
Critical RCE in Fortinet FortiManager Exploited by Chinese APT Group

A critical unauthenticated RCE vulnerability in FortiManager is being exploited by a Chinese-nexus threat actor to compromise managed Fortinet devices across government and defense networks.

Sebastion

CVE References: CVE-2025-36012

Affected: Fortinet FortiManager

What happened: Fortinet disclosed a critical unauthenticated remote code execution vulnerability in FortiManager that is under active exploitation. Mandiant attributed the exploitation campaign to a Chinese-nexus advanced persistent threat group tracked as UNC5221, which has been leveraging the vulnerability to gain control of FortiManager instances and subsequently push malicious configurations to managed FortiGate firewalls. The attackers used this centralized management access to establish persistent backdoor access across victim networks.

Technical details: CVE-2025-36012 is a deserialization vulnerability in the FortiManager FGFM (FortiGate-to-FortiManager) protocol handler. An attacker can send specially crafted FGFM messages to the FortiManager service without authentication, triggering unsafe deserialization that leads to remote code execution as root. Post-exploitation, the threat actor was observed registering rogue FortiGate devices with the compromised FortiManager, then using the management plane to push configuration changes to legitimate managed firewalls, including adding administrative accounts, enabling remote access, and modifying firewall rules to allow attacker traffic.

Who is affected: Organizations using FortiManager for centralized Fortinet device management. Government agencies, defense contractors, and critical infrastructure operators are particularly targeted. The impact is amplified because compromising FortiManager gives the attacker the ability to control all managed FortiGate devices, potentially affecting network perimeters across an entire organization.

What defenders should do: Patch FortiManager immediately. Restrict FGFM protocol access to only known FortiGate device IP addresses. Audit managed FortiGate devices for unauthorized configuration changes, new admin accounts, or modified firewall rules. Review FortiManager logs for unauthorized device registrations. If compromise is suspected, rebuild FortiManager from scratch and re-establish trust with managed devices using new certificates.
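One way to carry out the audit step above, as an added example that is not Fortinet's or the bulletin's own code: it parses an abbreviated FortiGate-style CLI export (a constructed sample, not real device output) and diffs admin accounts and firewall policies against a trusted baseline snapshot, flagging anything added or changed.

```python
# Trusted baseline snapshot of a managed FortiGate, already parsed (constructed sample).
BASELINE = {"system admin": {"admin": {"accprofile": "super_admin"}},
            "firewall policy": {"1": {"action": "deny"}}}
# Constructed, abbreviated FortiGate-style CLI export of the same device after the incident:
# a new super_admin with no trusted-host restriction, and policy 1 flipped from deny to accept.
CURRENT = """\
config system admin
  edit "admin"
    set accprofile "super_admin"
  next
  edit "support"
    set accprofile "super_admin"
    set trusthost1 0.0.0.0 0.0.0.0
  next
end
config firewall policy
  edit 1
    set action accept
  next
end
"""
def parse_config(text):
    # Parse 'config S / edit E / set K V / next / end' into {S: {E: {K: V}}} (no nested sub-sections).
    tree, section, entry = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("config "):
            section = tree.setdefault(line[7:], {})
        elif line.startswith("edit ") and section is not None:
            entry = section.setdefault(line[5:].strip('"'), {})
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[4:].partition(" ")
            entry[key] = value.strip('"')
        elif line == "next":
            entry = None
        elif line == "end":
            section = None
    return tree

def audit(baseline, current_text):
    # Flag admin accounts and firewall policies that are new or changed vs. the baseline.
    cur, findings = parse_config(current_text), []
    for section in ("system admin", "firewall policy"):
        for name, attrs in cur.get(section, {}).items():
            old = baseline.get(section, {}).get(name)
            if old is None:
                findings.append(f"{section}: '{name}' added {attrs}")
            findings += [f"{section}: '{name}' {k} {old.get(k)!r} -> {v!r}"
                         for k, v in attrs.items() if old is not None and old.get(k) != v]
    return findings
```

Running `audit(BASELINE, CURRENT)` reports the rogue "support" account and the flipped policy; a clean export diffed against its own snapshot returns an empty list.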

Broader implications: The compromise of centralized management platforms like FortiManager represents a force-multiplier for threat actors, turning a single vulnerability into network-wide access. This follows the pattern seen with SolarWinds and other management plane attacks. Organizations must treat network management infrastructure with the highest security priority and consider out-of-band monitoring for detecting unauthorized changes pushed through management channels.