{"id":5930,"date":"2024-10-24T16:22:31","date_gmt":"2024-10-24T21:22:31","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=82276"},"modified":"2024-10-24T16:22:31","modified_gmt":"2024-10-24T21:22:31","slug":"fortinet-warns-of-active-campaign-exploiting-bug-in-fortimanager-products","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/10\/24\/fortinet-warns-of-active-campaign-exploiting-bug-in-fortimanager-products\/","title":{"rendered":"Fortinet warns of active campaign exploiting bug in FortiManager products"},"content":{"rendered":"<p><head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <meta name=\"robots\" content=\"index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1\"> <!-- This site is optimized with the Yoast SEO Premium plugin v21.7 (Yoast SEO v21.7) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ --> <title>Fortinet warns of active campaign exploiting bug in FortiManager products | CyberScoop<\/title> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/fortinet-fortimanager-mandiant-unc5820-alert\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Fortinet warns of active campaign exploiting bug in FortiManager products\"> <meta property=\"og:description\" content=\"At least 50 organizations have been hit by the campaign, Fortinet and Mandiant say, and federal agencies are on the hook to patch.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/fortinet-fortimanager-mandiant-unc5820-alert\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:published_time\" content=\"2024-10-24T21:22:31+00:00\"> <meta property=\"article:modified_time\" content=\"2024-10-24T21:22:34+00:00\"> <meta property=\"og:image\" 
content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/fortinet-warns-of-active-campaign-exploiting-bug-in-fortimanager-products-2.jpg\"> <meta property=\"og:image:width\" content=\"1920\"> <meta property=\"og:image:height\" content=\"1280\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"Christian Vasquez\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@chrismvasq\"> <!-- \/ Yoast SEO Premium plugin. --> <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1729616464g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1728928671g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1729103471g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=ada0ad45b21fc79c6694\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/82276\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" 
content=\"WordPress 6.6.2\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=82276\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Ffortinet-fortimanager-mandiant-unc5820-alert%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Ffortinet-fortimanager-mandiant-unc5820-alert%2F&amp;format=xml\"> <!-- Google Tag Manager --> <!-- End Google Tag Manager --> <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-82276 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/fortinet-fortimanager-mandiant-unc5820-alert\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close 
js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"25.3515625\">\n<div class=\"single-article__header-content\" readability=\"31.513944223108\">\n<p> At least 50 organizations have been hit by the campaign, Fortinet and Mandiant say, and federal agencies are on the hook to patch. <\/p>\n<p> <!-- Listen to this article section --> <!-- End of audio player --> <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"426\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/fortinet-warns-of-active-campaign-exploiting-bug-in-fortimanager-products.jpg?resize=640%2C426&#038;ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/fortinet-warns-of-active-campaign-exploiting-bug-in-fortimanager-products-2.jpg 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/fortinet-warns-of-active-campaign-exploiting-bug-in-fortimanager-products-2.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/fortinet-warns-of-active-campaign-exploiting-bug-in-fortimanager-products-2.jpg?resize=768,512 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/fortinet-warns-of-active-campaign-exploiting-bug-in-fortimanager-products-2.jpg?resize=1024,683 1024w, 
https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/fortinet-warns-of-active-campaign-exploiting-bug-in-fortimanager-products-2.jpg?resize=1536,1024 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/fortinet-warns-of-active-campaign-exploiting-bug-in-fortimanager-products-2.jpg?resize=600,400 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/fortinet-warns-of-active-campaign-exploiting-bug-in-fortimanager-products-2.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/fortinet-warns-of-active-campaign-exploiting-bug-in-fortimanager-products-2.jpg?resize=506,337 506w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/fortinet-warns-of-active-campaign-exploiting-bug-in-fortimanager-products-2.jpg?resize=1013,675 1013w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/fortinet-warns-of-active-campaign-exploiting-bug-in-fortimanager-products-2.jpg?resize=1265,843 1265w\" sizes=\"(max-width: 1013px) 100vw, 1013px\"><figcaption> Fortinet office in Burnaby, BC, Canada, July 7, 2023. (Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"44.806735637244\"><body readability=\"90.110954395863\"><\/p>\n<p>Fortinet and Mandiant are sounding the alarms about an active campaign exploiting a critical bug in FortiManager products that allows a remote hacker to manage associated devices.<\/p>\n<p>Mandiant and Fortinet investigated more than 50 organizations this month that were hit by the campaign, but found indications that it started as early as June 27. 
The Google-owned cybersecurity firm further <a href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/fortimanager-zero-day-exploitation-cve-2024-47575?e=48754805\">warned in the new report<\/a> that it lacks \u201csufficient data to assess actor motivation or location\u201d and is currently tracking the cluster of activity as UNC5820.<\/p>\n<p>The bug, <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2024-47575\">CVE-2024-47575<\/a>, resulted from missing authentication and is given an estimated CVSS score of 9.8 by Fortinet.<\/p>\n<p>Fortinet said in an <a href=\"https:\/\/fortiguard.fortinet.com\/psirt\/FG-IR-24-423\">alert Wednesday<\/a> that it has found no indications of low-level system installations of malware and \u201cthere have been no indicators of modified databases, or connections and modifications to the managed devices.\u201d<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>The vendor further stressed that organizations with impacted versions of FortiManager, FortiManager Cloud, some older FortiAnalyzer models with the FortiManager feature enabled, \u201cand at least one interface with fgfm service enabled\u201d should all patch or mitigate the bug and change credentials.<\/p>\n<p>\u201cWe urge customers to follow the guidance provided to implement the workarounds and fixes and to continue tracking our advisory page for updates,\u201d Fortinet said in a statement to CyberScoop. \u201cWe continue to coordinate with the appropriate international government agencies and industry threat organizations as part of our ongoing response.\u201d<\/p>\n<p>The Cybersecurity and Infrastructure Security Agency added the bug to the <a href=\"https:\/\/www.cisa.gov\/news-events\/alerts\/2024\/10\/23\/cisa-adds-one-known-exploited-vulnerability-catalog\">known exploited vulnerability catalog Wednesday<\/a>. 
