Fortinet has alerted customers to four new indicators of compromise (IoCs) related to a widely exploited zero-day vulnerability in its FortiManager network and security management tool. The critical vulnerability, CVE-2024-47575, was first disclosed last week and is being actively exploited in the wild, affecting a variety of organizations across multiple sectors. With a CVSS score of 9.8, this vulnerability allows remote, unauthenticated attackers to execute arbitrary commands, potentially leading to data theft.
Fortinet and security researchers, including Mandiant, have been monitoring exploitation patterns, noting that at least 50 organizations have already been impacted in what’s described as a “mass exploitation” event. While Fortinet initially released workarounds to address the vulnerability, the discovery of additional IoCs highlights an evolving threat landscape. As a precaution, the Cybersecurity and Infrastructure Security Agency (CISA) has issued alerts, urging impacted organizations to apply Fortinet’s mitigations.
Despite these efforts, more than 4,000 FortiManager admin portals remain publicly exposed, according to security firm Censys. This broad exposure persists even as organizations attempt to patch and limit access to their devices. Fortinet, collaborating with CISA, continues to stress the importance of applying patches and workarounds, warning that delaying remediation could allow attackers to leverage the vulnerability to steal data such as IP addresses, credentials, and the FortiGate configuration data managed by compromised FortiManager systems.