At least 50 organizations have been hit by the campaign, Fortinet and Mandiant say, and federal agencies are on the hook to patch.
Fortinet and Mandiant are sounding the alarms about an active campaign exploiting a critical bug in FortiManager products that allows a remote hacker to manage associated devices.
Mandiant and Fortinet investigated more than 50 organizations this month that were hit by the campaign, but found indications that it started as early as June 27. The Google-owned cybersecurity firm further warned in the new report that it lacks "sufficient data to assess actor motivation or location" and is currently tracking the cluster of activity as UNC5820.
The bug, CVE-2024-47575, resulted from a missing authentication and is given an estimated CVEE score of 9.8 by Fortinet.
Fortinet said in an alert Wednesday that it has found no indications of low-level system installations of malware and "there have been no indicators of modified databases, or connections and modifications to the managed devices."
The vendor further stressed that organizations with impacted versions of FortiManager, FortiManager Cloud, some older FortiAnalyzer models with the FortiManager feature enabled, "and at least one interface with fgfm service enabled" should all patch or mitigate the bug and change credentials.
"We urge customers to follow the guidance provided to implement the workarounds and fixes and to continue tracking our advisory page for updates," Fortinet said in a statement to CyberScoop. "We continue to coordinate with the appropriate international government agencies and industry threat organizations as part of our ongoing response."
The Cybersecurity and Infrastructure Security Agency added the bug to the known exploited vulnerability catalog Wednesday. The move also starts the clock for federal civilian agencies, which are mandated to fix "critical risk" bugs within 15 days.
Mandiant said UNC5820 exfiltrated configuration data of multiple FortiGate devices managed by the exploited software, as well as users and associated passwords. However, the firm said there is no data that shows the hackers moving laterally through networks or using the exfiltrated data.
"This data could be used by UNC5820 to further compromise the FortiManager, move laterally to the managed Fortinet devices, and ultimately target the enterprise environment," Mandiant said.
If exploited, Fortinet said the bug could allow a "remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests."
Caitlin Condon, director of vulnerability intelligence at Rapid7, told CyberScoop that the network security company is working with several potentially affected organizations but had no additional confirmations of the campaign yet. But Condon cautioned that it's still early in the disclosure process, meaning more organizations will likely be making public disclosures soon.
Condon also noted in a Rapid7 report that some customers received "communications from service providers indicating the vulnerability may have been exploited in their environments."
However, the disclosure process has been far from perfect. As Condon noted, private industry discussions around the potential exploit as well as some Reddit posts predicted the release of the bug. Some concerns were raised publicly as early as Oct. 13, more than a week before the release, and others expressed frustration about the disclosure process.
In a statement, Fortinet said the company "promptly communicated critical information and resources to customers. This is in line with our processes and best practices for responsible disclosure to enable customers to strengthen their security posture prior to an advisory being publicly released to a broader audience, including threat actors."
In a blog post published Tuesday, security researcher Kevin Beaumont detailed how some customers were privately notified about the bug ahead of time. Beaumont further alleged that state-sponsored activity may be behind the campaign, dubbing the vulnerability "FortiJump."
Beaumont said there were just under 60,000 vulnerable internet-facing FortiManager devices exposed as of Wednesday, with more than 13,000 found in the United States. China was a distant second with over 5,800 devices exposed.