Fortinet FortiManager flaw exploited in zero-day attacks (CVE-2024-47575)
Fortinet has finally made public information about CVE-2024-47575, a critical FortiManager vulnerability that attackers have exploited as a zero-day.
About CVE-2024-47575
CVE-2024-47575 is a vulnerability stemming from missing authentication for a critical function in FortiManager’s fgfmd daemon. Remote, unauthenticated attackers could exploit the flaw to execute arbitrary code or commands via specially crafted requests.
It affects various versions of FortiManager and FortiManager Cloud, as well as some older FortiAnalyzer models.
“Reports have shown this vulnerability to be exploited in the wild,” Fortinet’s advisory states.
“The identified actions of this attack in the wild have been to automate via a script the exfiltration of various files from the FortiManager which contained the IPs, credentials and configurations of the managed devices. At this stage, we have not received reports of any low-level system installations of malware or backdoors on these compromised FortiManager systems. To the best of our knowledge, there have been no indicators of modified databases, or connections and modifications to the managed devices.”
The advisory recommends upgrading to fixed versions, outlines possible workarounds, and provides known indicators of compromise (IoCs).
Imperfect disclosure
Roughly ten days ago, Fortinet shared details about the flaw and mitigation advice with a subset of customers. The private notification wasn’t meant to be shared outside of the recipients’ organizations.
But the vulnerability was already being exploited, and news travels quickly in cybersecurity circles. Respected independent security researcher Kevin Beaumont, who wasn’t among the people who received Fortinet’s notification, started piecing together information and sharing it online.
“The threat actor has been combo’ing the other CISA KEV vuln (from earlier in the year) to enter FortiGate, then used this to enter the managing FortiManager, and then using that to go back downstream – i.e. jumping over zoned networks,” he summed up the in-the-wild attacks.
Caitlin Condon, vulnerability research director at Rapid7, has confirmed that their customers “have also reported receiving communications from service providers indicating the vulnerability may have been exploited in their environments.”
Fortinet told Help Net Security that it promptly communicated critical information and resources to customers after identifying the vulnerability.
“This is in line with our processes and best practices for responsible disclosure to enable customers to strengthen their security posture prior to an advisory being publicly released to a broader audience, including threat actors. We urge customers to follow the guidance provided to implement the workarounds and fixes and to continue tracking our advisory page for updates. We continue to coordinate with the appropriate international government agencies and industry threat organizations as part of our ongoing response.”
UPDATE (October 24, 2024, 11:00 a.m. ET):
“In October 2024, Mandiant collaborated with Fortinet to investigate the mass exploitation of FortiManager appliances across 50+ potentially compromised FortiManager devices in various industries,” Mandiant’s analysts shared on Thursday.
They say that a new threat cluster – tracked as UNC5820 – has been exploiting the FortiManager vulnerability as early as June 27, 2024.
“UNC5820 staged and exfiltrated the configuration data of the FortiGate devices managed by the exploited FortiManager. This data contains detailed configuration information of the managed appliances as well as the users and their FortiOS256-hashed passwords.”
This data could be used to further compromise the FortiManager, move laterally to the managed Fortinet devices, and target the enterprise environment, they said, but noted that they found no evidence that the threat actors actually used the data to achieve that.
Known IoCs have been included in the report.