FortiManager Vulnerability CVE-2024-47575 Under Active Exploitation by UNC5820 Threat Group

Fortinet has disclosed an actively exploited critical vulnerability, CVE-2024-47575, impacting FortiManager and FortiAnalyzer devices, which has been attributed to threat cluster UNC5820. This flaw, labeled FortiJump, enables remote unauthenticated attackers to execute arbitrary code on compromised systems, allowing for data exfiltration and potential lateral movement across enterprise networks. The U.S. CISA has flagged this vulnerability for immediate federal agency action, urging rapid patching to prevent unauthorized access and data theft.

  • Critical Security Flaw Identified: Fortinet disclosed CVE-2024-47575, dubbed FortiJump, with a CVSS score of 9.8, allowing attackers to execute arbitrary code remotely.
  • Active Exploitation in the Wild: The vulnerability is under active exploitation by UNC5820, a new threat cluster identified by Mandiant, targeting FortiManager for data exfiltration.
  • Exploitation via FortiGate-FortiManager Protocol (FGFM): The vulnerability affects FortiManager and FortiAnalyzer versions 7.x, 6.x, and associated FortiManager Cloud models, especially where the fgfm protocol is enabled.
  • Workarounds and Mitigations: Fortinet provides three workarounds depending on the FortiManager version, including device allow-listing, local-in policies, and custom certificates.
  • Data Exfiltration Through Automated Scripts: Attackers automate exfiltration, focusing on managed devices’ configurations, IPs, and credentials, increasing exposure risks.
  • U.S. CISA Response: CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies to implement fixes by November 13, 2024.
  • Exposed Admin Portals: Approximately 4,081 FortiManager admin portals remain exposed online, with a high concentration in the U.S., highlighting increased vulnerability exposure.
  • Immediate Action Required: Fortinet advises all users to apply patches and monitor for suspicious access to strengthen their security posture against potential unauthorized entry.

The CVE-2024-47575 vulnerability within FortiManager devices is being exploited to exfiltrate sensitive data from enterprise networks, with attacks linked to the UNC5820 group. Fortinet and CISA have urged organizations to apply the latest patch and review system access logs for any signs of suspicious activity. Strengthening cybersecurity defenses with Net Protector’s Endpoint Security Tools can help prevent unauthorized access and bolster defenses against evolving threats.