CRITICAL: Fortinet FortiManager CVE-2024-47575 Special Report

DESCRIPTION LAST UPDATED: 2024-10-24

DEFAULT SEVERITY LEVEL: CRITICAL

This Special Report contains information about Fortinet FortiManager devices that were potential or confirmed victims of zero-day exploitation of CVE-2024-47575, a missing-authentication-for-critical-function vulnerability (CWE-306) in FortiManager, with a CVSS score of 9.8/10 (rated CRITICAL). You can read Fortinet’s advisory about the vulnerability here. Further analysis by Mandiant of the attack, attributed to UNC5820, can be found here.

Devices tagged as cve-2024-47575-compromised were targeted by the threat actor and are believed to have been successfully compromised. Compromised devices include full “first_seen_time” / “last_seen_time” timestamps.

Devices tagged as cve-2024-47575-targeted are believed to have been targeted by the threat actor but are not confirmed as compromised. Targeted devices have their “first_seen_time” / “last_seen_time” timestamps set to “2024-09-22 00:00:00” as an approximation of the time each device was targeted, based on available information. The absence of status = compromised for a targeted device does not mean that the system was not compromised, only that we have not been able to verify its status. We highly recommend that targeted devices are also assumed to be fully compromised, unless extensive forensic analysis of the affected systems and their managed devices indicates otherwise.

Note that a compromised device may have more than one IP address or could have traversed a NAT device, so there is not always a 100% one-to-one mapping of compromised and targeted IP addresses.

In particular, please take note of the following guidance in Fortinet’s advisory: “Since data may have been exfiltrated from the FortiManager database, we recommend that the credentials, such as passwords and user-sensitive data, of all managed devices, be urgently changed“.

Shadowserver Special Reports are unlike all of our other standard free daily network reports. They do not cover a specific daily 24-hour time period.

Instead, we send out Special Reports in situations where we are able to share one-time, high-value datasets that we feel should be reported responsibly for maximum public benefit. Some incidents make it useful to notify potential victims about events or breaches that may have impacted them outside of the previous 24-hour period, for example when incident responders need a number of days to conduct forensic investigations before the analyzed data becomes available for sharing with potential victims. Although the events included in these Special Reports fall outside of our usual 24-hour daily reporting window, we believe that there is still significant benefit to our constituents in receiving and, hopefully, acting on the retrospective data.

If you have missed a Special Report because you were NOT yet a subscriber at the time a report was pushed out, simply subscribe for your network now and specifically request all recent Shadowserver Special Reports – and we will regenerate them specifically for your network, at no cost.

Note that the data shared across Special Reports may differ on a case by case basis, hence the report formats for individual Special Reports may be different.

This Special Report has severity level CRITICAL set on all events. Severity levels are described here.

Filename prefix: 2024-10-24-special.

Note: this Special Report is accessible via our API using 2024-10-24 as the search date.

Fields

  • timestamp
    The timestamp has been set to "2024-10-24 00:00:00" to represent when this data set was reported
  • ip
    IP address of the affected device
  • port
    TCP or UDP port identified
  • protocol
    Protocol associated with the malicious activity
  • asn
    Autonomous System Number of the affected device
  • geo
    Country of the affected device
  • region
    Region of the affected device
  • city
    City of the affected device
  • hostname
    Hostname of the affected device (may be from reverse DNS)
  • naics
    North American Industry Classification System Code
  • sector
    Sector of the IP address in question
  • tag
    Additional tags for more insight
  • infection
    Description of the malware/infection
  • public_source
    Source of the data
  • status
    Status of the affected IP address, for example, "compromised"
  • detail
    Unused
  • account
    Unused
  • method
    Unused
  • device_vendor
    Vendor of the device (empty in the sample below)
  • severity
    Severity level
  • hostname_source
    Hostname source
  • first_seen_time
    Timestamp the device was first recorded (full timestamp of compromised device or estimated time device was targeted)
  • last_seen_time
    Timestamp the device was last recorded (full timestamp of compromised device or estimated time device was targeted)
  • potential_exposure_time
    Unused

Sample

"timestamp","ip","port","protocol","asn","geo","region","city","hostname","naics","sector","tag","infection","public_source","status","detail","account","method","device_vendor","severity","hostname_source","first_seen_time","last_seen_time","potential_exposure_time"
"2024-10-24 00:00:00",192.168.0.1,,,64512,ZZ,Region,City,node01.example.com,0,,cve-2024-47575-targeted,cve-2024-47575,,targeted,,,,,critical,ptr,"2024-09-22 00:00:00","2024-09-22 00:00:00",
"2024-10-24 00:00:01",192.168.0.2,,,64512,ZZ,Region,City,node02.example.com,0,,cve-2024-47575-targeted,cve-2024-47575,,targeted,,,,,critical,ptr,"2024-09-22 00:00:00","2024-09-22 00:00:00",
"2024-10-24 00:00:01",192.168.0.3,,,64512,ZZ,Region,City,node02.example.com,0,,cve-2024-47575-compromised,cve-2024-47575,,compromised,,,,,critical,ptr,"2024-09-22 00:00:00","2024-09-22 00:00:00",
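The following script is an added example of consuming this report format; it is not Shadowserver's own tooling. It parses the CSV layout shown above, rejects rows whose column count or infection value does not match, separates confirmed-compromised devices (which carry real first/last-seen timestamps) from targeted devices (which carry the 2024-09-22 placeholder), and flags hostnames that appear under more than one IP address, since one device may have several addresses or sit behind NAT. The embedded sample rows are constructed to match the layout above and are not real report data; the full timestamps on the compromised row are an assumption used to illustrate the distinction.

```python
"""Triage helper for a Shadowserver CVE-2024-47575 Special Report CSV.

Added example, not Shadowserver's own code. Assumes the column layout shown
in the report sample; the rows in SAMPLE_CSV are constructed, not real data.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample in the report's layout: header plus three rows. The
# compromised row's full timestamps are assumed for illustration.
SAMPLE_CSV = '''"timestamp","ip","port","protocol","asn","geo","region","city","hostname","naics","sector","tag","infection","public_source","status","detail","account","method","device_vendor","severity","hostname_source","first_seen_time","last_seen_time","potential_exposure_time"
"2024-10-24 00:00:00",192.168.0.1,,,64512,ZZ,Region,City,node01.example.com,0,,cve-2024-47575-targeted,cve-2024-47575,,targeted,,,,,critical,ptr,"2024-09-22 00:00:00","2024-09-22 00:00:00",
"2024-10-24 00:00:01",192.168.0.2,,,64512,ZZ,Region,City,node02.example.com,0,,cve-2024-47575-targeted,cve-2024-47575,,targeted,,,,,critical,ptr,"2024-09-22 00:00:00","2024-09-22 00:00:00",
"2024-10-24 00:00:01",192.168.0.3,,,64512,ZZ,Region,City,node02.example.com,0,,cve-2024-47575-compromised,cve-2024-47575,,compromised,,,,,critical,ptr,"2024-10-23 14:05:12","2024-10-23 14:07:40",
'''

REQUIRED = {"ip", "hostname", "tag", "infection", "status",
            "first_seen_time", "last_seen_time"}
# Placeholder the report uses when a device was targeted but the time is only estimated.
APPROX_TS = "2024-09-22 00:00:00"
TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_report(text):
    """Return one dict per data row; raise ValueError on a malformed report."""
    reader = csv.DictReader(io.StringIO(text))
    missing = REQUIRED - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"report is missing columns: {sorted(missing)}")
    rows = []
    for lineno, row in enumerate(reader, start=2):
        # DictReader stores surplus fields under None and fills short rows with None.
        if None in row or any(v is None for v in row.values()):
            raise ValueError(f"line {lineno}: column count does not match header")
        if row["infection"] != "cve-2024-47575":
            raise ValueError(f"line {lineno}: unexpected infection {row['infection']!r}")
        rows.append(row)
    return rows


def triage(rows):
    """Build a response list with confirmed-compromised devices first.

    Both classes get the same response (isolate, re-image, rotate credentials
    of all managed devices); only the forensic window differs. Targeted rows
    carry the placeholder timestamp, so no real window can be given for them.
    """
    actions = []
    for row in rows:
        status = row["status"]
        if status not in ("compromised", "targeted"):
            raise ValueError(f"unknown status {status!r} for {row['ip']}")
        estimated = (row["first_seen_time"] == APPROX_TS
                     and row["last_seen_time"] == APPROX_TS)
        window = None
        if not estimated:
            window = (datetime.strptime(row["first_seen_time"], TS_FORMAT),
                      datetime.strptime(row["last_seen_time"], TS_FORMAT))
        actions.append({
            "ip": row["ip"],
            "hostname": row["hostname"],
            "status": status,
            "timestamps_estimated": estimated,
            "window": window,
        })
    actions.sort(key=lambda a: a["status"] != "compromised")
    return actions


def summarize(actions):
    """Return (counts per status, hostnames seen with more than one IP)."""
    counts = defaultdict(int)
    ips_by_host = defaultdict(set)
    for a in actions:
        counts[a["status"]] += 1
        if a["hostname"]:
            ips_by_host[a["hostname"]].add(a["ip"])
    multi_ip = {h: sorted(ips) for h, ips in ips_by_host.items() if len(ips) > 1}
    return dict(counts), multi_ip


if __name__ == "__main__":
    acts = triage(parse_report(SAMPLE_CSV))
    for a in acts:
        print(a["status"], a["ip"], a["hostname"], a["window"] or "time estimated")
    print(summarize(acts))
```

A hostname that appears with several IPs (node02.example.com in the constructed sample) should be treated as one device whose worst status applies to all of its addresses, rather than as separate targeted and compromised systems.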
