A new threat cluster, UNC5820, has been observed exploiting a zero-day vulnerability in FortiManager appliances across multiple industries. The vulnerability allows unauthorized execution of arbitrary code or commands on vulnerable devices. The attackers staged and exfiltrated configuration data from managed FortiGate devices, potentially enabling further compromise. Exploitation attempts were first detected on June 27, 2024, with a second attempt on September 23, 2024. The threat actor added an unauthorized device to the FortiManager console and exfiltrated compressed archives containing sensitive configuration files. While no evidence of lateral movement has been found, organizations with exposed FortiManager devices are urged to conduct immediate forensic investigations.