In a joint investigation, Mandiant and Fortinet have disclosed a critical vulnerability in FortiManager, tracked as CVE-2024-47575 (Fortinet advisory FG-IR-24-423), that is being exploited in the wild. It allows a remote, unauthenticated attacker to execute unauthorized commands on FortiManager appliances and, from there, to reach the sensitive enterprise environments those appliances manage.
Details of the Exploitation
Mandiant’s investigation revealed a threat cluster, tagged UNC5820, actively exploiting the vulnerability as early as June 27, 2024.
The attackers used compromised FortiManager devices to access and exfiltrate configuration data from managed FortiGate appliances. This data included detailed system configurations, user metadata, and FortiOS256-hashed passwords.
The information could enable attackers to compromise additional Fortinet devices, potentially escalating their access within enterprise networks.
The investigation discovered two key exploitation instances:
- On June 27, 2024, threat actors used inbound connections from IP address 45[.]32[.]41[.]202, triggering unauthorized file creation.
- On September 23, 2024, another inbound connection combined with outbound network traffic suggested further attempts to exfiltrate sensitive configuration files.
Despite the observed activity, there was no immediate evidence that the configuration data was used for lateral movement or deeper compromises. Mandiant emphasized that actor motivations and geographic origins remain unknown.
Technical Indicators and Findings
Exploitation allowed the attackers to stage a Gzip-compressed archive at /tmp/.tm containing configuration data from the managed FortiGate devices, relevant logs, and device settings. Subsequent outbound traffic transmitted these files to attacker-controlled servers.
Among the indicators of compromise (IOC) identified:
- Unauthorized devices listed in the FortiManager console.
- Suspicious entries, such as rogue serial numbers and disposable email accounts, found in Fortinet system files.
- Specific timestamps and network activity aligned with exploitation attempts (e.g., outbound traffic with packet sizes matching staged data).
Mandiant also observed artifacts from a “tunnel up” event, signaling potential command-and-control (C2) activity.
Fortinet and Mandiant have taken swift measures:
- Google Cloud Threat Intelligence contacted affected customers, performed retroactive threat hunting, and developed detection rules to flag exploit attempts.
- Fortinet’s Advisory provided early warnings and urged clients to implement preventative measures, such as restricting access to FortiManager portals and denying unauthorized FortiGate devices.
Mitigation Strategies
To mitigate the risk of exploitation, organizations are advised to:
- Restrict Access: Limit connections to the FortiManager admin portal and to the FGFM service (TCP port 541) to approved IP addresses, for example with a local-in policy.
- Deny Unknown Devices: Block unregistered FortiGate devices from associating with FortiManager (config system global, set fgfm-deny-unknown enable).
- Update Software: Upgrade to a fixed FortiManager release as listed in advisory FG-IR-24-423. Versions 7.2.5, 7.0.12 and 7.4.3 (or later) are the minimum builds on which the fgfm-deny-unknown workaround is available, not patched releases.
- Monitor Logs: Look for anomalies like “Add device” or “Unregistered device” activity.
For identifying potential exploitation attempts, Mandiant released detection rules, including:
- Suspicious FortiManager Inbound and Outbound Connections.
- UNC5820 Exploitation Indicators, targeting HTTPS and non-HTTPS C2 activity.
Organizations running FortiManager appliances should also examine FortiManager logs for unknown device IDs and serial numbers, and establish a baseline of normal device-management operations so that unusual activity stands out.
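The log review described above (watching for "Add device" and "Unregistered device" events, and matching peer addresses against the UNC5820 infrastructure listed in the IOC table further down) can be scripted. The following Python hunt is an added example written for this page, not a Mandiant detection rule or Fortinet tooling. The sample log lines are constructed to mimic Fortinet's key=value log format; the field names srcip, dstip and remoteip are assumed and should be checked against your own log schema before use.

```python
import re
from typing import Dict, List, Tuple

# Network IOCs from this article's "Network-Based IOCs" table (UNC5820).
UNC5820_IPS = frozenset({
    "45.32.41.202",
    "104.238.141.143",
    "158.247.199.37",
    "195.85.114.78",
})

# Device-manager log messages the Mitigation section says to watch for.
SUSPICIOUS_MSG_FRAGMENTS = ("Add device", "Unregistered device")

# Field names that may carry a peer address in a key=value log line
# (assumed for this example; verify against your own log schema).
IP_FIELDS = ("srcip", "dstip", "remoteip")

# Matches key=value and key="quoted value" tokens.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_kv_log(line: str) -> Dict[str, str]:
    """Parse a Fortinet-style key=value log line into a dict, stripping quotes."""
    fields: Dict[str, str] = {}
    for key, val in _KV_RE.findall(line):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        fields[key] = val
    return fields


def classify(line: str) -> List[str]:
    """Return the reasons (possibly none) a log line matches the hunting criteria."""
    fields = parse_kv_log(line)
    reasons: List[str] = []
    # Criterion 1: any peer address belongs to the published UNC5820 set.
    for name in IP_FIELDS:
        ip = fields.get(name)
        if ip in UNC5820_IPS:
            reasons.append(f"{name}={ip} is a known UNC5820 address")
    # Criterion 2: device-registration messages called out in the mitigation advice.
    msg = fields.get("msg", "").lower()
    for fragment in SUSPICIOUS_MSG_FRAGMENTS:
        if fragment.lower() in msg:
            reasons.append(f'msg contains "{fragment}"')
    return reasons


def hunt(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Return (line_number, reasons) for every line matching at least one criterion."""
    hits: List[Tuple[int, List[str]]] = []
    for number, line in enumerate(lines, start=1):
        reasons = classify(line)
        if reasons:
            hits.append((number, reasons))
    return hits


# Constructed sample lines: the layout mimics Fortinet key=value logs, but the
# events, internal hosts and device names are invented for this example.
SAMPLE_LOG = [
    'date=2024-06-27 time=10:15:02 type=event subtype=system level=notice user="admin" remoteip=10.0.5.21 msg="User admin logged in via GUI"',
    'date=2024-06-27 time=10:20:44 type=event subtype=dvm level=notice srcip=45.32.41.202 msg="Unregistered device localhost add succeeded"',
    'date=2024-09-23 time=02:11:09 type=event subtype=dvm level=notice user="admin" remoteip=10.0.5.21 msg="Add device FGT-BRANCH-01 succeeded"',
    'date=2024-09-23 time=02:13:30 type=traffic subtype=forward srcip=192.168.1.10 dstip=104.238.141.143 dstport=443 sentbyte=4219887',
]

if __name__ == "__main__":
    for number, reasons in hunt(SAMPLE_LOG):
        print(f"line {number}: " + "; ".join(reasons))
```

A line that matches only the "Add device" message (line 3 in the sample) is not proof of compromise; legitimate administrators add devices too. Treat the message criterion as a triage queue and the IOC-address criterion as a high-confidence signal, and extend SUSPICIOUS_MSG_FRAGMENTS with the rogue serial numbers or device IDs found during your own investigation.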
Mandiant confirmed it will continue to update its findings as more details emerge. Companies using vulnerable FortiManager devices are urged to conduct immediate forensic investigations and bolster their cybersecurity defenses to prevent further exploitation.
Indicators of Compromise
Network-Based IOCs
IOC | Description
--- | ---
45.32.41.202 | UNC5820 infrastructure
104.238.141.143 | UNC5820 infrastructure
158.247.199.37 | UNC5820 infrastructure
195.85.114.78 | UNC5820 infrastructure
Host-Based IOCs
IOC | Description
--- | ---
/tmp/.tm | Gzip archive of staged configuration files
9DCFAB171580B52DEAE8703157012674 | MD5 hash of unreg_devices.txt