

Shadowserver’s Special Report aims to notify potential victims about this significant breach, even if the events occurred outside its usual 24-hour reporting window.

The organization believes that sharing this retrospective data will provide substantial benefits to its constituents, enabling them to take necessary actions to secure their systems.

As the situation continues to evolve, cybersecurity experts urge organizations to remain vigilant, monitor for indicators of compromise, and promptly report any suspicious activities related to their FortiManager deployments.

Guru Baran
