Introduction
Fortinet has disclosed a critical zero-day vulnerability [3] [4], CVE-2024-55591 [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11], affecting its FortiGate firewalls [3] [6], FortiOS [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11], and FortiProxy systems [1] [2] [3] [5] [6] [7] [9] [10]. This vulnerability allows unauthenticated remote attackers to gain super-admin privileges [1] [5] [6], posing significant security risks to organizations with exposed management interfaces. The exploitation of this flaw has led to unauthorized code execution and the creation of rogue administrative accounts, necessitating urgent mitigation measures.
Description
CVE-2024-55591 [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] is an authentication bypass [1] [2] [3] [4] [6] [7] [8] [9] [11] in FortiOS, the operating system of FortiGate firewalls [3] [6], and in FortiProxy [1] [2] [3] [5] [6] [7] [9] [10]. It is classified as CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and carries a CVSS score of 9.8 [1] [3] [10] [11]. An unauthenticated remote attacker can obtain super-admin privileges by sending specially crafted requests to the Node.js WebSocket module [1] [2] [3] [5] [8] [9]; from there the attacker can execute unauthorized code or commands and create randomly named administrator or local user accounts on the compromised device. Affected releases are FortiOS 7.0.0 through 7.0.16 and FortiProxy 7.0.0 through 7.0.19 [3] [5] [6] [7] [10], as well as FortiProxy 7.2.0 through 7.2.12 [10].
Since at least mid-November 2024 [8], a significant exploitation campaign has targeted organizations whose FortiGate management interfaces are exposed to the internet. Scanning was detected as early as November 16, 2024 [2]. Attackers then logged in as admin through the jsconsole feature of the FortiOS web management interface [2], with the resulting login events recording spoofed source IP addresses [2]. The campaign progressed through several phases: scanning [8], reconnaissance [8] [9] [11], unauthorized administrative logins [4] [11], SSL VPN configuration [8] [9] [11], and lateral movement within victim networks [10] [11]. Attackers created rogue administrative accounts, modified firewall policies [10], established SSL VPN tunnels [2] [10], and ran DCSync attacks, which abuse domain replication to pull user credentials from domain controllers [2]. The rogue accounts were six-character alphanumeric Admin and Local user accounts [1], with observed examples including Gujhmk [1], Ed8x4k [1], G0xgey [1], and Pvnw81 [1]. Such accounts were added to existing or newly created SSL VPN user groups [4], enabling further changes to firewall policies and settings [4].
Fortinet has confirmed reports of exploitation [11], although the scope and attribution of the attacks remain unclear [11]. Fortinet published security advisory FG-IR-24-535 on January 14, 2025 [8], which addresses the vulnerability [1] [2] [4] [7] [8] [9] [10], lists indicators of compromise (IoCs) such as attacker IP addresses and log entries, and gives workaround steps for those unable to patch immediately [8] [9]. To mitigate the risk [3], upgrade FortiOS to 7.0.17 or above, the first release after the affected 7.0.0 to 7.0.16 range [3] [10], FortiProxy 7.0 to 7.0.20 or above [3] [6] [10], and FortiProxy 7.2 to 7.2.13 or above [3] [10]. Organizations that cannot patch immediately [6] [10] should disable the HTTP/HTTPS administrative interface or restrict access to it with local-in policies [2] [10]; security researchers stress the urgency of removing management access from public-facing interfaces [4]. The most commonly observed attacker IP addresses are 45.55.158.47, 87.249.138.47, 155.133.4.175, 37.19.196.65, and 149.22.94.37 [1].
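The IoCs published for this campaign are log-based, so a practical first step on any FortiGate that was exposed during the window is to sweep its event logs for them. The script below is an added example, not code from the Fortinet advisory or from any of the cited sources. It parses FortiOS key=value event lines and flags three things: a successful admin login via jsconsole from a source that is not a trusted management host (the campaign's jsconsole logins carried spoofed source addresses), the creation of a system.admin or user.local object with a six-character alphanumeric name, and any event sourced from the attacker IPs listed above. The sample log lines are constructed to resemble FortiOS event syntax, and the TRUSTED_ADMIN_SOURCES set is an assumption; check both against an export from your own device before relying on the rules.

```python
"""Sweep FortiOS event logs for CVE-2024-55591 post-exploitation indicators.

Added example; not code from Fortinet or the cited sources. The sample log
lines are constructed to resemble FortiOS key=value event syntax.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Attacker source IPs listed in the article as most commonly observed.
KNOWN_ATTACKER_IPS = {
    "45.55.158.47", "87.249.138.47", "155.133.4.175",
    "37.19.196.65", "149.22.94.37",
}

# ASSUMPTION: hosts from which interactive admin logins are expected.
TRUSTED_ADMIN_SOURCES = {"10.0.0.5"}

# Rogue accounts in the campaign had six-character alphanumeric names
# (Gujhmk, Ed8x4k, ...). This is a heuristic: a legitimate name such as
# "backup" also matches, so treat hits as review items, not verdicts.
RANDOM_NAME = re.compile(r"^[A-Za-z0-9]{6}$")

# key=value or key="quoted value" pairs, as FortiOS writes them.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str
    line_no: int


def parse_event(line: str) -> dict[str, str]:
    """Split one FortiOS event line into a field dict, stripping quotes."""
    return {key: quoted or bare for key, quoted, bare in KV.findall(line)}


def check_event(ev: dict[str, str], line_no: int) -> list[Finding]:
    findings: list[Finding] = []
    src = ev.get("srcip", "")
    ui = ev.get("ui", "")

    # Any event sourced from a known attacker address.
    if src in KNOWN_ATTACKER_IPS:
        findings.append(Finding("known-attacker-ip", src, line_no))

    # Successful admin login via jsconsole from an untrusted source. The
    # campaign's jsconsole logins carried spoofed (e.g. loopback) srcip values.
    if (ev.get("action") == "login" and ev.get("status") == "success"
            and ui.startswith("jsconsole") and src not in TRUSTED_ADMIN_SOURCES):
        findings.append(Finding("jsconsole-login-untrusted-src",
                                f"user={ev.get('user')} srcip={src}", line_no))

    # Creation of an admin or local user whose name fits the random pattern.
    if (ev.get("action") == "Add"
            and ev.get("cfgpath") in {"system.admin", "user.local"}
            and RANDOM_NAME.match(ev.get("cfgobj", ""))):
        findings.append(Finding("random-account-created",
                                f"{ev['cfgpath']} {ev['cfgobj']}", line_no))
    return findings


def hunt(log_text: str) -> list[Finding]:
    """Run every rule over each non-empty line; findings keep input order."""
    out: list[Finding] = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        if line.strip():
            out.extend(check_event(parse_event(line), n))
    return out


# Constructed sample: a benign login, a jsconsole login with a spoofed source,
# two rogue account creations, a login from an attacker IP, and a benign
# account creation that must not fire.
SAMPLE_LOG = """\
date=2025-01-10 time=02:11:40 logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" ui="https(10.0.0.5)" method="https" srcip=10.0.0.5 dstip=10.0.0.1 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from https(10.0.0.5)"
date=2025-01-10 time=03:14:07 logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" ui="jsconsole" method="jsconsole" srcip=127.0.0.1 dstip=10.0.0.1 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from jsconsole"
date=2025-01-10 time=03:14:09 logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="jsconsole" action="Add" cfgtid=1 cfgpath="system.admin" cfgobj="Gujhmk" cfgattr="accprofile[super_admin]" msg="Add system.admin Gujhmk"
date=2025-01-10 time=03:15:30 logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="jsconsole" action="Add" cfgtid=2 cfgpath="user.local" cfgobj="Ed8x4k" cfgattr="type[password]" msg="Add user.local Ed8x4k"
date=2025-01-10 time=03:20:02 logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="Gujhmk" ui="https(45.55.158.47)" method="https" srcip=45.55.158.47 dstip=10.0.0.1 action="login" status="success" reason="none" profile="super_admin" msg="Administrator Gujhmk logged in successfully from https(45.55.158.47)"
date=2025-01-10 time=09:00:00 logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="https(10.0.0.5)" action="Add" cfgtid=3 cfgpath="system.admin" cfgobj="helpdesk_ro" cfgattr="accprofile[prof_admin]" msg="Add system.admin helpdesk_ro"
"""

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.rule} ({f.detail})")
```

Run it against a FortiAnalyzer or syslog export of the `event`/`system` log type rather than the constructed sample; the jsconsole rule is the highest-signal one, because ordinary administrators rarely use the CLI console widget and a loopback or public source address on that login is not something the GUI produces on its own. The random-name rule will surface legitimate short account names too, so review its hits alongside the creating user, the `ui` field, and the time of day.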
This situation underscores the importance of timely patching and robust network segmentation in limiting the impact of zero-day vulnerabilities [10]. CVE-2024-55591 is listed in CISA's Known Exploited Vulnerabilities Catalog [5], and organizations should refer to CISA's BOD 22-01 for guidance and requirements; federal agencies must apply the patch or stop using affected FortiGate products by February 4, 2025 [7]. Tenable plugins for CVE-2024-55591 can identify affected systems, and Tenable Attack Surface Management can locate public-facing Fortinet assets [8]. A range of attackers [11], including state-sponsored groups and ransomware gangs, has increasingly targeted Fortinet products [11], so the management plane of these devices deserves particular attention. Analysts recommend limiting management-interface access to trusted internal users and monitoring for suspicious activity [6], particularly logins from VPS hosting IP ranges [6]. The NHS cyber alert urges organisations to act urgently if malicious activity is detected and to contact the National CSOC for assistance [1].
Conclusion
The disclosure of CVE-2024-55591 highlights the critical need for organizations to prioritize security updates and implement robust network defenses. Immediate patching and restricting access to management interfaces are essential to mitigate the risks posed by this vulnerability. As attackers continue to exploit such vulnerabilities, organizations must remain vigilant and proactive in their cybersecurity efforts to protect sensitive data and maintain operational integrity.
References
[1] https://digital.nhs.uk/cyber-alerts/2025/cc-4604
[2] https://www.csoonline.com/article/3802722/fortinet-confirms-zero-day-flaw-used-in-attacks-against-its-firewalls.html
[3] https://www.infosecurity-magazine.com/news/fortinet-confirms-critical-zero-day/
[4] https://www.techzine.eu/news/security/127805/fortinet-zero-day-allows-hackers-to-access-corporate-networks/
[5] https://nvd.nist.gov/vuln/detail/CVE-2024-55591
[6] https://www.helpnetsecurity.com/2025/01/14/fortinet-fortigate-zero-day-vulnerability-exploited-cve-2024-55591/
[7] https://www.techradar.com/pro/security/fortinet-warns-a-critical-vulnerability-in-its-systems-could-let-attackers-breach-company-networks
[8] https://www.tenable.com/blog/cve-2024-55591-fortinet-authentication-bypass-zero-day-vulnerability-exploited-in-the-wild
[9] https://securityboulevard.com/2025/01/cve-2024-55591-fortinet-authentication-bypass-zero-day-vulnerability-exploited-in-the-wild/
[10] https://cybersecuritynews.com/fortinet-zero-day-vulnerability-cve-2024-55591/
[11] https://www.techtarget.com/searchSecurity/news/366618095/Attackers-exploiting-critical-Fortinet-zero-day-vulnerability