‘Critical’ FortiManager Flaw Has Seen Exploitation Since June: Mandiant
The vulnerability—which has been exploited in attacks compromising more than 50 FortiManager devices, according to Mandiant researchers—was disclosed by Fortinet Wednesday.
A critical-severity FortiManager vulnerability publicly disclosed by Fortinet this week has been exploited in attacks dating back to late June, according to Mandiant researchers.
The attacks exploiting the flaw (tracked as CVE-2024-47575) have compromised more than 50 devices to date, the security researchers at Google Cloud-owned Mandiant said in a post.
Fortinet disclosed the vulnerability—which can enable remote execution of code by an unauthenticated threat actor—in an advisory Wednesday, stating that “reports have shown this vulnerability to be exploited in the wild.”
However, the cybersecurity vendor had privately warned customers about the FortiManager vulnerability beginning Oct. 13, according to a BleepingComputer report. The flaw’s existence was also discussed online prior to Fortinet’s advisory Wednesday, including by researcher Kevin Beaumont, who dubbed the flaw “FortiJump.”
Researchers at Mandiant said they believe the attacks can be traced back at least as far as June. “Mandiant’s earliest observed exploitation attempt occurred on June 27, 2024,” the researchers said in the post.
As of this month, Mandiant has been working with Fortinet “to investigate the mass exploitation of FortiManager appliances across 50+ potentially compromised FortiManager devices in various industries,” the researchers wrote.
Mandiant has attributed the attacks to a group tracked as UNC5820, though “at the time of publishing, we lack sufficient data to assess actor motivation or location,” the researchers wrote.
CRN reached out to Fortinet for comment Thursday.
On Wednesday, Fortinet said in a statement that after the vulnerability was identified, the vendor “promptly communicated critical information and resources to customers.”
This approach was “in line with our processes and best practices for responsible disclosure to enable customers to strengthen their security posture prior to an advisory being publicly released to a broader audience, including threat actors,” the company said in the statement Wednesday.
Fortinet added that it’s urging customers to “follow the guidance provided to implement the workarounds and fixes.”
The vulnerability has received a rating of “critical,” with a severity score of 9.8 out of 10.0. Fortinet has released fixes for the vulnerability in affected versions of FortiManager and FortiManager Cloud.
The “missing authentication for critical function vulnerability” can allow an attacker to execute code remotely using “specially crafted requests,” Fortinet said in its advisory.
Versions of FortiManager that are impacted by the issue include 6.2, 6.4, 7.0, 7.2, 7.4 and 7.6. The flaw also affects FortiManager Cloud 6.4, 7.0, 7.2 and 7.4, according to Fortinet.