1. Executive Summary
CVE-2024-47575 is a critical “missing authentication for a critical function” vulnerability (CWE-306) in Fortinet FortiManager and FortiManager Cloud that can enable unauthenticated remote attackers to execute arbitrary code or commands via specially crafted requests. Fortinet and multiple incident-response partners reported in-the-wild exploitation, and the vulnerability is flagged in NVD as present in CISA’s Known Exploited Vulnerabilities (KEV) catalogue. NVD lists a CVSS v3.1 base score of 9.8 (Critical). Mandiant’s investigation documented exploitation activity dating back to June 2024 and tracked the activity as UNC5820, including evidence of staging/exfiltration of FortiGate configuration data from compromised FortiManager instances. See Mandiant’s investigation.
2. Contextual Background
2.1 Nature of the threat
Vulnerability: Missing authentication for a critical function in the FortiManager fgfmd daemon may allow a remote unauthenticated attacker to execute arbitrary code or commands.
Affected versions (per NVD description): FortiManager 7.6.0; 7.4.0–7.4.4; 7.2.0–7.2.7; 7.0.0–7.0.12; 6.4.0–6.4.14; 6.2.0–6.2.12; plus multiple FortiManager Cloud version ranges. Refer to NVD and the Fortinet PSIRT advisory for the definitive, current fixed-version guidance.
2.2 Threat-actor attribution
Attribution: UNC5820 (tracked by Mandiant). Confidence: Likely (based on Mandiant’s direct investigative findings and artefact correlation). Mandiant notes it lacked sufficient data at publication time to assess actor motivation or location. Source: Mandiant’s investigation.
2.3 Sector and geographic targeting
Mandiant observed exploitation across 50+ potentially compromised FortiManager devices spanning “various industries”. No single sector focus was confirmed in Mandiant’s public write-up. Source: Mandiant’s investigation.
Important nuance on “100,000 devices”: Some reporting references that a single FortiManager can manage up to ~100,000 devices, which amplifies downstream risk if a management plane is compromised. This is capacity context rather than a verified count of exposed/vulnerable FortiManager instances on the internet. See: Dark Reading coverage.
3. Technical Analysis
3.1 Vulnerability mechanics and observed TTPs
CVE-2024-47575 stems from missing authentication in a “critical function” within the FortiManager fgfmd daemon, enabling unauthenticated remote code execution / command execution via crafted requests. Source: NVD, and corroborated in incident-response reporting such as Rapid7’s analysis.
Observed behaviours (Mandiant):
- Creation/modification of an archive file used to stage sensitive configuration data (notably /tmp/.tm). Source: Mandiant’s investigation.
- Outbound network activity shortly after archive creation, consistent with exfiltration timing. Source: Mandiant’s investigation.
- Registration of an unauthorised Fortinet device (serial FMG-VMTM23017412) and artefacts written to /fds/data/unreg_devices.txt. Source: Mandiant’s investigation.
MITRE ATT&CK technique mapping (representative):
- Remote Services / exploitation for initial access: T1190
- Command execution: T1059
- Archive collected data: T1560
- Exfiltration over C2 channel / HTTPS-style egress: T1041
- Credential access via configuration/hashed password material: T1552
3.2 Exploitation status
Exploited in the wild: Fortinet reported exploitation; Rapid7 and national bodies (UK) amplified the urgency and recommended compromise assessments aligned to vendor IOCs. See: Rapid7, UK NCSC advisory, and NVD (which flags KEV inclusion).
KEV status: NVD explicitly states this CVE is in CISA’s Known Exploited Vulnerabilities catalogue and records a “date added” of 23 October 2024 and federal remediation due date of 13 November 2024. Source: NVD.
4. Impact Assessment
4.1 Severity and scope
Severity: CVSS v3.1 base score 9.8 (Critical) (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) per Fortinet CNA data shown in NVD. Source: NVD.
Business impact: Successful exploitation may enable adversaries to extract sensitive network configurations, device inventories, and credential material (including hashed passwords), increasing the likelihood of follow-on compromise of managed Fortinet devices and wider enterprise access. Source: Mandiant’s investigation.
4.2 Victim profile
Victims include organisations operating FortiManager (or FortiManager Cloud) exposed such that an attacker can reach the management plane. Mandiant’s public reporting references multiple industries and 50+ potentially compromised FortiManager devices. Source: Mandiant’s investigation.
5. Indicators of Compromise (IOCs)
5.1 IOC table
Note: The following IOCs are drawn from Mandiant’s public investigation. Validate against your environment context before blocking, and prefer detection + scoping over broad deny-listing if you have legitimate dependencies that overlap.
| Type | Value | Context / Notes | Source |
|---|---|---|---|
| IP address | 45.32.41.202 | UNC5820-associated infrastructure (observed in exploitation artefacts) | Mandiant investigation |
| IP address | 104.238.141.143 | UNC5820-associated infrastructure | Mandiant investigation |
| IP address | 158.247.199.37 | UNC5820-associated infrastructure | Mandiant investigation |
| IP address | 195.85.114.78 | UNC5820-associated infrastructure (observed outbound traffic to :443 after archive events) | Mandiant investigation |
| File / path | /tmp/.tm | Archive used to stage configuration data | Mandiant investigation |
| Serial number | FMG-VMTM23017412 | Unauthorised Fortinet device ID observed after exploitation | Mandiant investigation |
| File / path | /fds/data/unreg_devices.txt | Contains unauthorised device serial + IP pair | Mandiant investigation |
| Hash (MD5) | 9DCFAB171580B52DEAE8703157012674 | MD5 hash of unreg_devices.txt (as published) | Mandiant investigation |
| Log keyword | msg="Unregistered device localhost add succeeded" | String indicating exploitation in /log/locallog/elog | Mandiant investigation |
| Log keyword | changes="Edited device settings (SN FMG-VMTM23017412)" | String indicating exploitation in /log/locallog/elog | Mandiant investigation |
| Log keyword | changes="Added unregistered device to unregistered table." | String indicating exploitation in /log/locallog/elog | Mandiant investigation |
| Email address | [email protected] | Disposable email address observed in subscription artefacts | Mandiant investigation |
| Keyword | Purity Supreme | Company name string observed in artefacts | Mandiant investigation |
5.2 Detection guidance
- High-fidelity hunting: Search for the malicious device ID FMG-VMTM23017412 and “Unregistered device” log strings in FortiManager logs (e.g., /log/locallog/elog). Source: Mandiant investigation.
- File-system artefacts: Investigate unexpected creation/modification of /tmp/.tm and presence/changes to /fds/data/unreg_devices.txt. Source: Mandiant investigation.
- Network analytics: Look for outbound connections to the published IOC IPs shortly after suspicious archive activity; prioritise egress to 443 where byte counts align with staged archive sizes. Source: Mandiant investigation.
- Rule content: Mandiant notes YARA-L rules released via Google SecOps Enterprise+ “Mandiant Intel Emerging Threats” pack (rule names include “Suspicious FortiManager Inbound and Outbound Connection”). Source: Mandiant investigation.
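The hunting steps above can be turned into a small offline check. The script below is an added example, not code from Mandiant, Fortinet or Google SecOps: it takes the published IOC values from section 5.1 and runs them over a constructed excerpt of the local event log and a constructed set of flow and file-event records. The key=value log layout, the flow tuples and the file-event tuples are assumptions about the real formats; the correlation rule (egress to an IOC IP on 443 within a window after a /tmp/.tm event is rated high) implements the prioritisation described in the network-analytics bullet.

```python
"""Hunt for the published CVE-2024-47575 / UNC5820 indicators in FortiManager
local event logs and in network flow records.

Added example, not code from Mandiant, Fortinet or Google SecOps. The IOC
values are the ones published in the report above; the key=value log layout,
the flow-record tuples and the file-event tuples are constructed for
illustration and are assumptions about the real formats.
"""
from datetime import datetime, timedelta

# Published IOCs (section 5.1).
IOC_IPS = {"45.32.41.202", "104.238.141.143", "158.247.199.37", "195.85.114.78"}
IOC_SERIAL = "FMG-VMTM23017412"
IOC_LOG_STRINGS = (
    'msg="Unregistered device localhost add succeeded"',
    f'changes="Edited device settings (SN {IOC_SERIAL})"',
    'changes="Added unregistered device to unregistered table."',
)
STAGING_PATH = "/tmp/.tm"
TS = "%Y-%m-%d %H:%M:%S"

# Constructed /log/locallog/elog excerpt (assumed key=value layout; not real data).
SAMPLE_ELOG = """\
date=2024-06-27 time=10:02:11 user="admin" msg="User admin logged in"
date=2024-06-27 time=10:04:51 user="-" msg="Unregistered device localhost add succeeded"
date=2024-06-27 time=10:04:52 user="-" changes="Added unregistered device to unregistered table."
date=2024-06-27 time=10:05:03 user="-" changes="Edited device settings (SN FMG-VMTM23017412)"
date=2024-06-27 time=10:30:00 user="admin" msg="Scheduled backup completed"
"""

# Constructed flow records: (timestamp, src, dst, dst_port, bytes). 10.0.0.5 is the FortiManager.
SAMPLE_FLOWS = [
    ("2024-06-27 10:05:10", "10.0.0.5", "195.85.114.78", 443, 1_900_000),
    ("2024-06-27 10:06:00", "10.0.0.5", "192.0.2.53", 53, 120),
    ("2024-06-27 12:00:00", "10.0.0.5", "203.0.113.9", 443, 400),
]

# Constructed file-integrity events: (timestamp, path, action).
SAMPLE_FILE_EVENTS = [("2024-06-27 10:04:58", STAGING_PATH, "create")]


def hunt_elog(text):
    """Return (line_number, indicator) for each log line carrying a published string or the serial."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        matched = next((s for s in IOC_LOG_STRINGS if s in line), None)
        if matched is None and IOC_SERIAL in line:
            matched = IOC_SERIAL          # serial seen outside the three known strings
        if matched is not None:
            hits.append((number, matched))
    return hits


def hunt_flows(flows, file_events, window_minutes=30):
    """Flag egress to IOC IPs; rate it high when it follows a /tmp/.tm event within the window.

    Mandiant tied exfiltration timing to the archive creation, so a 443 flow
    shortly after the staging file appears is the strongest signal here.
    """
    archive_times = [datetime.strptime(ts, TS) for ts, path, _ in file_events if path == STAGING_PATH]
    window = timedelta(minutes=window_minutes)
    findings = []
    for ts, src, dst, port, nbytes in flows:
        if dst not in IOC_IPS:
            continue
        t = datetime.strptime(ts, TS)
        after_archive = any(timedelta(0) <= t - a <= window for a in archive_times)
        findings.append({
            "time": ts, "src": src, "dst": dst, "port": port, "bytes": nbytes,
            "priority": "high" if after_archive and port == 443 else "medium",
        })
    return findings


if __name__ == "__main__":
    for number, indicator in hunt_elog(SAMPLE_ELOG):
        print(f"elog line {number}: {indicator}")
    for finding in hunt_flows(SAMPLE_FLOWS, SAMPLE_FILE_EVENTS):
        print(finding)
```

Against the constructed sample the log hunt returns lines 2, 3 and 4, and the flow hunt returns one high-priority finding for 195.85.114.78:443 twelve seconds after the archive event; the same flow with no file-event feed is only rated medium, which is why the file-system telemetry is worth collecting alongside the flows.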
6. Incident Response Guidance
6.1 Containment, eradication, and recovery
- Immediate containment: If FortiManager is internet-exposed, restrict management-plane access to known administrator IP ranges and required device subnets only, and disable unnecessary services until patched. Align actions to Fortinet PSIRT guidance and national advisories such as UK NCSC.
- Patch / upgrade: Apply Fortinet’s fixed versions and follow workaround guidance where upgrades are not immediately possible. Reference: Fortinet PSIRT advisory and confirmation in Rapid7’s write-up.
- Recovery approach: National guidance recommends a compromise assessment using vendor IOCs and, if compromised, rebuilding/re-initialising FortiManager and restoring from a known-good backup (pre-compromise) where possible. See NHS England alert.
6.2 Forensic artefacts to collect
- FortiManager logs (especially local event logs referenced by Mandiant), and audit trails covering device add/modify operations.
- File-system artefacts: /tmp/.tm, /fds/data/unreg_devices.txt, and related subscription files referenced in public reporting.
- Network telemetry: north-south connections to/from the FortiManager management plane; egress flows from FortiManager to the IOC IPs.
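Once the artefacts above have been collected (or the appliance file system has been imaged and mounted), they can be triaged against the published values. The script below is an added example, not Mandiant's or Fortinet's code: it checks a root directory for the two artefact paths, hashes unreg_devices.txt and compares it with the MD5 from the IOC table, extracts serial/IP pairs and matches them against the IOC serial and IPs, and lists the members of the staging archive. The one-pair-per-line layout of unreg_devices.txt and the tar format of /tmp/.tm are assumptions made for illustration; a sample image is constructed in a temporary directory so the example runs offline.

```python
"""Triage the file-system artefacts from Mandiant's FortiManager reporting on
a copy of the appliance file system mounted (or extracted) under ROOT.

Added example, not code from Mandiant or Fortinet. The artefact paths,
serial number and MD5 are the published values from the report above; the
"<serial> <ip>" line layout of unreg_devices.txt and the tar format of
/tmp/.tm are assumptions made for illustration.
"""
import hashlib
import io
import os
import re
import tarfile
import tempfile

PUBLISHED_MD5 = "9dcfab171580b52deae8703157012674"   # MD5 of unreg_devices.txt as published
IOC_SERIAL = "FMG-VMTM23017412"
IOC_IPS = {"45.32.41.202", "104.238.141.143", "158.247.199.37", "195.85.114.78"}
STAGING_ARCHIVE = "tmp/.tm"                          # relative to ROOT
UNREG_DEVICES = "fds/data/unreg_devices.txt"
PAIR_RE = re.compile(r"^\s*(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")


def md5_file(path):
    """Stream the file through MD5 so large files do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_unreg_devices(text):
    """Return (serial, ip) pairs; assumes one whitespace-separated pair per line."""
    return [m.groups() for line in text.splitlines() if (m := PAIR_RE.match(line))]


def list_archive(path):
    """Member names if the staging file is a tar archive, else None (format is an assumption)."""
    if not tarfile.is_tarfile(path):
        return None
    with tarfile.open(path) as tar:
        return tar.getnames()


def triage(root):
    """Collect evidence under root, compare it with the published IOCs and return a report."""
    report = {"present": [], "md5_match": None, "ioc_serial": False,
              "ioc_ips": [], "archive_members": None}
    for rel in (STAGING_ARCHIVE, UNREG_DEVICES):
        if os.path.exists(os.path.join(root, rel)):
            report["present"].append(rel)
    unreg = os.path.join(root, UNREG_DEVICES)
    if os.path.isfile(unreg):
        # A hash mismatch does not clear the host: the published MD5 covers one observed file.
        report["md5_match"] = md5_file(unreg) == PUBLISHED_MD5
        with open(unreg, encoding="utf-8", errors="replace") as fh:
            pairs = parse_unreg_devices(fh.read())
        report["ioc_serial"] = any(serial == IOC_SERIAL for serial, _ in pairs)
        report["ioc_ips"] = sorted({ip for _, ip in pairs if ip in IOC_IPS})
    archive = os.path.join(root, STAGING_ARCHIVE)
    if os.path.isfile(archive):
        report["archive_members"] = list_archive(archive)
    return report


def build_constructed_image(root):
    """Write a constructed sample image (NOT real evidence) under root for exercising the triage."""
    os.makedirs(os.path.join(root, "tmp"), exist_ok=True)
    os.makedirs(os.path.join(root, "fds", "data"), exist_ok=True)
    with open(os.path.join(root, UNREG_DEVICES), "w", encoding="utf-8") as fh:
        fh.write(f"{IOC_SERIAL} 45.32.41.202\n")
    with tarfile.open(os.path.join(root, STAGING_ARCHIVE), "w:gz") as tar:
        data = b"# constructed placeholder config\n"
        info = tarfile.TarInfo("constructed_device.conf")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))


def demo():
    """Build the constructed image in a temporary directory and triage it."""
    root = tempfile.mkdtemp(prefix="fmg-triage-")
    build_constructed_image(root)
    return triage(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On the constructed image both artefacts are present, the IOC serial and one IOC IP are recovered from unreg_devices.txt, and the MD5 does not match the published value; the hash comparison is kept as a positive confirmation only, since the report notes the published MD5 is the hash of the file as observed in one investigation and any differing content still warrants the serial and IP checks.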
6.3 Lessons learned
- Do not expose management planes to the internet unless strictly required; enforce IP allow-listing and strong segmentation.
- Baseline “rare” management operations (device registration, unregistered-device handling) so anomalies alert quickly.
7. Threat Intelligence Contextualisation
7.1 Similar incident patterns
Fortinet management-plane exploitation continues to be attractive because it centralises credentials, topology, and policy control for downstream security infrastructure. In this case, Mandiant observed theft of managed-device configuration and hashed password material—an approach that can enable rapid follow-on access if not contained. Source: Mandiant investigation.
7.2 Full MITRE ATT&CK mapping
| Tactic | Technique ID | Technique Name | Observed Behaviour |
|---|---|---|---|
| Initial Access | T1190 | Exploit Public-Facing Application | Unauthenticated exploitation of FortiManager service to enable code/command execution (as described in public reporting). |
| Execution | T1059 | Command and Scripting Interpreter | Arbitrary command execution capability implied by vulnerability impact (RCE/ACE). |
| Collection | T1005 | Data from Local System | Collection of configuration data and sensitive files from FortiManager. |
| Collection | T1552 | Unsecured Credentials | Exfiltration of configuration data containing hashed passwords and credential material for managed devices. |
| Collection | T1560 | Archive Collected Data | Creation/use of /tmp/.tm archive to stage sensitive content. |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | Outbound traffic observed shortly after archive activity to external IPs. |
8. Mitigation Recommendations
8.1 Hardening and configuration
- Restrict FortiManager management access to a tightly controlled admin network (VPN + allow-listing), and avoid direct internet exposure where feasible. Align with UK NCSC guidance.
- Implement egress controls for management infrastructure; alert on new or unusual outbound destinations from FortiManager.
- Enable centralised logging and long retention for FortiManager audit logs and device registration activity.
8.2 Patch management and prioritisation
- Prioritise emergency patching due to (a) critical severity and (b) in-the-wild exploitation. Sources: NVD, Rapid7.
- Where patching is delayed, apply vendor workarounds and enforce strict network controls as compensating measures. Source: Fortinet PSIRT advisory.
9. Historical Context & Related Vulnerabilities
Fortinet products are frequently targeted due to their perimeter and management roles; incident responders and national agencies routinely stress rapid patch adoption and management-plane isolation when Fortinet advisories indicate exploitation. For this specific incident and its exploitation timeline (June–September 2024 observations), see: Mandiant’s investigation.
10. Future Outlook
- Expect continued scanning and opportunistic exploitation of internet-exposed FortiManager systems, especially where patch adoption lags.
- Downstream targeting risk (managed FortiGate and related infrastructure) remains a key concern if attackers leverage exfiltrated configuration and credential material for follow-on access. Source: Mandiant’s investigation.
11. Further Reading
- Fortinet PSIRT: FG-IR-24-423 (CVE-2024-47575)
- NVD entry for CVE-2024-47575
- Mandiant: Investigating FortiManager Zero-Day Exploitation
- UK NCSC: Exploitation of vulnerability affecting Fortinet FortiManager
- Rapid7: CVE-2024-47575 exploited in zero-day attacks
- NHS England: Exploited Critical Vulnerability CVE-2024-47575
