Critical Bug Exploited in Fortinet's Management Console
An attacker compromised one of Fortinet's most sensitive products and mopped up all kinds of reconnaissance data helpful for future mass device attacks.
October 24, 2024
An unknown threat actor has compromised Fortinet devices en masse across various industries, leaving no particular indication of what they plan to do next.
The campaign was enabled by a critical vulnerability, CVE-2024-47575, which the Cybersecurity and Infrastructure Security Agency (CISA) has just added to its Known Exploited Vulnerability (KEV) catalog. It affects Fortinet's FortiManager tool, the single, centralized console from which organizations can manage all their Fortinet brand firewalls, access points, application delivery controllers (ADCs), and email gateways. Up to 100,000 devices can be managed from a single FortiManager interface, making it an efficient tool for IT administration, and a spectacular launchpoint for cyberattacks.
According to Mandiant, a threat actor it now tracks as UNC5820 used CVE-2024-47575 to compromise more than 50 instances of FortiManager. Doing so enabled them to siphon off information about the various devices connected to those FortiManager instances, which could prove useful in follow-on attacks. To this point, however, no malicious follow-on activity has been observed.
A Critical Vulnerability in FortiManager
CVE-2024-47575 is a missing-authentication-for-critical-function flaw (CWE-306) in the fgfmd daemon, the service that handles the FortiGate-to-FortiManager (FGFM) protocol over which FortiManager talks to the devices it manages. Using specially crafted requests, a remote, unauthenticated attacker can exploit the missing authentication check to execute arbitrary code or commands on the FortiManager appliance itself. The centrality of the vulnerable daemon, combined with the severity of such an attack, has earned CVE-2024-47575 a "critical" 9.8 out of 10 score under the Common Vulnerability Scoring System (CVSS).
"These types of exploits are some of the most coveted by attackers as little to no action is required on the part of the victim for the attacker to gain remote access," notes T. Frank Downs, senior director of proactive services at BlueVoyant. "Large-scale exploitation could enable lateral movement to other managed devices, leading to widespread network disruption and data breaches. These actions, in turn, could allow attackers to exfiltrate sensitive data from FortiManager devices, including configurations and credentials."
The unidentified threat actor UNC5820 has already shown the first half of what CVE-2024-47575 makes possible. Beginning June 27, UNC5820 connected to multiple Fortinet devices from an IP address in Japan. Shortly after each connection, a set of sensitive files was collected into a single archive: the targeted FortiManager's build, version, and branch data, configuration files for the FortiGate devices it managed, hashed passwords, and more.
Researchers identified another exploitation attempt in September, during which the attacker managed to register their own, unauthorized Fortinet device to the targeted FortiManager console.
All of this data would be useful for learning the target's environment and laying the groundwork for a damaging follow-on attack. "The potential damage from this vulnerability is significant, as it allows attackers to remotely execute code and access sensitive data without authentication, leading to data breaches, network disruptions, and unauthorized access to critical systems," Downs says. And yet, Mandiant has not observed evidence of any such attacks to date.
What to Do Now
To exploit CVE-2024-47575 in the first place, UNC5820 needed network reachability to the FGFM service on an organization's FortiManager, which listens on TCP port 541. Thus, only instances whose FGFM port is reachable from the Internet are likely to have been targeted; the vulnerability itself is no less present on internal-only deployments, so they still need the fix.
For organizations with exposed FortiManager instances, Mandiant recommends immediate, thorough forensic investigation, and restricting FortiManager access to known devices and source IPs. Fortinet's FortiGuard Labs has also published further remediation recommendations on its blog, including workarounds for cases in which an upgrade to the fixed software version is not immediately possible.
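The two workarounds from Fortinet's advisory, written out here in FortiManager CLI syntax as an added illustration rather than text taken from this article or from Fortinet's published guidance: the first refuses FGFM registration attempts from serial numbers not already in the device list, the second allows the FGFM port (TCP/541) only from an allowlisted range and denies everything else. The commands follow the advisory's workarounds as this editor recalls them, the address range 203.0.113.0/24 is a placeholder, and availability of each option depends on the FortiManager release, so treat FG-IR-24-423 as authoritative for the exact commands and versions.

```text
# Workaround 1: reject FGFM registration attempts from devices that are
# not already in FortiManager's device list (supported releases only;
# see FG-IR-24-423).
# Caveat: a newly deployed FortiGate whose serial number has not yet
# been added will also be refused until an administrator adds it.
config system global
    set fgfm-deny-unknown enable
end

# Workaround 2: local-in policy that accepts FGFM (TCP/541) only from
# known FortiGate source addresses and denies every other source.
# 203.0.113.0/24 is a placeholder; replace with the real managed-device
# ranges, one accept entry per range, keeping the deny entry last.
config system local-in-policy
    edit 1
        set action accept
        set dport 541
        set src 203.0.113.0/24
    next
    edit 2
        set action deny
        set dport 541
    next
end
```

The local-in policy is the stronger of the two because it drops unauthenticated connections before fgfmd parses them, while fgfm-deny-unknown still lets unknown hosts reach the daemon; applying both is reasonable. Either control can break onboarding of devices not yet in inventory, so after applying them confirm that every legitimate FortiGate still checks in, and remember that neither replaces the patch.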
In response to a request for comment from Dark Reading, Fortinet offered the following statement:
"After identifying this vulnerability (CVE-2024-47575), Fortinet promptly communicated critical information and resources to customers. This is in line with our processes and best practices for responsible disclosure to enable customers to strengthen their security posture prior to an advisory being publicly released to a broader audience, including threat actors. We also have published a corresponding public advisory (FG-IR-24-423) reiterating mitigation guidance, including a workaround and patch updates. We urge customers to follow the guidance provided to implement the workarounds and fixes and to continue tracking our advisory page for updates. We continue to coordinate with the appropriate international government agencies and industry threat organizations as part of our ongoing response."