High-severity FortiManager bug being exploited by hackers

Updated Oct. 24 at 11:30am EST with additional details from Mandiant.

The cybersecurity company Fortinet has publicly disclosed a vulnerability being exploited by hackers that affects a key tool allowing companies to manage multiple products in a single pane. 

Fortinet had been privately warning customers about the vulnerability — which affects FortiManager and is tagged as CVE-2024-47575 — since October 13 but began to face pressure to release details publicly after users began to speak out on Reddit and other social media sites with their concerns.

The security giant released a public advisory about it on Wednesday, confirming exploitation reports and warning that several versions of FortiManager, as well as FortiManager Cloud, are affected. A patch has been released and the company has listed several workarounds users can deploy. 

“The identified actions of this attack in the wild have been to automate via a script the exfiltration of various files from the FortiManager which contained the IPs, credentials and configurations of the managed devices,” Fortinet explained. 

“At this stage, we have not received reports of any low-level system installations of malware or backdoors on these compromised FortiManager systems. To the best of our knowledge, there have been no indicators of modified databases, or connections and modifications to the managed devices.”

The bug carries a critical severity score of 9.8 and allows hackers to steal troves of sensitive information that would facilitate further access. 

Cybersecurity firm Mandiant on Wednesday night said it worked with Fortinet to investigate more than 50 potentially compromised FortiManager devices across “various industries” throughout the month of October.

“Mandiant observed a new threat cluster we now track as UNC5820 exploiting the FortiManager vulnerability as early as June 27, 2024. UNC5820 staged and exfiltrated the configuration data of the FortiGate devices managed by the exploited FortiManager,” Mandiant explained in an advisory.

“This data contains detailed configuration information of the managed appliances as well as the users and their FortiOS256-hashed passwords. This data could be used by UNC5820 to further compromise the FortiManager, move laterally to the managed Fortinet devices, and ultimately target the enterprise environment.”

After the initial exploitation attempt in June, they saw a second attempt on September 23. Google Cloud notified customers who had been affected.

The company added that there is “no evidence that UNC5820 leveraged the obtained configuration data to move laterally and further compromise the environment.”

Mandiant is unable to identify where the threat actor is located or what their motivation is. The advisory warns that any organization with FortiManager exposed to the internet should conduct a forensic investigation immediately.

The Cybersecurity and Infrastructure Security Agency (CISA) confirmed the bug’s exploitation in an advisory on Wednesday, giving federal civilian agencies until November 13 to patch the issue. 

CISA said it is not clear whether ransomware gangs are exploiting the bug, but cybersecurity expert Kevin Beaumont, who has been warning about it since October 13, said it is being used by nation-state attackers.

Beaumont dubbed the bug ‘FortiJump’ and said on Tuesday that nearly 60,000 FortiManager instances are exposed on the internet, with more than 13,200 in the U.S.

He noted that a threat actor exploiting the bug has been using another Fortinet vulnerability from February — CVE-2024-23113 — as an entry point before exploiting CVE-2024-47575 for wider access. CISA warned federal civilian agencies two weeks ago that the earlier bug was being exploited and gave them until October 30 to patch.

“From the FortiManager, you can then manage the legit downstream FortiGate firewalls, view config files, take credentials and alter configurations,” Beaumont said in a blog. “Because MSPs — Managed Service Providers — often use FortiManager, you can use this to enter internal networks downstream.”

Fortinet customers who spoke to Ars Technica and BleepingComputer expressed frustration with the company’s decision to wait weeks before publicly disclosing the bug, with several taking to Reddit to complain about being unaware of the issue.

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.