Mandiant Says New Fortinet Flaw Has Been Exploited Since June
Summary:
A new vulnerability in Fortinet's FortiManager, known as "FortiJump" and tracked as CVE-2024-47575, has been actively exploited in zero-day attacks since June 2024. The flaw has affected over 50 servers and was first revealed in a report by Mandiant. The exploitation of this vulnerability had been rumored online after Fortinet issued a private notification to customers about the potential security risk and today, the company confirmed the details.
The vulnerability stems from a missing authentication mechanism in the FortiGate to FortiManager Protocol (FGFM) API, allowing attackers to execute unauthorized commands on FortiManager servers and the FortiGate devices they manage. The flaw enables threat actors to register attacker-controlled FortiManager and FortiGate devices with valid certificates to exposed FortiManager servers. Once registered, even in an unauthorized state, these devices can exploit the vulnerability to execute API commands, giving attackers access to configuration data, including detailed settings of the managed appliances and FortiOS256-hashed passwords of users. Fortinet has responded by releasing patches to fix the CVE-2024-47575 vulnerability. Additionally, the company provided mitigation strategies, such as allowing only specific IP addresses to connect and blocking unknown devices from registering using the CLI setting "set fgfm-deny-unknown enable".
According to Mandiant, a threat actor tracked as UNC5820 has been exploiting this vulnerability since June 27, 2024. In these attacks, UNC5820 exfiltrated configuration data from FortiGate devices managed by the compromised FortiManager systems, which included sensitive details like appliance configurations, user data, and FortiOS256-hashed passwords. This stolen data could potentially be used to compromise FortiManager devices further, allowing UNC5820 to move laterally to the connected FortiGate devices and target broader enterprise environments. The first attack observed by Mandiant originated from the IP address 45.32.41[.]202, where the threat actor registered an unauthorized FortiManager-VM to an exposed FortiManager server.
Security Officer Comments:
Mandiant analyzed the compromised device's memory and found no evidence of malicious payloads or system tampering. While the attackers did exfiltrate data, Mandiant noted that there have been no signs of UNC5820 using this data to spread laterally to other FortiGate devices or breach networks. The attackers' ultimate goal and location remain unclear, as there has been no follow-up activity since the initial attacks.
Suggested Corrections:
IOCs:
https://cloud.google.com/blog/topic...ro-day-exploitation-cve-2024-47575?e=48754805
Workaround available on FortiManager 7.2.5, 7.0.12, 7.4.3, and later (not a functional workaround on 7.6.0).
- Limit access to FortiManager admin portal for only approved internal IP addresses.
- Only allow permitted FortiGate addresses to communicate with FortiManager.
- Deny unknown FortiGate devices from being associated with FortiManager.
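The three corrections above, written out as FortiManager CLI configuration as an added illustration (this is not configuration from the article or from Fortinet's advisory). The "fgfm-deny-unknown" setting is the one the article names; the "trusthost", "local-in-policy" and TCP 541 details are assumptions about Fortinet's CLI and should be checked against the CLI reference for the installed version, and the 192.0.2.x addresses are placeholders.

```fortios
# Added example, not from the article. Placeholder addresses:
#   192.0.2.10 = admin workstation subnet, 192.0.2.20 = approved FortiGate.

# 1. Limit the admin portal to approved internal addresses.
#    (assumed syntax: per-admin trusted hosts)
config system admin user
    edit admin
        set trusthost1 192.0.2.0 255.255.255.0
    next
end

# 2. Only allow permitted FortiGate addresses to reach the FGFM listener.
#    (assumed syntax: local-in policy on the FGFM port, TCP 541)
config system local-in-policy
    edit 1
        set action accept
        set dport 541
        set src 192.0.2.20
    next
    edit 2
        set action deny
        set dport 541
    next
end

# 3. Deny unknown FortiGate devices from registering (the setting the
#    article cites; available on 7.0.12, 7.2.5, 7.4.3 and later,
#    not a functional workaround on 7.6.0).
config system global
    set fgfm-deny-unknown enable
end
```

The last setting is the mitigation the article and the linked Mandiant report point to for the unauthorized-registration path; the first two narrow exposure of the portal and FGFM service regardless of patch level.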
Link(s):
https://www.bleepingcomputer.com/ne...timanager-flaw-has-been-exploited-since-june/
https://cloud.google.com/blog/topic...ro-day-exploitation-cve-2024-47575?e=48754805