24 October 2024

New Fortinet FortiManager RCE flaw exploited in zero-day attacks

A critical vulnerability in Fortinet's FortiManager, tracked as CVE-2024-47575 and dubbed “FortiJump,” has been actively exploited in zero-day attacks since June 2024, according to cybersecurity firm Mandiant.

The vulnerability is a missing-authentication issue in the FortiManager fgfmd daemon. It allows a remote, unauthenticated attacker to execute arbitrary commands by sending malicious requests.

Fortinet explained that attackers could exploit the flaw by using attacker-controlled FortiManager and FortiGate devices, equipped with valid certificates, to register themselves on any exposed FortiManager server. Once connected, even in an unauthorized state, they could exploit the vulnerability to execute API commands, potentially gaining access to sensitive configuration data about managed devices.
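The security-relevant point in the paragraph above is that a valid vendor certificate proves a device is a genuine product, not that your organisation has approved it for management. The following toy model, added here as an illustration and not Fortinet's code, shows the difference between a handler that treats "registered with a valid certificate" as sufficient and one that also requires explicit administrator authorization before serving management API calls. The `DeviceRegistry` class, its method names, the serial numbers and the string-valued "certificates" are all constructed assumptions; a real manager would validate an X.509 chain and expose a far richer API.

```python
from dataclasses import dataclass, field
from enum import Enum


class DeviceState(Enum):
    # Presented a valid vendor certificate but has not been approved by an admin.
    UNAUTHORIZED = "unauthorized"
    # Explicitly approved by an administrator for management.
    AUTHORIZED = "authorized"


@dataclass
class Device:
    serial: str
    state: DeviceState = DeviceState.UNAUTHORIZED


@dataclass
class DeviceRegistry:
    """Hypothetical stand-in for a central manager's device table (not Fortinet code)."""
    # Constructed trust anchor; a real manager validates an X.509 chain, not a string.
    trusted_issuer: str = "vendor-ca"
    devices: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def register(self, serial: str, cert_issuer: str) -> Device:
        """Accept a connection from any device holding a vendor-issued certificate.

        The certificate proves the device is a genuine product, not that this
        organisation owns it, so a newly seen device always starts UNAUTHORIZED.
        """
        if cert_issuer != self.trusted_issuer:
            raise PermissionError("certificate not issued by the trusted CA")
        device = self.devices.setdefault(serial, Device(serial))
        self.audit_log.append(f"register serial={serial} state={device.state.value}")
        return device

    def authorize(self, serial: str) -> None:
        """Administrator approval: the only path from UNAUTHORIZED to AUTHORIZED."""
        self.devices[serial].state = DeviceState.AUTHORIZED

    def api_command_weak(self, serial: str, command: str) -> str:
        """Weak handler: being registered (a valid cert) is treated as sufficient."""
        if serial not in self.devices:
            raise PermissionError("unknown device")
        return self._execute(serial, command)

    def api_command_hardened(self, serial: str, command: str) -> str:
        """Hardened handler: the device must also have been explicitly authorized."""
        device = self.devices.get(serial)
        if device is None or device.state is not DeviceState.AUTHORIZED:
            self.audit_log.append(f"deny serial={serial} command={command}")
            raise PermissionError("device is not authorized for management API use")
        return self._execute(serial, command)

    def _execute(self, serial: str, command: str) -> str:
        # Stand-in for the management API; the "sensitive" payload is a constructed string.
        if command == "get_managed_config":
            return f"config-for-managed-devices[constructed,requested-by={serial}]"
        raise ValueError(f"unknown command: {command}")


def denied_attempts(registry: DeviceRegistry) -> dict:
    """Count hardened-handler denials per serial: the signal a defender would alert on."""
    counts: dict = {}
    for line in registry.audit_log:
        if line.startswith("deny "):
            serial = line.split()[1].split("=", 1)[1]
            counts[serial] = counts.get(serial, 0) + 1
    return counts


def demo() -> dict:
    """Walk a rogue device through both handlers and report what each returned."""
    registry = DeviceRegistry()
    registry.register("FG-LEGIT-0001", "vendor-ca")
    registry.authorize("FG-LEGIT-0001")
    # Rogue device: genuine vendor certificate, never approved by this organisation.
    registry.register("FG-ROGUE-9999", "vendor-ca")

    results = {}
    # Weak path: the unauthorized device reads managed-device configuration anyway.
    results["weak_rogue"] = registry.api_command_weak("FG-ROGUE-9999", "get_managed_config")
    # Hardened path: same device, same request, refused and logged.
    try:
        registry.api_command_hardened("FG-ROGUE-9999", "get_managed_config")
        results["hardened_rogue"] = "allowed"
    except PermissionError:
        results["hardened_rogue"] = "denied"
    # Hardened path still serves the approved device.
    results["hardened_legit"] = registry.api_command_hardened("FG-LEGIT-0001", "get_managed_config")
    results["denials"] = denied_attempts(registry)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design choice worth noting is that `register` and `authorize` are separate steps with separate actors: the device can get itself into the table by presenting a certificate, but only an administrator can flip its state, and the API handler checks the state rather than mere presence in the table. Denials are written to the audit log so that repeated attempts from an unapproved serial stand out as a detectable event rather than silently succeeding.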

“At this stage, we have not received reports of any low-level system installations of malware or backdoors on these compromised FortiManager systems. To the best of our knowledge, there have been no indicators of modified databases, or connections and modifications to the managed devices,” the vendor wrote in a security advisory for CVE-2024-47575.

Fortinet has since released patches to address the flaw, urging users to update their systems immediately.

Mandiant said that a threat actor, tracked as UNC5820, has been actively exploiting FortiManager devices since June 27, 2024. UNC5820 was able to stage and exfiltrate detailed configuration data of FortiGate devices managed by compromised FortiManager servers. The configuration data includes critical details such as users’ information and their FortiOS256-hashed passwords, which could enable UNC5820 to compromise FortiManager devices further, move laterally to the managed Fortinet devices, and potentially infiltrate broader enterprise environments.

At present, Mandiant’s investigation has not identified the specific API requests UNC5820 used to exploit the vulnerability. Additionally, there is no evidence to suggest that the threat actor has leveraged the stolen configuration data to compromise the enterprise environment beyond FortiManager devices.
