Fortinet FortiManager RCE zero-day Flaw Exploited in-the-wild

Fortinet has publicly disclosed a critical zero-day vulnerability in its FortiManager software, identified as CVE-2024-47575. The vulnerability has been actively exploited in the wild.

Due to a missing authentication for a critical function in the FortiManager fgfmd daemon, this vulnerability allows remote unauthenticated attackers to execute arbitrary code or commands through specially crafted requests.

The flaw carries a CVSS v3 score of 9.8, highlighting its severity and potential impact on affected systems.

Reports indicate that the vulnerability has been exploited to automate the exfiltration of sensitive files from FortiManager, including IP addresses, credentials, and managed device configurations.

Mandiant has identified a new threat cluster, UNC5820, exploiting a critical vulnerability in Fortinet’s FortiManager, tracked as CVE-2024-47575.

This vulnerability first observed being exploited on June 27, 2024, allows attackers to exfiltrate sensitive configuration data from FortiGate devices managed by compromised FortiManager systems.

Free Webinar on Protecting Websites & APIs From Cyber Attacks -> Join Here

UNC5820 has been observed staging and exfiltrating configuration data, including detailed information about managed appliances and users’ FortiOS256-hashed passwords.

This data could potentially be used to compromise FortiManager systems further and move laterally across enterprise environments.

Affected Versions and Mitigation

The vulnerability affects multiple versions of FortiManager and FortiManager Cloud:

• FortiManager: Versions 7.6.0, 7.4.0 through 7.4.4, 7.2.0 through 7.2.7, 7.0.0 through 7.0.12, and 6.4.0 through 6.4.14.
• FortiManager Cloud: Versions 7.4.1 through 7.4.4, 7.2 (all versions), and 7.0 (all versions).

Fortinet has released patches for these versions and urges users to upgrade to secure versions immediately.

Additionally, workarounds are available for certain versions, including preventing unknown devices from registering and using custom certificates for authentication.

Fortinet recommends taking immediate action to secure affected systems:

1. Upgrade: Install the latest patches for FortiManager or migrate to a fixed release if using FortiManager Cloud.
2. Review Configurations: Ensure configurations have not been tampered with by comparing them against backups taken before the IoC detection.
3. Change Credentials: Update passwords and user-sensitive data for all managed devices.
4. Isolate Compromised Systems: Keep compromised FortiManager systems isolated from the internet and configure them in offline mode for comparison with new setups.

This zero-day vulnerability underscores the importance of timely patching and vigilant monitoring of network management tools like FortiManager, which are critical components in many organizational IT infrastructures.

Organizations using FortiManager should act swiftly to mitigate the risks associated with this flaw and ensure their networks remain secure against potential exploits.

Indicators of Compromise

Fortinet has provided several indicators of compromise (IoCs) to help organizations detect if their FortiManager systems have been breached:

• Log entries showing unregistered devices being added.
• Specific IP addresses associated with malicious activity: 45.32.41.202, 104.238.141.143, 158.247.199.37, and 45.32.63.2.
• Files located in /tmp/.tm and /var/tmp/.tm directories.

Free Webinar on How to Protect Small Businesses Against Advanced Cyberthreats -> Watch Here