I. Targeted Entities

  • Fortinet FortiManager Customer
  • Managed Service Providers

II. Introduction

A critical vulnerability has been identified in Fortinet’s FortiManager platform, a centralized management solution for Fortinet security products. This vulnerability, tracked as CVE-2024-47575, allows for remote code execution (RCE) by unauthorized attackers. The exploitation of this vulnerability is currently active in the wild, posing a significant threat to affected organizations. If successfully exploited, attackers could gain access to critical systems, install malicious programs, and manipulate sensitive data. Fortinet and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have issued advisories urging organizations to take immediate action by applying the latest patches to mitigate risks.

FortiManager is widely deployed across sectors, including government, telecommunications, financial services, and healthcare, making this vulnerability particularly concerning. Given the increasing sophistication of cyberattacks, unpatched systems present a high risk, allowing attackers to potentially escalate privileges and compromise network infrastructures.

III. Additional Background Information

In October 2024, a critical vulnerability was discovered in Fortinet’s FortiManager, a network management solution widely used to centrally configure and monitor Fortinet devices. This vulnerability, tracked as CVE-2024-47575, exploits a missing authentication mechanism in the fgfmd daemon, allowing attackers to execute arbitrary code remotely without valid credentials. Fortinet and CISA have confirmed that malicious actors are actively targeting both on-premises and cloud-based instances of FortiManager through specially crafted requests, leveraging this flaw to compromise network environments.

The exploit is aligned with tactics defined in the MITRE ATT&CK framework, specifically T1190 – Exploit Public-Facing Application, indicating that adversaries are using exposed FortiManager instances as initial access points. Once inside, attackers can install backdoors, modify security configurations, and delete or manipulate data, depending on the privileges of the compromised service accounts. Higher-privileged accounts can allow attackers to escalate their control leading to significant disruptions.

Previous incidents involving vulnerabilities in network appliances highlight the severity of such attacks. FortiManager’s broad adoption across multiple critical infrastructures and industries make it an attractive target. Unpatched instances are especially vulnerable to this exploit. Additionally, this vulnerability exposes connected Fortinet devices, allowing attackers to disable firewalls or VPNs and undermine network defenses.

Organizations are strongly advised to apply the latest patches immediately, perform vulnerability assessments, and monitor for indicators of compromise (IoC). Fortinet has released mitigation guidelines, emphasizing the importance of updating software, segmenting networks, and limiting administrative access to prevent further exploitation. Failure to act could result in severe operational disruptions and data breaches, particularly for critical infrastructure providers and enterprises that rely heavily on Fortinet’s security infrastructure.

IV. MITRE ATT&CK

  • T1190 – Exploit Public-Facing Application
    Attackers exploit the public-facing FortiManager application via a missing authentication flaw. This vulnerability allows unauthorized attackers to execute arbitrary code on FortiManager by sending specially crafted requests, gaining initial access to the system and enabling control over FortiGate devices connected to the network.
  • T1078 – Valid Accounts
    The threat actors leverage valid certificates on unauthorized FortiManager and FortiGate devices, allowing them to register these devices on exposed FortiManager instances. By mimicking legitimate access, the attackers avoid raising immediate security alerts and maintain a low profile for further exploitation and lateral movement within the network.
  • T1036 – Masquerading
    Attackers register rogue FortiManager devices under misleading names (e.g., “localhost”) and legitimate-seeming serial numbers (e.g., FMG-VMTM23017412). This technique helps obscure threat actor activity within FortiManager logs and console, allowing the attacker’s device to appear as if it is part of the legitimate infrastructure.
  • T1041 – Exfiltration Over C2 Channel
    Exfiltration of FortiManager and FortiGate configuration files occurs over encrypted Command and Control (C2) channels, leveraging HTTPS to avoid detection by security tools. The threat actor UNC5820 has been observed using specific IP addresses to exfiltrate compressed files containing sensitive configuration information, user credentials, and device data.
  • T1587.003 – Develop Capabilities: Digital Certificates
    Attackers leverage valid digital certificates on FortiManager and FortiGate devices to masquerade malicious activities as legitimate. With these certificates, unauthorized devices can connect to FortiManager, bypassing certain security configurations and enabling persistent access to compromised networks.
  • T1562.001 – Impair Defenses: Disable or Modify Tools
    Attackers modify FortiManager configuration to evade detection. By using commands such as fgfm-deny-unknown, attackers can prevent detection of unauthorized devices. This adjustment allows attackers to sustain their unauthorized access, mitigating the chances of detection during ongoing operations.
  • T1027 – Obfuscated Files or Information
    Attackers use gzip compression on the /tmp/.tm archive, which stores exfiltrated configuration data, to obfuscate and minimize visibility of extracted data. This technique reduces the file’s detection footprint, making it harder to identify during data exfiltration stages.
  • T1040 – Network Sniffing
    While not directly observed in this incident, the configuration data exfiltrated includes sensitive details like IPs and credentials. This could indicate an intention to use network sniffing techniques or other credential-monitoring tactics to further penetrate or maintain persistence in the target network.