The move also starts the clock for federal civilian agencies, which are mandated to fix \u201ccritical risk\u201d bugs within 15 days.<\/p>\n<p>Mandiant said UNC5820 exfiltrated configuration data of multiple FortiGate devices managed by the exploited software, as well as users and associated passwords. However, the firm said there is no data that shows the hackers moving laterally through networks or using the exfiltrated data.<\/p>\n<p>\u201cThis data could be used by UNC5820 to further compromise the FortiManager, move laterally to the managed Fortinet devices, and ultimately target the enterprise environment,\u201d Mandiant said.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>If exploited, Fortinet said the bug could allow a \u201cremote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests.\u201d<\/p>\n<p>Caitlin Condon, director of vulnerability intelligence at Rapid7, told CyberScoop that the network security company is working with several potentially affected organizations but had no additional confirmations of the campaign yet. But Condon cautioned that it\u2019s still early in the disclosure process, meaning more organizations will likely be making public disclosures soon.<\/p>\n<p>Condon also noted in a <a href=\"https:\/\/www.rapid7.com\/blog\/post\/2024\/10\/23\/etr-fortinet-fortimanager-cve-2024-47575-exploited-in-zero-day-attacks\/\">Rapid7 report<\/a> that some customers received \u201ccommunications from service providers indicating the vulnerability may have been exploited in their environments.\u201d<\/p>\n<p>However, the disclosure process has been far from perfect. 
As Condon noted, <a href=\"https:\/\/arstechnica.com\/security\/2024\/10\/fortinet-stays-mum-on-critical-0-day-reportedly-under-active-exploitation\/\">private industry<\/a> discussions around the potential exploit as well as <a href=\"https:\/\/www.reddit.com\/r\/fortinet\/comments\/1g6vspq\/comment\/lsnc32x\/\">some Reddit posts<\/a> predicted the release of the bug. Some concerns were raised publicly as early as Oct. 13, more than a week before the release, and others <a href=\"https:\/\/www.reddit.com\/r\/fortinet\/comments\/1g6vspq\/why_was_fortimanager_728_released\/\">expressed frustration<\/a> about the disclosure process.<\/p>\n<p>In a statement, Fortinet said the company \u201cpromptly communicated critical information and resources to customers. This is in line with our processes and best practices for responsible disclosure to enable customers to strengthen their security posture prior to an advisory being publicly released to a broader audience, including threat actors.\u201d<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>In a <a href=\"https:\/\/doublepulsar.com\/burning-zero-days-fortijump-fortimanager-vulnerability-used-by-nation-state-in-espionage-via-msps-c79abec59773\">blog post<\/a> published Tuesday, security researcher Kevin Beaumont detailed how some customers were privately notified about the bug ahead of time. Beaumont further alleged that state-sponsored activity may be behind the campaign, dubbing the vulnerability \u201cFortiJump.\u201d<\/p>\n<p>Beaumont said there were just under 60,000 vulnerable internet-facing FortiManager devices exposed as of Wednesday, with more than 13,000 found in the United States. 
China was a distant second with over 5,800 devices exposed.<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"1.75\">\n<div class=\"author-card\" readability=\"9\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/fortinet-warns-of-active-campaign-exploiting-bug-in-fortimanager-products-1.jpg?w=640&#038;ssl=1\" alt=\"Christian Vasquez\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Christian Vasquez<\/h4>\n<p> Christian covers industrial cybersecurity for CyberScoop News. He previously wrote for E&amp;E News at POLITICO covering cybersecurity in the energy sector. Reach out:&nbsp; christian.vasquez at cyberscoop dot com <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div 
class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Geopolitics<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p> <!-- Start of HubSpot Embed Code --> <!-- End of HubSpot Embed Code --> <\/body> <a href=\"https:\/\/cyberscoop.com\/fortinet-fortimanager-mandiant-unc5820-alert\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Fortinet warns of active campaign exploiting bug in FortiManager products<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[440,917,281,646,256,288],"tags":[444,921,285,650,262,294],"class_list":["post-5930","post","type-post","status-publish","format-standard","hentry","category-data-breaches","category-fortinet","category-hacking","category-mandiant","category-research","category-threats","tag-data-breaches","tag-fortinet","tag-hacking","tag-mandiant","tag-research","tag-threats"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a 
href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/data-breaches\/\" rel=\"category tag\">data breaches<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/fortinet\/\" rel=\"category tag\">Fortinet<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/hacking\/\" rel=\"category tag\">hacking<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/mandiant\/\" rel=\"category tag\">Mandiant<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/research\/\" rel=\"category tag\">Research<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threats\/\" rel=\"category tag\">Threats<\/a>","tag_info":"Threats","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/5930","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=5930"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/5930\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=5930"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=5930"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=5930"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}