Cloud Threat Landscape

UNC5820 exploiting FortiManager flaw

Type: Campaign
Actors: UNC5820
Pub. date: October 24, 2024
Initial access: 0-day vulnerability
Impact: Data exfiltration
Observed techniques: Vulnerability exploitation, Credential theft
Targeted technologies: Fortinet FortiManager
References:
  https://cloud.google.com/blog/topics/threat-intelligence/fortimanager-zero-day-exploitation-cve-2024-47575
  https://www.fortiguard.com/psirt/FG-IR-24-423
Status: Finalized
Last edited: Oct 28, 2024 1:40 PM

Researchers identified a zero-day vulnerability, CVE-2024-47575, affecting FortiManager and exploited by the UNC5820 group. The flaw allows unauthorized access, enabling threat actors to exfiltrate critical configuration data. The vulnerability has been actively exploited, and compromised devices were traced through connections from specific IP addresses. Fortinet has released mitigations and version updates to address the issue.

The vulnerability allows remote attackers to execute arbitrary code or commands via the fgfmd daemon in FortiManager. Initial exploitation was observed in June 2024, when UNC5820 exfiltrated FortiGate configuration data, including user credentials and policies. Device information and IP addresses were staged in compressed files, and outbound connections following the creation of those files signal exfiltration. Indicators include specific IP addresses, serial numbers, and unauthorized device additions recorded in FortiManager logs.

Last Updated: April 3, 2025