Investigating Mass Exploitation of a Fortinet FortiManager 0-Day Vulnerability That Lets Attackers Gain Root Access

In a joint investigation, Mandiant and Fortinet have disclosed a critical vulnerability in FortiManager, tracked as CVE-2024-47575 (Fortinet advisory FG-IR-24-423). The flaw, a missing authentication check in the FortiManager fgfmd daemon, allows an unauthenticated remote attacker to execute arbitrary commands on exposed FortiManager appliances and, from there, gain access to sensitive enterprise environments.

Details of the Exploitation

Mandiant’s investigation revealed a threat cluster, tracked as UNC5820, actively exploiting the vulnerability as early as June 27, 2024.

The attackers used compromised FortiManager devices to access and exfiltrate configuration data from managed FortiGate appliances. This data included detailed system configurations, user metadata, and FortiOS256-hashed passwords.

[Figure: Threat actor’s device added to the Global Objects database]

The information could enable attackers to compromise additional Fortinet devices, potentially escalating their access within enterprise networks.

The investigation discovered two key exploitation instances:

  1. On June 27, 2024, threat actors used inbound connections from IP address 45[.]32[.]41[.]202, triggering unauthorized file creation.
  2. On September 23, 2024, another inbound connection combined with outbound network traffic suggested further attempts to exfiltrate sensitive configuration files.

Despite the observed activity, there was no immediate evidence that the configuration data was used for lateral movement or deeper compromises. Mandiant emphasized that actor motivations and geographic origins remain unknown.

Technical Indicators and Findings

The exploit staged a Gzip-compressed archive at /tmp/.tm on the FortiManager containing the configuration data of managed FortiGates, pertinent logs, and device settings. Subsequent outbound traffic transmitted these files to attacker-controlled servers.

Among the indicators of compromise (IOC) identified:

  • Unauthorized devices listed in the FortiManager console.
  • Suspicious entries, such as rogue serial numbers and disposable email accounts, found in Fortinet system files.
  • Specific timestamps and network activity aligned with exploitation attempts (e.g., outbound traffic with packet sizes matching staged data).

Mandiant also observed artifacts from a “tunnel up” event, signaling potential command-and-control (C2) activity.

Fortinet and Mandiant have taken swift measures:

  • Google Cloud Threat Intelligence contacted affected customers, performed retroactive threat hunting, and developed detection rules to flag exploit attempts.
  • Fortinet’s Advisory provided early warnings and urged clients to implement preventative measures, such as restricting access to FortiManager portals and denying unauthorized FortiGate devices.

Mitigation Strategies

To mitigate the risk of exploitation, organizations are advised to:

  1. Restrict Access: Limit FortiManager admin portal access to approved IP addresses, and restrict which source addresses may reach the FGFM service (TCP/541) that FortiGate devices use to register.
  2. Deny Unknown Devices: Block unregistered FortiGate devices from associating with FortiManager; Fortinet’s advisory describes the fgfm-deny-unknown global setting for this, which is available on 7.0.12, 7.2.5 and 7.4.3 and later.
  3. Update Software: Upgrade to a fixed FortiManager release as listed in FG-IR-24-423 (7.6.1, 7.4.5, 7.2.8, 7.0.13, 6.4.15 or 6.2.13 and later). Note that 7.2.5, 7.0.12 and 7.4.3 are the minimum versions that support the workaround in step 2, not patched versions.
  4. Monitor Logs: Look for anomalies such as “Add device” or “Unregistered device” events, and “tunnel up” events for serial numbers you do not manage.

For identifying potential exploitation attempts, Mandiant released detection rules, including:

  • Suspicious FortiManager Inbound and Outbound Connections.
  • UNC5820 Exploitation Indicators, targeting HTTPS and non-HTTPS C2 activity.

Organizations utilizing FortiManager appliances should also examine FortiManager event logs for device serial numbers they do not manage, and baseline normal device-management operations so that unusual registrations and connections stand out.
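As an added example (not Mandiant’s published rules or any Fortinet tooling), the following Python script applies the checks above to FortiManager-style event logs: it flags device registrations whose serial number is outside a local allowlist, “tunnel up” events for unknown devices, and connections involving the UNC5820 addresses listed below, and it compares a file’s MD5 against the unreg_devices.txt indicator. The log lines are constructed and simplified, and the field names (sn, srcip, dstip, dstport, operation, msg) and the serial allowlist are assumptions to be mapped onto your own log export.

```python
"""Triage FortiManager event logs for the UNC5820 activity described above.

Added example, not Mandiant's or Fortinet's detection content. The sample
log lines are constructed and simplified; the field names used here
(sn, srcip, dstip, dstport, operation, msg) are assumptions.
"""
import hashlib
import re
from dataclasses import dataclass

# Network IOCs attributed to UNC5820 in the article.
UNC5820_IPS = {
    "45.32.41.202",
    "104.238.141.143",
    "158.247.199.37",
    "195.85.114.78",
}

# MD5 of the unreg_devices.txt artifact reported by Mandiant (lower-cased here).
UNREG_DEVICES_MD5 = "9dcfab171580b52deae8703157012674"

# Hypothetical allowlist: serial numbers of the FortiGates this FortiManager
# is supposed to manage. Anything registering outside this set is suspect.
KNOWN_SERIALS = {"FGT60FTK20000001", "FGT100FTK20000002"}

# FGFM, the FortiGate-to-FortiManager management protocol, listens on TCP/541.
FGFM_PORT = "541"

# Matches key=value and key="quoted value" tokens.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_log_line(line: str) -> dict:
    """Split one key=value log line into a dict (quoted values keep spaces)."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def analyze(lines, known_serials=KNOWN_SERIALS):
    """Return findings for rogue registrations, unknown tunnels and IOC traffic."""
    findings = []
    for line in lines:
        f = parse_log_line(line)
        msg = f.get("msg", "")
        sn = f.get("sn", "")
        srcip, dstip, dstport = f.get("srcip", ""), f.get("dstip", ""), f.get("dstport", "")

        # Rule 1: a device was added/registered and its serial is not one we manage.
        registration = f.get("operation") == "Add device" or "Unregistered device" in msg
        if registration and sn not in known_serials:
            findings.append(Finding("rogue_device_registration", f"sn={sn!r} msg={msg!r}"))

        # Rule 2: a management tunnel came up for a device we do not know.
        if "tunnel up" in msg.lower() and sn and sn not in known_serials:
            findings.append(Finding("unknown_device_tunnel_up", f"sn={sn!r}"))

        # Rule 3: any connection involving published UNC5820 infrastructure; the
        # FGFM port is called out because that is how a rogue device registers.
        if srcip in UNC5820_IPS or dstip in UNC5820_IPS:
            via = " (FGFM)" if dstport == FGFM_PORT else ""
            findings.append(Finding("unc5820_infrastructure", f"{srcip}->{dstip}:{dstport}{via}"))
    return findings


def matches_unreg_devices_artifact(data: bytes) -> bool:
    """True if these bytes hash to the unreg_devices.txt IOC from the report."""
    return hashlib.md5(data).hexdigest() == UNREG_DEVICES_MD5


# Constructed sample lines (not real FortiManager output): five events, three bad.
SAMPLE_LOGS = [
    'date=2024-06-20 type=event subtype=dvm operation="Add device" sn="FGT60FTK20000001" msg="Device add succeeded"',
    'date=2024-06-27 type=event subtype=dvm operation="Add device" sn="FMG-VMTMEXAMPLE1" msg="Unregistered device localhost add succeeded"',
    'date=2024-06-27 type=event subtype=fgfm sn="FMG-VMTMEXAMPLE1" msg="Device FMG-VMTMEXAMPLE1 tunnel up"',
    'date=2024-06-27 type=traffic srcip="45.32.41.202" dstip="10.0.0.5" dstport="541" msg="accept"',
    'date=2024-06-28 type=event subtype=fgfm sn="FGT100FTK20000002" msg="Device FGT100FTK20000002 tunnel up"',
]

if __name__ == "__main__":
    for hit in analyze(SAMPLE_LOGS):
        print(f"[{hit.rule}] {hit.detail}")
```

Run against the constructed sample, the first and last lines (a known serial being added and a known device’s tunnel coming up) produce nothing, while the rogue registration, its tunnel, and the inbound connection from 45.32.41.202 to TCP/541 each produce one finding. Extending KNOWN_SERIALS is how you tune the first two rules to your own estate; the third rule is purely indicator-based and should be paired with the Mandiant rules named above.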

Mandiant confirmed it will continue to update its findings as more details emerge. Companies using vulnerable FortiManager devices are urged to conduct immediate forensic investigations and bolster their cybersecurity defenses to prevent further exploitation.


Indicators of Compromise

Network-Based IOCs

IOC                Description
45.32.41.202       UNC5820
104.238.141.143    UNC5820
158.247.199.37     UNC5820
195.85.114.78      UNC5820

Host-Based IOCs

IOC                                 Description
.tm                                 Archive of config files (staged at /tmp/.tm)
9DCFAB171580B52DEAE8703157012674    MD5 hash of unreg_devices.txt
Author: Balaji, an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity and Co-Founder & Editor-in-Chief of Cyber Press Inc.
