BleepingComputer reports that more than 50 Fortinet FortiManager appliances have already been compromised by the threat actor UNC5820 in attacks exploiting the FortiJump zero-day flaw, tracked as CVE-2024-47575, with the earliest observed exploitation dating to late June.
According to a report from Google Cloud Mandiant, the intrusions exfiltrated from the compromised FortiManager appliances the configuration data of the managed FortiGate devices, user information, and FortiOS256-hashed passwords. "This data could be used by UNC5820 to further compromise the FortiManager, move laterally to the managed Fortinet devices, and ultimately target the enterprise environment," said Mandiant researchers, who added that they found no evidence of additional payload deployment, system file tampering, or lateral movement using the stolen data. The findings come less than a day after Fortinet publicly disclosed active zero-day exploitation of the vulnerability, a missing-authentication flaw in the FortiGate to FortiManager (FGFM) protocol API. Fortinet had privately notified organizations using the affected devices about the issue 10 days earlier.