CVE-2024-47575 Detection: FortiManager API Vulnerability Exploited in Zero-Day Attacks
Attackers frequently launch high-profile attacks by exploiting RCE vulnerabilities in popular software products. Cybersecurity researchers have recently identified the widespread exploitation of FortiManager instances, with 50+ potentially compromised devices across multiple industry verticals. Defenders disclosed a critical FortiManager API vulnerability, tracked as CVE-2024-47575, that was exploited in zero-day attacks by adversaries to execute arbitrary code or commands and steal sensitive files containing configurations, IP addresses, and credentials for managed devices.
Detect CVE-2024-47575 Exploitation Attempts
A new day brings yet another critical vulnerability under active exploitation. This time, security experts have disclosed a security flaw in FortiManager instances, which has allowed a remote code execution exploit to be used in the wild. A new threat actor, tracked by Mandiant under the identifier UNC5820, has been linked to this exploitation.
To stay ahead of potential attacks, cyber defenders can leverage the SOC Prime Platform, which offers relevant detection rules and a complete suite of tools for advanced threat detection, automated threat hunting, and AI-powered detection engineering.
To spot CVE-2024-47575 exploitation attempts, take a look at the dedicated Sigma rule by the SOC Prime Team:
The rule is compatible with 16 security analytics solutions and mapped to the MITRE ATT&CK® framework, addressing the Initial Access tactic with the Exploit Public-Facing Application (T1190) as a corresponding technique.
Explore the broader detection stack aimed at detecting emerging CVEs by clicking the Explore Detections button. Security professionals can obtain in-depth cyber threat context accompanied by ATT&CK references and CTI links, as well as get actionable metadata tailored to their organization-specific needs for streamlined threat research.
CVE-2024-47575 Analysis
In October 2024, Mandiant partnered with Fortinet researchers to investigate mass exploitation targeting over 50 FortiManager appliances across multiple industries. The exploited zero-day, identified as CVE-2024-47575, is highly critical with a CVSS score of 9.8 and enables threat actors to leverage unauthorized FortiManager devices under their control to perform RCE.
According to Fortinet’s advisory, CVE-2024-47575 could enable a remote, unauthenticated attacker to run arbitrary code or commands through specially crafted requests due to missing authentication for a critical function [CWE-306] in the FortiManager fgfmd daemon.
Mandiant has identified a new threat cluster, UNC5820, potentially linked to the CVE-2024-47575 exploitation, which has been weaponizing the vulnerability since June 2024. Adversaries exfiltrated configuration data from managed FortiGate devices, including detailed configurations and user FortiOS256-hashed passwords. This data could give UNC5820 the green light to further compromise FortiManager and perform lateral movement activities within the network.
The identified zero-day flaw affects FortiManager versions 7.x and 6.x, as well as FortiManager Cloud versions 7.x and 6.x. Additionally, it impacts older FortiAnalyzer models 1000E, 1000F, 2000E, 3000E, 3000F, 3000G, 3500E, 3500F, 3500G, 3700F, 3700G, and 3900E, provided they have at least one interface with the fgfm service enabled and the specific configuration enabled.
According to Censys, there are 4K+ exposed FortiManager admin portals online, with almost 30% of these located in the U.S. and approximately 20% of the publicly accessible instances linked to Microsoft Cloud. Still, it remains unclear how many of these FortiManager appliances are vulnerable to CVE-2024-47575, as there is insufficient information regarding the specific device versions in use.
To minimize the risks of CVE-2024-47575 exploitation, Fortinet has issued an advisory with workarounds, patch updates, and several mitigation options for those unable to install the latest firmware update immediately, like blocking unknown devices from attempting to register (for FortiManager versions 7.0.12 or higher, 7.2.5 or higher, and 7.4.3 or higher), implementing local-in policies to allowlist specific IP addresses of FortiGates permitted to connect (for device versions 7.2.0 and above), or leveraging a custom certificate (for software versions 7.2.2 and above, 7.4.0 and above, and 7.6.0 and above).
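The version thresholds above can be turned into a quick inventory triage. The following is an added example, not code from Fortinet or SOC Prime; the hostnames and inventory are constructed, and it assumes that thresholds listed for several branches apply per release branch while the single "7.2.0 and above" threshold applies to any later release.

```python
import re

# Thresholds as listed in the article. Assumption: where several branches are
# listed, "X.Y.Z or higher" means same major.minor with patch >= Z, and a
# branch that is not listed is treated as not covered by that workaround.
DENY_UNKNOWN_MIN = {(7, 0): 12, (7, 2): 5, (7, 4): 3}
CUSTOM_CERT_MIN = {(7, 2): 2, (7, 4): 0, (7, 6): 0}
# Assumption: a single "7.2.0 and above" threshold covers every later release.
LOCAL_IN_MIN = (7, 2, 0)

NOT_LISTED = float("inf")


def parse_version(text):
    """Parse 'v7.4.3' or '7.4.3' into (7, 4, 3); reject anything else."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognized version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def workarounds_for(version):
    """Return the interim mitigations from the article that fit this version."""
    major, minor, patch = parse_version(version)
    options = []
    if patch >= DENY_UNKNOWN_MIN.get((major, minor), NOT_LISTED):
        options.append("block unknown devices from registering")
    if (major, minor, patch) >= LOCAL_IN_MIN:
        options.append("local-in policy allowlisting FortiGate IPs")
    if patch >= CUSTOM_CERT_MIN.get((major, minor), NOT_LISTED):
        options.append("custom certificate")
    return options


def triage(inventory):
    """Map hostname -> options; an empty list leaves only the firmware update."""
    return {host: workarounds_for(ver) for host, ver in inventory.items()}


# Constructed inventory for illustration (hypothetical hostnames).
SAMPLE = {"fmg-a": "7.4.3", "fmg-b": "7.0.11", "fmg-c": "6.4.14", "fmg-d": "7.2.1"}

if __name__ == "__main__":
    for host, opts in triage(SAMPLE).items():
        print(host, "->", opts or "no listed workaround; prioritize the update")
```

An empty result, as for the 6.x and early 7.0.x entries, means none of the three interim options listed here fits that release, so the appliance belongs at the front of the patch queue.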
The zero-day vulnerability CVE-2024-47575 has been included in CISA’s Known Exploited Vulnerabilities catalog to increase cybersecurity awareness and notify organizations of the escalating risks posed by its exploitation. As the risks of CVE-2024-47575 should not be underestimated due to its potential for RCE and ease of exploitation, organizations are encouraged to elevate their proactive defenses. SOC Prime’s complete product suite for AI-powered detection engineering, automated threat hunting, and advanced threat detection helps security teams identify emerging threats at the earliest attack stages and risk-optimize their organization’s cybersecurity posture.