Cybersecurity researchers are advising that a zero-day vulnerability in Fortinet's FortiManager has been actively exploited by a threat actor known as UNC5820 since June 2024.
The flaw, designated CVE-2024-47575 and since dubbed "FortiJump," enabled UNC5820 to execute arbitrary commands on FortiManager servers and devices through the FortiGate to FortiManager (FGFM) protocol API, resulting in the exfiltration of sensitive configuration data from over 50 servers.
UNC5820 exploited FortiJump mainly to target government and critical infrastructure sectors. The group's activity focused on gaining initial access and then stealing configuration data; fortunately, it did not appear to pursue further intrusion activity or ransomware deployment.
Rumors of an actively exploited zero-day vulnerability in FortiManager have been circulating online for over a week as various Fortinet customers received private security advisories.
On October 23, 2024, Fortinet officially disclosed the vulnerability and recommended that impacted users immediately upgrade to a fixed version and implement enhanced monitoring to prevent further unauthorized access, especially on systems linked to critical operations.
Source: Bleeping Computer
Analysis
Fortinet devices have a long history of being plagued with vulnerabilities, many of which are exploited as zero-days.
Earlier this month, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that threat actors were actively exploiting a critical vulnerability in several Fortinet devices, which was previously disclosed and patched in February 2024.
In June 2024, the Dutch Military Intelligence and Security Service (MIVD) advised that a China-linked threat actor leveraged another critical FortiOS RCE vulnerability, designated CVE-2022-42475, to compromise 20,000 FortiGate network security appliances with malware between 2022 and 2023.
The widespread deployment of Fortinet devices, coupled with the frequent discovery of vulnerabilities within them, makes them an attractive target for nation-state threat actors and cybercriminals alike. This is unlikely to change unless Fortinet significantly enhances its code review and proactive vulnerability discovery practices, along the lines of the program implemented earlier this year by IT software company Ivanti.
Mitigation
Field Effect’s Security Intelligence professionals constantly monitor the cyber threat landscape for vulnerabilities discovered in devices and software, including those developed by Fortinet. Field Effect MDR users are automatically notified if a vulnerable version of Fortinet software or a vulnerable device is detected in their environment, and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.
Field Effect strongly recommends that impacted users install the patch as soon as possible, in accordance with Fortinet’s original advisory.
Since Fortinet devices and software are popular targets for threat actors, organizations that use Fortinet products should pay particular attention to ensure they are kept up to date to avoid compromise.
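Keeping a fleet of FortiManager instances current starts with knowing which ones are still below the fixed build for their own release branch. The script below is an added example, not Field Effect's or Fortinet's code: it parses version strings from a constructed inventory and flags each device as patched, vulnerable, or on a branch with no listed fix. The per-branch thresholds in `FIXED_BY_BRANCH` are placeholders (and `assess`, `triage` and the sample inventory are hypothetical); replace them with the fixed versions from Fortinet's advisory before use. The branch-aware comparison is the point: a 7.2.x device is not fixed simply because a patched 7.4.x release exists.

```python
"""Flag FortiManager inventory entries running below a per-branch fixed version.

Added example, not Field Effect's or Fortinet's code. The thresholds in
FIXED_BY_BRANCH are PLACEHOLDERS: fill them from Fortinet's advisory for
CVE-2024-47575 before using this in practice.
"""
from __future__ import annotations

# Hypothetical per-branch thresholds (placeholder values). A device counts as
# patched only if it runs at least the fixed build of ITS OWN release branch;
# the existence of a fixed 7.4.x build says nothing about a 7.2.x device.
FIXED_BY_BRANCH: dict[tuple[int, int], tuple[int, int, int]] = {
    (7, 4): (7, 4, 99),  # placeholder, not a real fixed version
    (7, 2): (7, 2, 99),  # placeholder, not a real fixed version
    (7, 0): (7, 0, 99),  # placeholder, not a real fixed version
}


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse strings such as 'v7.4.3' or '7.4.3 build1234' into (major, minor, patch)."""
    core = text.strip().lstrip("vV").split()[0] if text.strip() else ""
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def assess(version_text: str,
           fixed_by_branch: dict[tuple[int, int], tuple[int, int, int]] = FIXED_BY_BRANCH) -> str:
    """Return 'patched', 'vulnerable' or 'unsupported-branch' for one version string."""
    version = parse_version(version_text)
    fixed = fixed_by_branch.get(version[:2])
    if fixed is None:
        # No fixed build listed for this branch: treat as needing manual review
        # (typically an end-of-support branch that must be upgraded outright).
        return "unsupported-branch"
    return "patched" if version >= fixed else "vulnerable"


def triage(inventory: list[dict[str, str]]) -> dict[str, list[str]]:
    """Group device names by assessment outcome; unparseable versions are reported, not skipped."""
    buckets: dict[str, list[str]] = {
        "vulnerable": [], "patched": [], "unsupported-branch": [], "unparseable": [],
    }
    for entry in inventory:
        try:
            status = assess(entry["version"])
        except ValueError:
            status = "unparseable"
        buckets[status].append(entry["name"])
    return buckets


# Constructed sample inventory (hypothetical device names and versions).
SAMPLE_INVENTORY = [
    {"name": "fmg-hq-01", "version": "v7.4.99"},
    {"name": "fmg-dc-02", "version": "7.2.3 build1234"},
    {"name": "fmg-lab-03", "version": "6.4.10"},
    {"name": "fmg-old-04", "version": "unknown"},
]

if __name__ == "__main__":
    for status, names in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(names) or '-'}")
```

Anything landing in the `unparseable` or `unsupported-branch` buckets deserves the same urgency as `vulnerable`: a version you cannot read, or a branch with no fixed release, is not evidence of safety.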