A newly disclosed vulnerability in FortiManager, Fortinet's centralized management platform for FortiGate firewalls, has been actively exploited since June of this year, according to a recent report from security specialists at Google subsidiary Mandiant.
The flaw, tracked as CVE-2024-47575 and nicknamed 'FortiJump', was not publicly known until yesterday. Mandiant attributes the zero-day attacks to a threat cluster it tracks as UNC5820 and has so far identified more than fifty potentially compromised FortiManager servers.
Fortinet published its advisory only after reports of an actively exploited FortiManager flaw had been circulating for several days; those reports stemmed from an 'advance notification' Fortinet had sent privately to selected customers before the public disclosure.
Details of CVE-2024-47575
FortiJump is a missing-authentication flaw in the fgfmd daemon, which implements the FortiGate to FortiManager (FGFM) protocol. It lets an unauthenticated remote attacker who can reach the FGFM port (TCP 541) execute arbitrary code or commands on the FortiManager server, and from there reach the FortiGate devices it manages.
To exploit it, the attacker uses a FortiManager or FortiGate device under their control that carries a valid Fortinet device certificate (a certificate from any owned or compromised Fortinet appliance will do) to register with any FortiManager whose FGFM port is exposed; by default, FortiManager accepts registration requests from devices it does not yet know.
Once the rogue device is connected, the attacker can run API commands on the FortiManager and exfiltrate the configuration data of every FortiGate it manages.
Unpatched for four months
Fortinet has since released patches and workarounds, but the flaw went unnoticed and was abused for roughly four months: Mandiant found that UNC5820 had been exploiting it against FortiManager installations since June 27 of this year, exfiltrating configuration data.
The stolen data included not only the detailed configuration of the managed appliances but also their user accounts and FortiOS256-hashed passwords, material that could let the attackers move laterally to the managed FortiGate devices and deeper into victims' networks. Mandiant notes, however, that at this stage of its investigation it has seen no evidence of UNC5820 using the stolen data for such follow-on intrusions.
Fortinet's advisory pairs the patches with workarounds (on supported versions, the fgfm-deny-unknown setting blocks registration attempts from devices with unknown serial numbers, and local-in policies can restrict FGFM access to the addresses of known FortiGates), recovery guidance and indicators of compromise (IOCs), including the IP addresses used by the attackers and the log entries a rogue device registration leaves behind, so that customers can check whether their FortiManager servers were compromised.
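As an added illustration of how those IOCs translate into a check (this is example code written for this article, not Fortinet's or Mandiant's tooling): the script below parses FortiManager event-log lines in their key=value format and flags the two things the advisory tells defenders to look for, a device-manager entry in which a device literally named "localhost" is added or edited (the trace a rogue FGFM registration leaves), and any field containing a listed attacker address. The attacker IP set is a placeholder in the RFC 5737 documentation range and must be replaced with the list from Fortinet's advisory; the sample log lines are constructed to mimic the FortiManager format and are not captured from a real incident.

```python
"""Triage FortiManager event-log lines for CVE-2024-47575 indicators.

Added example, not vendor code. SUSPECT_IPS and SAMPLE_LOGS are constructed placeholders.
"""
import re
from typing import Dict, Iterable, List

# One key=value pair; quoted values may contain commas and spaces.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^,\s]+)')
_IPV4 = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')

# Placeholder addresses (RFC 5737 documentation range). Replace with the attacker
# IP list published in Fortinet's advisory before running this against real logs.
SUSPECT_IPS = {"203.0.113.10", "203.0.113.11"}

# A rogue device registering through FGFM appears in the device-manager (dvm) log as an
# "Add device" / "Edit device" operation on a device named "localhost"; a legitimately
# managed FortiGate carries its own hostname in this field.
ROGUE_DEVICE_NAME = "localhost"


def parse_fmg_log(line: str) -> Dict[str, str]:
    """Split one FortiManager event line into a dict, stripping surrounding quotes."""
    fields: Dict[str, str] = {}
    for key, raw in _KV.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def classify(fields: Dict[str, str]) -> List[str]:
    """Return zero or more indicator tags for a parsed line."""
    tags: List[str] = []
    if fields.get("subtype") == "dvm" and fields.get("device") == ROGUE_DEVICE_NAME:
        operation = fields.get("operation", "")
        if operation == "Add device":
            tags.append("rogue-device-registration")
        elif operation == "Edit device":
            tags.append("rogue-device-edit")
    # Scan every value rather than assuming a field name: the address may sit in
    # a dedicated field or be embedded in a free-text message.
    seen = set()
    for value in fields.values():
        for ip in _IPV4.findall(value):
            if ip in SUSPECT_IPS and ip not in seen:
                seen.add(ip)
                tags.append(f"suspect-ip:{ip}")
    return tags


def scan(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return only the lines that matched, with 1-based line numbers and their tags."""
    hits: List[Dict[str, object]] = []
    for number, line in enumerate(lines, start=1):
        tags = classify(parse_fmg_log(line))
        if tags:
            hits.append({"line": number, "tags": tags, "raw": line})
    return hits


# Constructed sample lines in the FortiManager event format (not real captures).
SAMPLE_LOGS = [
    'type=event,subtype=dvm,pri=notice,desc="Device,manager,generic,information,log",'
    'user="device,...",msg="Unregistered device localhost add succeeded" device="localhost" '
    'adom="FortiManager" session_id=0 operation="Add device" performed_on="localhost" '
    'changes="Unregistered device localhost add succeeded"',
    'type=event,subtype=dvm,pri=notice,desc="Device,manager,generic,information,log",'
    'user="device,...",msg="Edit device (localhost)" device="localhost" adom="FortiManager" '
    'session_id=0 operation="Edit device" performed_on="localhost" changes="Edit device (localhost)"',
    'type=event,subtype=dvm,pri=notice,desc="Device,manager,generic,information,log",'
    'user="admin",msg="Edit device (branch-fw-01)" device="branch-fw-01" adom="root" '
    'session_id=1234 operation="Edit device" performed_on="branch-fw-01" changes="Edit device (branch-fw-01)"',
    'type=event,subtype=system,pri=information,desc="System,information,log",user="admin",'
    'msg="Administrator admin logged in successfully from 203.0.113.10" srcip=203.0.113.10',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"line {hit['line']}: {', '.join(hit['tags'])}")
```

Run against an exported FortiManager event log (one entry per line); a hit on the "localhost" device tags means the device-manager database should be inspected for unknown serial numbers and the server treated as potentially compromised, following the recovery steps in the vendor advisory rather than simply deleting the rogue entry.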