Fortinet FortiManager Flaw ‘FortiJump’ Exploited in Zero-Day Attacks

October 24, 2024

A recently disclosed vulnerability in Fortinet's FortiManager, known as 'FortiJump' and identified as CVE-2024-47575, has been exploited in zero-day attacks since June 2024, impacting over 50 servers. This is according to a report by cybersecurity firm Mandiant. The flaw, which has a CVSS v4 score of 9.8, is a missing authentication issue that allows an attacker to execute arbitrary code or commands through specially crafted requests.

Fortinet has confirmed that the vulnerability has been exploited in the wild, with evidence showing the exfiltration of various files from the FortiManager containing IPs, credentials, and configurations of the managed devices. The exfiltration was automated via a script. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has subsequently added FortiJump to its Known Exploited Vulnerabilities (KEV) catalog.

Mandiant has assisted Fortinet in investigating these attacks against FortiManager appliances. In its report, Mandiant revealed that it has observed mass exploitation of FortiManager appliances across more than 50 devices in various industries. The vulnerability allows a threat actor to use an unauthorized, threat actor-controlled FortiManager device to execute arbitrary code or commands against vulnerable FortiManager devices.

Threat actors can exploit this vulnerability to register malicious FortiManager and FortiGate devices, execute API commands, and steal configuration data. Mandiant identified a new threat cluster, UNC5820, that has been exploiting the FortiManager vulnerability since at least June 27, 2024. UNC5820 has compromised FortiGate devices and exfiltrated the configuration data, including the list of users and their FortiOS256-hashed passwords. This data could be used to further compromise FortiManager, execute lateral movements, and establish a foothold in the target's infrastructure.

Despite this, Mandiant's current data sources have not recorded the specific requests that the threat actor used to leverage the FortiManager vulnerability. At this stage, there is no evidence that UNC5820 used the obtained configuration data to move laterally and further compromise the environment. As a result, the motivation or location of the actor remains unclear.

In response to these attacks, Google Cloud has alerted impacted customers and implemented detection measures for future Fortinet exploit attempts. Meanwhile, Mandiant encourages organizations that may have their FortiManager exposed to the internet to conduct a forensic investigation. To mitigate the risks associated with the exploitation of this FortiManager vulnerability, several strategies can be implemented, including restricting access to the FortiManager admin portal to approved internal IP addresses only and ensuring that only authorized FortiGate devices are permitted to communicate with FortiManager.
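The two mitigations named above (only approved internal addresses reaching FortiManager, and only known FortiGate devices registering with it) map to FortiManager CLI settings. The following is an added example written for this article, not configuration taken from Fortinet's advisory or from the Mandiant report; the IP range is a constructed placeholder, and the exact availability of each option depends on the FortiManager release, so the commands should be checked against the CLI reference for the version in use before being applied.

```text
# Added example: FortiManager CLI workarounds for the mitigations described above.
# Assumed: FortiManager release that supports local-in policies and fgfm-deny-unknown
# (verify for your version). 10.20.0.0/24 is a constructed placeholder for the
# management subnet where authorized FortiGate devices and admins live.

# 1. Refuse registration attempts from devices whose serial number FortiManager
#    does not already know. Caveat: this also blocks zero-touch provisioning of
#    brand-new devices until their serials are pre-added.
config system global
    set fgfm-deny-unknown enable
end

# 2. Local-in policy: accept FGFM (TCP/541) only from the approved subnet and
#    deny everything else. Order matters: the accept rule must come first.
config system local-in-policy
    edit 1
        set action accept
        set dport 541
        set src 10.20.0.0/24
    next
    edit 2
        set action deny
        set dport 541
    next
end
```

After applying these, a quick check is to confirm from an address outside the approved subnet that TCP/541 no longer answers, and to review the device list in FortiManager for any entries that are not in the organization's asset inventory, since a registration that succeeded before the change would still be present.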
