October 24, 2024 at 04:25PM
A critical vulnerability (CVE-2024-47575) in Fortinet’s FortiManager has been exploited by threat actor UNC5820, compromising over 50 devices. This flaw allows unauthorized access and manipulation, raising security concerns. Though sensitive information was extracted, no follow-up attacks have been reported. Immediate forensic investigations and remediation efforts are advised.
### Meeting Takeaways
1. **Incident Overview**: A threat actor, known as UNC5820, has exploited critical vulnerability CVE-2024-47575 in Fortinet’s FortiManager devices across multiple industries, compromising over 50 instances without observed follow-on malicious activity so far.
2. **Vulnerability Details**:
– CVE-2024-47575 is caused by missing authentication in the fgfmd daemon of FortiManager, allowing remote, unauthenticated attackers to execute arbitrary code.
– The vulnerability has received a high severity score of 9.8 (out of 10) on the CVSS.
3. **Operational Impact**:
– UNC5820 has accessed sensitive information, such as configuration data and passwords, from compromised FortiManagers.
– An unauthorized device registration attempt was observed, indicating further exploration of the network environment.
4. **Recommendations for Affected Organizations**:
– Organizations with exposed FortiManager management consoles should conduct immediate forensic investigations.
– Fortinet has released mitigation guidance, including workarounds for those unable to upgrade quickly.
5. **Fortinet’s Response**:
– Fortinet has communicated critical information to customers and published a public advisory (FG-IR-24-423) about the vulnerability and recommended remediation steps.
– They are coordinating with international agencies and industry organizations to address the situation.
### Action Items:
– Perform forensic investigations if FortiManager devices are exposed to the internet.
– Follow Fortinet’s published advisories for remediation and updates.
– Ensure ongoing monitoring for any suspicious activity related to FortiManager installations.