Pierluigi Paganini October 24, 2024

The “FortiJump” flaw (CVE-2024-47575) has been exploited in zero-day attacks since June 2024, impacting over 50 servers, says Mandiant.

A new report published by Mandiant states that the recently disclosed Fortinet FortiManager flaw “FortiJump” CVE-2024-47575 (CVSS v4 score: 9.8) has been exploited since June 2024 in zero-day attacks on over 50 servers.

The vulnerability is a missing authentication issue in FortiManager and FortiManager Cloud versions, an attacker could execute arbitrary code or commands through specially crafted requests.

“A missing authentication for critical function vulnerability [CWE-306] in FortiManager fgfmd daemon may allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests.” reads the advisory published by Fortinet.

Fortinet confirmed that the vulnerability CVE-2024-47575 has been exploited in the wild

“Reports have shown this vulnerability to be exploited in the wild,” continues the advisory. “The identified actions of this attack in the wild have been to automate via a script the exfiltration of various files from the FortiManager which contained the IPs, credentials and configurations of the managed devices,” Fortinet added.

This week the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added FortiJump to its Known Exploited Vulnerabilities (KEV) catalog.

Mandiant now revealed that it has helped Fortinet in investigating attacks against FortiManager appliances.

“In October 2024, Mandiant collaborated with Fortinet to investigate the mass exploitation of FortiManager appliances across 50+ potentially compromised FortiManager devices in various industries.” reads the report published by Mandiant. “The vulnerability, CVE-2024-47575 / FG-IR-24-423, allows a threat actor to use an unauthorized, threat actor-controlled FortiManager device to execute arbitrary code or commands against vulnerable FortiManager devices.” 

Threat actors could exploit the vulnerability to register malicious FortiManager and FortiGate devices, execute API commands, and steal configuration data.

Mandiant spotted a new threat cluster, tracked as UNC5820, exploiting the FortiManager vulnerability as early as June 27, 2024. UNC5820 compromised FortiGate devices and exfiltrated the configuration data including the list of users and their FortiOS256-hashed passwords.

Threat actors could use the exfiltrated data to further compromise FortiManager, execute lateral movements, and establish a foothold in the target’s infrastructure.

“At this time, the data sources analyzed by Mandiant did not record the specific requests that the threat actor used to leverage the FortiManager vulnerability. Additionally, at this stage of our investigations there is no evidence that UNC5820 leveraged the obtained configuration data to move laterally and further compromise the environment.” continues the report. “As a result, at the time of publishing, we lack sufficient data to assess actor motivation or location. As additional information becomes available through our investigations, Mandiant will update this blog’s attribution assessment.”

Mandiant first observed an exploitation attempt on June 27, 2024, when multiple FortiManager devices received inbound connections from the IP address 45[.]32[.]41[.]202 on the default port TCP/541. The file system of these devices recorded the staging of various Fortinet configuration files in a Gzip-compressed archive named /tmp/.tm.

On September 23, 2024, Mandiant detected a second wave of attacks with similar indicators. In both cases, outbound traffic followed archive creation, with data sent slightly exceeding the archive size.

Mandiant analyzed the rootfs.gz file from the targeted device but found no malicious files linked to the exploitation. Google Cloud alerted impacted customers and implemented detection measures for future Fortinet exploit attempts.

Mandiant has not been able to determine the attackers’ motivation and has yet to attribute the campaign to a known threat actor.

Mandiant urges organizations that may have their FortiManager exposed to the internet to conduct a forensic investigation.

“at the time of publishing, we lack sufficient data to assess actor motivation or location. As additional information becomes available through our investigations, Mandiant will update this blog’s attribution assessment.” concludes Mandiant.

“Organizations that may have their FortiManager exposed to the internet should conduct a forensic investigation immediately.”

To mitigate the risks associated with the exploitation of this FortiManager vulnerability, several strategies can be implemented. First, restrict access to the FortiManager admin portal to approved internal IP addresses only. Ensure that only authorized FortiGate devices are permitted to communicate with FortiManager, while blocking any unknown FortiGate devices from connecting. This mitigation is available in FortiManager versions 7.2.5, 7.0.12, 7.4.3, and later. For configuration, the “fgfm-deny-unknown” setting must be enabled using the following command:

config system global
    set fgfm-deny-unknown enable
end

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Fortinet FortiManager flaw FortiJump)