V. Immediate Recommendations

  • Install Security Updates:
    • Fortinet has solved CVE-2024-47575 with fixes. To address the found security flaw and reduce the risk of active exploitation, organizations should give top priority to installing these updates on all FortiManager instances, including on-premises and cloud-based.
  • Monitor for Compromise Indicators (IoCs):
    • Check network traffic and system logs often for known IoCs linked to this attack, such as file paths, flagged IP addresses, MD5 hash values, and log entries that might point to exploitation (see to the IoCs section for references). To improve detection capabilities, incorporate these IoCs into your SIEM or IDS/IPS.
  • Establish an Incident Response Plan:
    • Create or revise an incident response plan that includes steps for handling FortiManager vulnerability exploitation. Make sure your reaction team is equipped and trained to deal with any possible Fortinet system breaches.
  • Isolate Compromised Systems:
    • Isolate compromised systems right away to stop additional access or harm if any indications of compromise are found. Notify the affected parties and carry out a comprehensive investigation, eliminating any malware or backdoors.

VI. IOCs (Indicators of Compromise)

Type Indicator
IP

45.32.41[.]202 
IP

195.85.114[.]78 
IP

104.238.141[.]143 
IP 158.247.199[.]37 
IP 45.32.63[.]2 
File /tmp/.tm 
File /var/tmp/.tm 
MD5 Hash of unreg_devices.txt  9DCFAB171580B52DEAE8703157012674 
Email address 0qsc137p[@]justdefinition.com 
Log Entry type=event,subtype=dvm,pri=information,desc=”Device,manager,generic,information,log”,user=”device,…“,msg=”Unregistered device localhost add succeeded” device=”localhost” adom=”FortiManagersession_id=0 operation=”Add device” performed_on=”localhost” changes=”Unregistered device localhost add succeeded” 
Log Entry type=event,subtype=dvm,pri=notice,desc=”Device,Manager,dvm,log,at,notice,level”,user=”System”,userfrom=”“,msg=”” adom=”root” session_id=0 operation=”Modify device” performed_on=”localhost” changes=”Edited device settings (SN FMG-VMTM23017412)” 
String revealing exploitation activity in /log/locallog/elog  msg=”Unregistered device localhost add succeeded” 
String revealing exploitation activity in /log/locallog/elog  changes=”Edited device settings (SN FMG-VMTM23017412)” 
String revealing exploitation activity in /log/locallog/elog  changes=”Added unregistered device to unregistered table. 

VII. References

The Channel CO, CRM (October 24, 2024) 5 Things To Know On The Fortinet FortiManager Attacks  https://www.crn.com/news/security/2024/5-things-to-know-on-the-fortinet-fortimanager-attacks
 

Bleeping Computer (October 23, 2024) Fortinet warns of new critical FortiManager flaw used in zero-day attacks
https://www.bleepingcomputer.com/news/security/fortinet-warns-of-new-critical-fortimanager-flaw-used-in-zero-day-attacks/ 

Google Cloud (October 23, 2024) Investigating FortiManager Zero-Day Exploitation (CVE-2024-47575) https://cloud.google.com/blog/topics/threat-intelligence/fortimanager-zero-day-exploitation-cve-2024-47575 

 New York State (October 23, 2024) A Vulnerability in Fortinet FortiManager Could Allow for Remote Code Execution https://its.ny.gov/2024-120 

 Bleeping Computer (October 24, 2024) Mandiant says new Fortinet flaw has been exploited since June https://www.bleepingcomputer.com/news/security/mandiant-says-new-fortinet-fortimanager-flaw-has-been-exploited-since-june/ 

 CVE (October 23, 2024) CVE-2024-47575 https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CVE-2024-47575 

 Fortigaurd (October 17, 2024) Missing authentication in fgfmsd https://www.fortiguard.com/psirt/FG-IR-24-423 

 MS-ISAC (October 23, 2024) A Vulnerability in Fortinet FortiManager Could Allow for Remote Code Execution https://learn.cisecurity.org/webmail/799323/2307481671/eb748002d95238b2d31f1dc45b527f271478b2fb5b4d5ee93eb20f05d2825fce

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Yousef Blassy, Uday Bilakhiya, Thiago Pagliaroni, and Kayla Walker.