Mandiant: 'Mass Exploitation' of Fortinet FortiManager Vulnerability
Potential damage from exploitation could be significant.
A critical vulnerability in Fortinet’s FortiManager appliances has been exploited in zero day attacks.
FortiManager delivers centralized network security management for Fortinet firewalls, switches, wireless, SD-WAN infrastructure and endpoints from a single console.
According to Mandiant’s threat intelligence blog, it collaborated with Fortinet to investigate the mass exploitation of FortiManager appliances across more than 50 potentially compromised FortiManager devices in various industries. The vulnerability allows a threat actor to use an unauthorized, threat actor-controlled FortiManager device to execute arbitrary code or commands against vulnerable FortiManager devices.
“Mandiant observed a new threat cluster we now track as UNC5820 exploiting the FortiManager vulnerability as early as June 27, 2024,” it said. “UNC5820 staged and exfiltrated the configuration data of the FortiGate devices managed by the exploited FortiManager. This data contains detailed configuration information of the managed appliances, as well as the users and their FortiOS256-hashed passwords. This data could be used by UNC5820 to further compromise the FortiManager, move laterally to the managed Fortinet devices, and ultimately target the enterprise environment.”
Fortinet’s Response to Critical Vulnerability
Fortinet sent us the following statement:
"After identifying this vulnerability (CVE-2024-47575), Fortinet promptly communicated critical information and resources to customers. This is in line with our processes and best practices for responsible disclosure to enable customers to strengthen their security posture prior to an advisory being publicly released to a broader audience, including threat actors. We also have published a corresponding public advisory (FG-IR-24-423) reiterating mitigation guidance, including a workaround and patch updates. We urge customers to follow the guidance provided to implement the workarounds and fixes, and to continue tracking our advisory page for updates. We continue to coordinate with the appropriate international government agencies and industry threat organizations as part of our ongoing response."
According to Fortinet’s advisory, reports have shown this critical vulnerability to be exploited in the wild.
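The advisory's workaround (FG-IR-24-423) hardens the device-registration path the attack relies on by refusing registration from FortiGate serial numbers that are not already in FortiManager's device list. The fragment below is an added illustration for this article, not text from Fortinet's advisory; it assumes a FortiManager release whose CLI supports the `fgfm-deny-unknown` setting.

```text
# Weak (default) state: any device presenting itself over FGFM may attempt to register
config system global
    set fgfm-deny-unknown disable
end

# Hardened state from the advisory workaround: unknown serial numbers are refused
config system global
    set fgfm-deny-unknown enable
end
```

With the setting enabled, a legitimate new FortiGate must be added to the device list before it can connect, so plan onboarding accordingly and still apply the patch rather than relying on the workaround alone.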
John Bambenek, president of Bambenek Consulting, said because of the nature of how these network devices are used, often on the perimeter of networks, a clever attacker could use this to gain an initial foothold on a Fortinet device inside a corporate firewall, and then engage in lateral movement from there.
“The attack so far involved stealing information, primarily about internal network devices and credentials to access them,” he said. “This weekend would be a great time for MSPs and network administrators to upgrade these devices and absorb the outage that will be caused from rebooting them.”
Lateral Movement Into Other Attached Systems Possible
Tim Peck, senior threat researcher at Securonix, said the potential damage includes unauthorized access to managed devices, data theft and disruption of critical network operations.
“They could, in theory, move laterally into other attached systems, further embedding themselves to remain hidden,” he said. “Proactive measures like timely patching, network segmentation and monitoring for unusual activity will help mitigate the overall risk. These measures can also help with hardening against future vulnerabilities. Organizations using FortiManager should immediately apply the patch issued by Fortinet on Oct. 24. Also, as active exploitation could have occurred some time before the vulnerability disclosure, review access logs for suspicious activity, and ensure a robust incident response plan is in place.”
T. Frank Downs, senior director of proactive services at BlueVoyant, said these types of exploits are some of the most coveted by attackers as little to no action is required on the part of the victim for the attacker to gain remote access. Potential damage from this critical vulnerability is significant.
“As such, the severity of this type of vulnerability is rather significant and it is understandable why it has such a high common vulnerability scoring system (CVSS) score,” he said. “Large-scale exploitation could enable lateral movement to other managed devices, leading to widespread network disruption and data breaches. These actions, in turn, could allow attackers to exfiltrate sensitive data from FortiManager devices, including configurations and credentials."