A critical security vulnerability affecting Fortinet’s FortiOS and FortiProxy systems has been actively exploited in the wild, allowing attackers to gain super-admin privileges.
The flaw, tracked as CVE-2024-55591, is an authentication bypass using an alternate path or channel (CWE-288): crafted requests to the Node.js WebSocket module let an unauthenticated remote attacker obtain super-admin privileges. Fortinet rates it critical with a CVSS v3 score of 9.6.
The vulnerability impacts FortiOS versions 7.0.0 through 7.0.16 and FortiProxy versions 7.0.0 through 7.0.19 as well as 7.2.0 through 7.2.12.
Exploitation allows remote attackers to bypass authentication, obtain super-admin privileges, and execute unauthorized commands on affected devices without user interaction.
Fortinet confirmed in-the-wild exploitation of this zero-day after researchers at Arctic Wolf reported a campaign, observed since mid-November 2024, against Fortinet firewalls whose management interfaces were exposed to the internet.
Attackers reportedly used the flaw to create rogue administrative accounts, modify firewall policies, and establish SSL VPN tunnels for lateral movement within victim networks.
The attack campaign unfolded in four phases:
- Vulnerability scanning (November 16–23, 2024).
- Reconnaissance (November 22–27, 2024).
- SSL VPN configuration changes (December 4–7, 2024).
- Lateral movement within networks (December 16–27, 2024).
Indicators of Compromise (IoCs)
Fortinet has shared several IoCs to help organizations identify potential breaches:
- Event logs showing a successful admin login with the UI reported as "jsconsole", with source and destination IPs that match no legitimate management session (the advisory describes them as random).
- Event logs showing new admin accounts being created under system.admin with random-looking usernames.
- Source IP addresses associated with the attacks, including 45.55.158[.]47 and 87.249.138[.]47, among others.
The following IoCs were shared by Arctic Wolf:
Indicator | Type | ASN | Organization | Observed as |
---|---|---|---|---|
23.27.140[.]65 | IPv4 address | AS149440 | Evoxt Enterprise | SSL VPN client; web management interface client |
66.135.27[.]178 | IPv4 address | AS20473 | The Constant Company LLC | SSL VPN client; web management interface client |
157.245.3[.]251 | IPv4 address | AS14061 | DigitalOcean LLC | SSL VPN client; web management interface client |
45.55.158[.]47 | IPv4 address | AS14061 | DigitalOcean LLC | SSL VPN client; web management interface client |
167.71.245[.]10 | IPv4 address | AS14061 | DigitalOcean LLC | SSL VPN client; web management interface client |
137.184.65[.]71 | IPv4 address | AS14061 | DigitalOcean LLC | SSL VPN client; web management interface client |
155.133.4[.]175 | IPv4 address | AS62240 | Clouvider Limited | SSL VPN client; web management interface client |
31.192.107[.]165 | IPv4 address | AS50867 | Hostkey B.V. | SSL VPN client |
37.19.196[.]65 | IPv4 address | AS212238 | Datacamp Limited | Web management interface client |
64.190.113[.]25 | IPv4 address | AS399629 | BL Networks | Web management interface client |
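As an added example (not code from Fortinet, Arctic Wolf, or the original article), the script below turns the IoCs above into three log-triage rules and runs them over constructed FortiOS-style event log lines: a successful admin login whose UI is jsconsole, creation of a system.admin object that is not an expected account, and any event whose source IP is on the published list. The field names follow the FortiOS key=value event log format; the sample lines, the EXPECTED_ADMINS set and the management addresses in them are assumptions.

```python
import re
from collections import defaultdict

# Source IPs listed in the article (Fortinet's advisory and Arctic Wolf's table),
# with the defanging brackets removed.
KNOWN_BAD_IPS = {
    "45.55.158.47", "87.249.138.47",
    "23.27.140.65", "66.135.27.178", "157.245.3.251", "167.71.245.10",
    "137.184.65.71", "155.133.4.175", "31.192.107.165", "37.19.196.65",
    "64.190.113.25",
}

# Admin accounts that are supposed to exist on the device (assumption; use your own list).
EXPECTED_ADMINS = {"admin", "netops"}

# FortiOS event logs are space-separated key=value pairs; values are quoted when needed.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortios_log(line):
    """Parse one FortiOS key=value log line into a dict of field -> value."""
    return {key: (quoted or bare) for key, quoted, bare in KV_RE.findall(line)}


def findings_for(ev):
    """Apply the three IoC rules from the advisory to one parsed event."""
    hits = []
    ui = ev.get("ui", "")
    srcip = ev.get("srcip", "")

    # Rule 1: successful admin login whose UI is jsconsole. Every hit deserves review;
    # a source/destination pair that matches no real management session is the tell.
    if ev.get("action") == "login" and ev.get("status") == "success" and ui.startswith("jsconsole"):
        hits.append(("jsconsole_login", f"user={ev.get('user')} srcip={srcip} dstip={ev.get('dstip')}"))

    # Rule 2: a system.admin object was added whose name is not an expected admin.
    if ev.get("action") == "Add" and ev.get("cfgpath") == "system.admin":
        name = ev.get("cfgobj", "")
        if name not in EXPECTED_ADMINS:
            hits.append(("unexpected_admin_created", f"name={name} by={ev.get('user')} ui={ui}"))

    # Rule 3: any event whose source IP is on the published IoC list.
    if srcip in KNOWN_BAD_IPS:
        hits.append(("known_bad_srcip", f"srcip={srcip} logdesc={ev.get('logdesc')}"))
    return hits


def scan(lines):
    """Run the rules over every line; returns {rule: [detail, ...]} for rules that fired."""
    results = defaultdict(list)
    for line in lines:
        for rule, detail in findings_for(parse_fortios_log(line)):
            results[rule].append(detail)
    return dict(results)


# Constructed sample lines in FortiOS event-log style (not real device output).
SAMPLE_LOGS = [
    # benign: GUI login from the management LAN
    'date=2024-12-05 time=09:12:01 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Admin login successful" user="admin" ui="https(10.0.0.5)" method="https" '
    'srcip=10.0.0.5 dstip=10.0.0.1 action="login" status="success" reason="none" profile="super_admin" '
    'msg="Administrator admin logged in successfully from https(10.0.0.5)"',
    # suspicious: jsconsole login with an arbitrary, identical source and destination IP
    'date=2024-12-05 time=09:15:44 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Admin login successful" user="admin" ui="jsconsole" method="jsconsole" '
    'srcip=1.1.1.1 dstip=1.1.1.1 action="login" status="success" reason="none" profile="super_admin" '
    'msg="Administrator admin logged in successfully from jsconsole"',
    # suspicious: random-looking admin account created from jsconsole
    'date=2024-12-05 time=09:16:02 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Object attribute configured" user="admin" ui="jsconsole(127.0.0.1)" action="Add" '
    'cfgpath="system.admin" cfgobj="vOcep" cfgattr="" msg="Add system.admin vOcep"',
    # suspicious: SSL VPN login from an address on the published IoC list
    'date=2024-12-06 time=02:40:10 type="event" subtype="vpn" level="information" vd="root" '
    'logdesc="SSL VPN login" action="ssl-login" tunneltype="ssl-web" user="vOcep" '
    'srcip=45.55.158.47 dstip=203.0.113.10 status="success"',
]

if __name__ == "__main__":
    for rule, details in scan(SAMPLE_LOGS).items():
        for detail in details:
            print(f"[{rule}] {detail}")
```

Feed it the device's exported event log (or the lines your SIEM forwards) one line per entry. Rule 1 will also fire on legitimate use of the GUI CLI console, so treat it as a review queue rather than an alert on its own; a jsconsole login followed within minutes by a system.admin add, or by SSL VPN portal changes, is the pattern Arctic Wolf describes.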
Fortinet has released patches to address the vulnerability:
- FortiOS: Upgrade to version 7.0.17 or higher.
- FortiProxy: Upgrade to version 7.2.13 or higher or 7.0.20 or higher.
Organizations that cannot patch immediately are advised to disable the HTTP/HTTPS administrative interface on internet-facing interfaces, or to restrict access to it with local-in policies.
Recommendations
Fortinet urges administrators to:
- Apply updates promptly, following the recommended upgrade path from Fortinet's upgrade tool.
- Monitor logs for the IoCs above: jsconsole logins, unexpected admin-account creation, and the listed source IPs.
- Restrict management interface access using local-in policies or trusthost configurations.
This incident underscores the critical need for timely patching and robust network segmentation practices to mitigate risks associated with zero-day vulnerabilities.
For further assistance, organizations are encouraged to contact Fortinet’s customer support or consult their security advisory for detailed mitigation steps.