
Critical Fortinet Zero-Day CVE-2024-55591 Actively Exploited: Urgent Patching Required
A newly discovered zero-day vulnerability in Fortinet’s FortiOS and FortiProxy products, tracked as CVE-2024-55591, is being actively exploited, allowing attackers to gain super-admin privileges. This critical flaw carries a CVSS score of 9.6, raising serious concerns for organizations relying on Fortinet’s security solutions.
Understanding the Vulnerability
The flaw originates from an authentication bypass issue in the Node.js WebSocket module within FortiOS’s management interface. By sending specially crafted WebSocket requests, attackers can circumvent authentication mechanisms and gain unauthorized super-admin access to vulnerable systems.
Once exploited, this access allows adversaries to:
Create new administrative accounts.
Modify firewall policies.
Establish Secure Sockets Layer Virtual Private Network (SSL VPN) tunnels for deeper infiltration into internal networks.
Active Exploitation in the Wild
According to Arctic Wolf researchers, the vulnerability was first observed being actively exploited in mid-November 2024. Attackers targeted exposed management interfaces of FortiGate firewalls, leveraging the jsconsole feature—a GUI-based tool for executing CLI commands within FortiOS.
PoC Exploit Released
Security researchers at watchTowr Labs have published a Proof-of-Concept (PoC) report, confirming that CVE-2024-55591 is more than just an authentication bypass. It is a chain of multiple issues, making it a particularly dangerous exploit.
The attack chain involves:
Establishing WebSocket connections via pre-authenticated HTTP requests.
Using a local_access_token parameter to bypass session checks.
Exploiting a race condition between WebSocket and Telnet CLI processes.
Manipulating authentication flows to gain privileged access as super_admin.
super_admin login
Indicators of Compromise (IoCs)
Organizations should monitor for signs of exploitation, including:
Unusual administrative account creation.
Suspicious login activity from IP addresses like 127.0.0.1 and 8.8.8.8.
Attackers creating random usernames and adding them to admin or SSL VPN groups.
Affected Versions
The vulnerability affects the following versions:
FortiOS: Versions 7.0.0 through 7.0.16.
FortiProxy: Versions 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12.
Secure versions include:
FortiOS: 7.0.17 or higher.
FortiProxy: 7.0.20 or higher.
Mitigation and Remediation
Fortinet has released patches on January 14, 2025, addressing this critical flaw. Organizations should immediately update to:
FortiOS: Version 7.0.17 or later.
FortiProxy: Version 7.0.20 (7.0 branch) or 7.2.13 (7.2 branch).
For organizations unable to patch immediately, the following security measures are recommended:
Disable public access to HTTP/HTTPS management interfaces.
Restrict access to administrative interfaces using local policies to limit IP ranges.
Monitor logs for Indicators of Compromise (IoCs) and suspicious activity.
Why This Matters
The exploitation of CVE-2024-55591 highlights the growing risks associated with network security devices, particularly firewalls and VPNs—critical infrastructure components often exposed to the internet. The vulnerability has already been added to CISA’s Known Exploited Vulnerabilities Catalog, signaling its widespread impact.
With nearly 50,000 vulnerable instances reported globally, organizations must act swiftly to patch affected systems and implement proactive security measures to mitigate this critical threat.
Take action now: Apply patches, secure management interfaces, and stay vigilant against emerging threats.
Comments