{
	"id": "41120ede-53ba-43b7-8f5c-584e197c165f",
	"created_at": "2026-04-06T00:08:48.978727Z",
	"updated_at": "2026-04-10T13:12:26.598709Z",
	"deleted_at": null,
	"sha1_hash": "758dcbf5173c54dc4051fcd2bf187379a777ccb5",
	"title": "Investigating FortiManager Zero-Day Exploitation (CVE-2024-47575)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 419067,
	"plain_text": "Investigating FortiManager Zero-Day Exploitation (CVE-2024-47575)\r\nBy Mandiant\r\nPublished: 2024-10-24 · Archived: 2026-04-02 11:02:03 UTC\r\nWritten by: Foti Castelan, Max Thauer, JP Glab, Gabby Roncone, Tufail Ahmed, Jared Wilson\r\nSummary\r\nIn October 2024, Mandiant collaborated with Fortinet to investigate the mass exploitation of FortiManager\r\nappliances across 50+ potentially compromised FortiManager devices in various industries. The vulnerability,\r\nCVE-2024-47575 / FG-IR-24-423, allows a threat actor to use an unauthorized, threat actor-controlled\r\nFortiManager device to execute arbitrary code or commands against vulnerable FortiManager devices.\r\nMandiant observed a new threat cluster we now track as UNC5820 exploiting the FortiManager vulnerability as\r\nearly as June 27, 2024. UNC5820 staged and exfiltrated the configuration data of the FortiGate devices managed\r\nby the exploited FortiManager. This data contains detailed configuration information of the managed appliances as\r\nwell as the users and their FortiOS256-hashed passwords. This data could be used by UNC5820 to further\r\ncompromise the FortiManager, move laterally to the managed Fortinet devices, and ultimately target the enterprise\r\nenvironment.\r\nAt this time, the data sources analyzed by Mandiant did not record the specific requests that the threat actor used\r\nto leverage the FortiManager vulnerability. Additionally, at this stage of our investigations there is no evidence\r\nthat UNC5820 leveraged the obtained configuration data to move laterally and further compromise the\r\nenvironment. 
As a result, at the time of publishing, we lack sufficient data to assess actor motivation or location.\r\nAs additional information becomes available through our investigations, Mandiant will update this blog’s\r\nattribution assessment.\r\nOrganizations that may have their FortiManager exposed to the internet should conduct a forensic investigation\r\nimmediately.\r\nExploitation Details\r\nMandiant’s earliest observed exploitation attempt occurred on June 27, 2024. On that day, multiple FortiManager\r\ndevices received inbound connections from the IP address 45[.]32[.]41[.]202 on the default port TCP/541. At\r\napproximately the same time, the file system recorded the staging of various Fortinet configuration files in a Gzip-compressed archive named /tmp/.tm. This archive contained the files and folders as listed in Table 1.\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/fortimanager-zero-day-exploitation-cve-2024-47575/\r\nPage 1 of 8\r\nFilename | Description\r\n/var/dm/RCS | Folder containing configuration files of managed FortiGate devices\r\n/var/dm/RCS/revinfo.db | Database containing additional information on the managed FortiGate devices\r\n/var/fds/data/devices.txt | List of FortiGate serials and their corresponding IP addresses\r\n/var/pm2/global.db | Global database that contains object configurations, policy packages, and header and footer sensor configuration for IPS\r\n/var/old_fmversion | Current FortiManager version, build, and branch information\r\nTable 1: Content of /tmp/.tm\r\nOn Sept. 23, 2024, Mandiant observed a second exploitation attempt with the same indicators. In both exploitation\r\nevents, outbound network traffic occurred shortly after the archive creation. The number of bytes sent to the\r\nrespective destination IP addresses is slightly larger than the size of the archive. 
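The staging-then-exfiltration pattern described above can be checked mechanically against file-integrity and flow telemetry. The following Python script is an added example written for this page, not code from Mandiant or Fortinet: it joins archive write events with outbound flows to external addresses that start within a short window and carry at least the archive's size. The event tuples are constructed from the Table 2 figures plus invented benign controls; the tuple layout, the 60-second window and the 10% size tolerance are assumptions, not a format the appliance emits.

```python
# Added example (not from the Mandiant post). Correlates staging of an archive
# such as /tmp/.tm with an outbound transfer of comparable size that follows
# within a short window, the pattern the post shows in Table 2.
from datetime import datetime, timedelta

# Constructed file events: (timestamp, path, size in bytes or None if unknown).
FILE_EVENTS = [
    ('2024-06-27 12:44:04', '/tmp/.tm', None),
    ('2024-09-23 11:31:12', '/tmp/.tm', 1772650),
    ('2024-09-23 12:00:00', '/var/log/other.log', 4096),  # benign control
]

# Constructed outbound flows: (timestamp, destination IP, destination port, bytes sent).
FLOWS = [
    ('2024-06-27 12:44:11', '195.85.114.78', 443, 1819425),
    ('2024-09-23 11:31:19', '104.238.141.143', 443, 1822968),
    ('2024-09-23 12:00:05', '10.0.0.5', 443, 4200),        # internal, ignored
    ('2024-09-23 12:30:00', '203.0.113.9', 443, 90000),    # outside the window
]

# Paths whose creation or modification counts as staging (assumption).
STAGING_PATHS = {'/tmp/.tm'}


def parse_ts(text):
    return datetime.strptime(text, '%Y-%m-%d %H:%M:%S')


def is_internal(ip):
    # RFC 1918 check on dotted quads; sufficient for the constructed sample.
    octets = ip.split('.')
    if octets[0] == '10':
        return True
    if octets[0] == '192' and octets[1] == '168':
        return True
    return octets[0] == '172' and 16 <= int(octets[1]) <= 31


def correlate(file_events, flows, window_s=60, tolerance=0.10):
    '''Return one alert per (staging event, external flow) pair where the flow
    starts 0..window_s seconds after the file write and, when the archive size
    is known, carries between 1.0x and (1+tolerance)x that many bytes. The upper
    bound absorbs TLS and framing overhead; the lower bound rejects transfers
    too small to hold the archive. An unknown size falls back to timing only
    and is reported with lower confidence.'''
    alerts = []
    for f_ts, path, size in file_events:
        if path not in STAGING_PATHS:
            continue
        t0 = parse_ts(f_ts)
        for n_ts, dst, port, sent in flows:
            delta = parse_ts(n_ts) - t0
            if delta < timedelta(0) or delta > timedelta(seconds=window_s):
                continue
            if is_internal(dst):
                continue
            if size is not None and not (size <= sent <= size * (1 + tolerance)):
                continue
            alerts.append({
                'staged': path,
                'staged_at': f_ts,
                'dst': dst + ':' + str(port),
                'bytes_sent': sent,
                'lag_s': int(delta.total_seconds()),
                'confidence': 'high' if size is not None else 'medium',
            })
    return alerts


if __name__ == '__main__':
    for alert in correlate(FILE_EVENTS, FLOWS):
        print(alert)
```

On the constructed input this yields two alerts, one per exploitation attempt, each with a 7-second lag; the June event carries medium confidence because the archive size was not recorded. In production the file events would come from a file-integrity monitor or the FortiManager file system timeline and the flows from NetFlow or firewall logs, and the window should be widened if those sources are not clock-synchronised.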
Table 2 lists the details of this\r\nactivity.\r\nTimestamp | Description | Size\r\n2024-06-27 12:44:04 | /tmp/.tm (file creation) | Unknown\r\n2024-06-27 12:44:11 | Outbound traffic to 195[.]85[.]114[.]78:443 | 1,819,425 bytes\r\n2024-09-23 11:31:12 | /tmp/.tm (file modification) | 1,772,650 bytes\r\n2024-09-23 11:31:19 | Outbound traffic to 104[.]238[.]141[.]143:443 | 1,822,968 bytes\r\nTable 2: Correlation of staged configuration data and outbound traffic of the two exploitation attempts\r\nDuring the second exploitation attempt, the threat actor’s device was registered to the targeted FortiManager.\r\nFigure 1 lists the unauthorized FortiManager in the Global Objects database along with the timestamp when it was\r\nadded.\r\nFigure 1: Threat actor’s device added to Global Objects database\r\nOnce the threat actor successfully exploited the FortiManager, their unknown Fortinet device appeared in the\r\nFortiManager console.\r\nFigure 2: Unauthorized device listed in FortiManager console\r\nAn additional indicator of successful exploitation is the addition of the unauthorized device serial number “FMG-VMTM23017412” and its corresponding IP address 45[.]32[.]41[.]202 to the file /fds/data/unreg_devices.txt.\r\nFigure 3 lists the content of this file.\r\nFMG-VMTM23017412|45.32.41.202\r\nFigure 3: Content of /fds/data/unreg_devices.txt\r\nThe files /fds/data/subs.dat and /fds/data/subs.dat.tmp contain additional indicators of the exploitation that include\r\nan associated disposable email address and a company name as listed in Figure 4.\r\nSerialNumber=FMG-VMTM23017412|AccountID=\r\n0qsc137p@justdefinition.com|Company=Purity Supreme|UserID=1756868\r\nFigure 4: Content of /fds/data/subs.dat\r\nMandiant scraped the FortiManager’s memory image for additional artifacts of threat actor activity and detected a\r\nJSON blob containing the keywords “FMG-VMTM23017412” 
and “45[.]32[.]41[.]202”. This JSON blob also\r\nincluded a “first_tunnel_up” key, which contained the epoch time of 1726999303 as its value. This timestamp\r\ntranslates to 2024-09-22 10:01:43 UTC.\r\nFigure 5: Tunnel up artifacts\r\nLack of Follow-On Malicious Activity\r\nMandiant reviewed the rootfs.gz, which is an initramfs (RAM disk) for the device that gets mounted to /bin. We\r\ndid not find any malicious files created or modified during the time frame of exploitation activity.\r\nGoogle Cloud notified affected customers who showed similar activity in their environments. Additionally,\r\nGoogle Threat Intelligence ran retrohunts while developing detections for this activity, and manually escalated\r\nPre-Release Detection Rule alerts to affected SecOps customers to assist with detecting exploit attempts of\r\nFortinet devices.\r\nFigure 6: Pre-Release Detection Rule — Suspected Zero Day Exploitation of Fortinet Device\r\nIn addition to collaborating with Mandiant, Fortinet proactively sent advance communications to its customers as\r\nan early warning on their advisory to enable customers to strengthen their security posture prior to broad public\r\ndisclosure.\r\nTimeline of Threat Actor Activity\r\nTimestamp | Event\r\n2024-06-27 12:44:04 | Inbound network connection from 45[.]32[.]41[.]202. File creation: /tmp/.tm\r\n2024-06-27 12:44:07 | Outbound network connection to 45[.]32[.]41[.]202 on port 443\r\n2024-06-27 12:44:11 | Outbound network connection to 195[.]85[.]114[.]78 on port 443. The bytes sent are approximately equal to the size of /tmp/.tm\r\n2024-09-22 10:01:47 | Inbound network connection from 45[.]32[.]41[.]202\r\n2024-09-22 10:01:50 | Outbound network connections to 158[.]247[.]199[.]37:443 and 45[.]32[.]41[.]202:443. The connections to 158[.]247[.]199[.]37 were denied\r\n2024-09-22 10:02:21 | String indicating exploitation in /log/locallog/elog: msg=\"Unregistered device localhost add succeeded\"\r\n2024-09-22 10:02:55 | File modified: /fds/data/unreg_devices.txt. Contents: “FMG-VMTM23017412|45.32.41.202”\r\n2024-09-22 10:07:36 | String indicating exploitation in /log/locallog/elog: changes=\"Edited device settings (SN FMG-VMTM23017412)\"\r\n2024-09-23 11:31:12 | Inbound network connection to destination port 541 from 45[.]32[.]41[.]202. File modified: /tmp/.tm\r\n2024-09-23 11:31:16 | Outbound network connection to 104[.]238[.]141[.]143. The bytes sent are approximately equal to the size of /tmp/.tm\r\nTable 3: Timeline of activity\r\nMitigation Strategies / Workaround\r\n1. Limit access to the FortiManager admin portal to approved internal IP addresses only.\r\n2. Only allow permitted FortiGate addresses to communicate with FortiManager.\r\n3. Deny unknown FortiGate devices from being associated with FortiManager.\r\nAvailable in 7.2.5, 7.0.12, 7.4.3 and later (not a functional workaround on 7.6.0).\r\nconfig system global\r\n set fgfm-deny-unknown enable\r\nend\r\nFigure 7: Configuration to deny unknown devices\r\nRelevant Rules\r\nSuspicious FortiManager Inbound and Outbound Connection\r\nUNC5820 Fortinet Exploitation and File Download\r\nUNC5820 Fortinet Exploitation and non-HTTPS Command and Control\r\nUNC5820 Fortinet Exploitation and HTTPS Command and Control\r\nOther SIEMs\r\nDevelop searches against FortiGuard logs for the following relevant IOCs. 
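The searches suggested in this section (IOC matching, thresholds on Add device and Modify device operations, the Unregistered keyword in the changes field, and a daily device inventory) can be prototyped before the SIEM content exists. The Python below is an added example written for this page, not a Mandiant or Fortinet detection rule: it parses FortiManager-style key=value log lines and raises the four alert types. The log lines are constructed around the msg= and changes= strings quoted in this post; the surrounding field names (date, time, user, operation), the known-serial inventory and the thresholds are assumptions.

```python
# Added example (not from the Mandiant post). Runs the detection guidance from
# the Other SIEMs section over constructed FortiManager-style log lines.
QUOTE = '\"'  # a literal double-quote character

# IOCs from the post.
IOC_SERIALS = {'FMG-VMTM23017412'}
IOC_IPS = {'45.32.41.202', '104.238.141.143', '158.247.199.37', '195.85.114.78'}
# Operations that should be rare in a stable estate (assumption: baseline them first).
RARE_OPERATIONS = {'Add device', 'Modify device'}

# Constructed sample lines; only the msg= and changes= values come from the post.
LOG_LINES = [
    'date=2024-09-22 time=10:02:21 user=localhost operation=\"Add device\" msg=\"Unregistered device localhost add succeeded\"',
    'date=2024-09-22 time=10:02:55 user=localhost operation=\"Modify device\" changes=\"Added unregistered device to unregistered table.\"',
    'date=2024-09-22 time=10:07:36 user=admin operation=\"Modify device\" changes=\"Edited device settings (SN FMG-VMTM23017412)\"',
    'date=2024-09-23 time=08:00:00 user=admin operation=\"Login\" msg=\"Administrator admin logged in\"',
]


def parse_kv(line):
    '''Parse space-separated key=value pairs; values may be double-quoted and
    may then contain spaces. Returns a dict.'''
    fields = {}
    i, n = 0, len(line)
    while i < n:
        while i < n and line[i] == ' ':
            i += 1
        eq = line.find('=', i)
        if eq < 0:
            break
        key = line[i:eq]
        i = eq + 1
        if i < n and line[i] == QUOTE:
            end = line.find(QUOTE, i + 1)
            end = n if end < 0 else end
            fields[key] = line[i + 1:end]
            i = end + 1
        else:
            end = line.find(' ', i)
            end = n if end < 0 else end
            fields[key] = line[i:end]
            i = end
    return fields


def extract_serial(text):
    '''Pull the serial out of a changes= value of the form Edited device settings (SN X).'''
    marker = '(SN '
    start = text.find(marker)
    if start < 0:
        return None
    end = text.find(')', start)
    return None if end < 0 else text[start + len(marker):end]


def detect(lines, known_serials, op_threshold=1):
    '''Return (alert_type, severity, detail) tuples for the four checks.'''
    alerts = []
    op_counts = {}
    for line in lines:
        f = parse_kv(line)
        text = f.get('msg', '') + ' ' + f.get('changes', '')
        # 1. High-fidelity hit on the actor's device serial or infrastructure.
        if any(s in line for s in IOC_SERIALS) or any(ip in line for ip in IOC_IPS):
            alerts.append(('ioc_match', 'high', line))
        # 2. Any mention of an unregistered device in msg= or changes=.
        if 'unregistered' in text.lower():
            alerts.append(('unregistered_device', 'medium', text.strip()))
        # 3. Count rare operations for a per-batch threshold.
        op = f.get('operation', '')
        if op in RARE_OPERATIONS:
            op_counts[op] = op_counts.get(op, 0) + 1
        # 4. A device serial that is not in the previous day's inventory.
        serial = extract_serial(text)
        if serial and serial not in known_serials:
            alerts.append(('unknown_serial', 'medium', serial))
    for op, count in op_counts.items():
        if count > op_threshold:
            alerts.append(('rare_operation_spike', 'low', op + ' x' + str(count)))
    return alerts


if __name__ == '__main__':
    # Constructed inventory of legitimate managed devices (assumption).
    for alert in detect(LOG_LINES, {'FGT60FTK20000001'}):
        print(alert)
```

Run against the sample, the script raises one IOC match, two unregistered-device alerts, one unknown serial, and one spike for Modify device. The op_threshold should be set from a baseline of your own elog volume; on an appliance where devices are added weekly, a threshold of one per day is too noisy and a count over a longer window is the better signal.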
In particular, the Malicious Fortinet\r\nDevice ID should provide a high fidelity alert if triggered.\r\nBaseline and set thresholds for unique operations in the FortiManager logs. In particular, operations for “Add\r\ndevice” and “Modify device” may be rare enough for your organization to provide an actionable alert until this\r\nvulnerability can be patched.\r\nSimilarly, baseline and set thresholds for the changes field in the FortiManager logs, and consider a higher\r\nsensitivity when the changes field includes the word ‘Unregistered’.\r\nEnumerate the FortiGate devices daily, and alert when a previously unseen device name is observed in the logs.\r\nIndicators of Compromise (IOCs)\r\nA Google Threat Intelligence Collection of IOCs is available for registered users.\r\nNetwork-Based IOCs\r\nIOC | Description\r\n45.32.41.202 | UNC5820\r\n104.238.141.143 | UNC5820\r\n158.247.199.37 | UNC5820\r\n195.85.114.78 | UNC5820\r\nHost-Based IOCs\r\nIOC | Description\r\n.tm | Archive of config files\r\n9DCFAB171580B52DEAE8703157012674 | MD5 hash of unreg_devices.txt\r\nAdditional Keywords\r\nKeyword | Description\r\nFMG-VMTM23017412 | Malicious Fortinet Device ID\r\nmsg=\"Unregistered device localhost add succeeded\" | String indicating exploitation in /log/locallog/elog\r\nchanges=\"Edited device settings (SN FMG-VMTM23017412)\" | String indicating exploitation in /log/locallog/elog\r\nchanges=\"Added unregistered device to unregistered table.\" | String indicating exploitation in /log/locallog/elog\r\n0qsc137p@justdefinition.com | Observed in subs.dat and subs.dat.tmp. This is a disposable email address created by the threat actor.\r\nPurity Supreme | Observed in subs.dat and subs.dat.tmp\r\nAcknowledgements\r\nWe would like to thank Nick Simonian and Ronnie Salomonsen for their contributions.\r\nWebinar\r\nTwo authors of this blog post, Foti Castelan and Max Thauer, will be presenting additional details and mitigation\r\nstrategies during a Nov. 6 webinar. Register now to learn more about this threat, and how to defend against it.\r\nPosted in\r\nThreat Intelligence\r\nSource: https://cloud.google.com/blog/topics/threat-intelligence/fortimanager-zero-day-exploitation-cve-2024-47575/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://cloud.google.com/blog/topics/threat-intelligence/fortimanager-zero-day-exploitation-cve-2024-47575/"
	],
	"report_names": [
		"fortimanager-zero-day-exploitation-cve-2024-47575"
	],
	"threat_actors": [
		{
			"id": "3bb0ca76-1bfd-4944-a16b-7555d8280e5d",
			"created_at": "2024-11-03T02:00:03.642141Z",
			"updated_at": "2026-04-10T02:00:03.735188Z",
			"deleted_at": null,
			"main_name": "UNC5820",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC5820",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434128,
	"ts_updated_at": 1775826746,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/758dcbf5173c54dc4051fcd2bf187379a777ccb5.pdf",
		"text": "https://archive.orkl.eu/758dcbf5173c54dc4051fcd2bf187379a777ccb5.txt",
		"img": "https://archive.orkl.eu/758dcbf5173c54dc4051fcd2bf187379a777ccb5.jpg"
	}
}