A critical vulnerability identified as CVE-2024-55591 (CVSS 9.6) is actively being exploited in the wild, posing a severe risk to Fortinet’s FortiOS and FortiProxy products. This authentication bypass flaw allows remote attackers to gain super-admin privileges via carefully crafted requests targeting the Node.js WebSocket module.
CVE-2024-55591 is classified as an Authentication Bypass Using Alternate Path or Channel (CWE-288) vulnerability. Exploiting this flaw enables attackers to:
- Create super-admin accounts with full control over devices.
- Alter system configurations, including firewall policies and user group settings.
- Establish a secure VPN tunnel to access internal networks.
The vulnerability affects specific versions of FortiOS and FortiProxy, with impacted systems including FortiOS 7.0.0–7.0.16 and FortiProxy 7.0.0–7.0.19 and 7.2.0–7.2.12. Fortinet has released patched versions (FortiOS 7.0.17 and FortiProxy 7.2.13) to mitigate this threat.
The operations performed by the Threat Actor (TA) in the cases we observed were part or all of the below:
- Creating an admin account on the device with random user name
- Creating a Local user account on the device with random user name
- Creating a user group or adding the above local user to an existing sslvpn user group
- Adding/changing other settings (firewall policy, firewall address, …)
- Logging in the sslvpn with the above added local users to get a tunnel to the internal network.
System administrators should look for the following suspicious log entries and behaviors:
- Random Admin Creation Logs:
- Login Activity from Known Attacker IPs: Frequent IPs include 45.55.158.47 [most used IP address], 87.249.138.47, 155.133.4.175, 37.19.196.65, and 149.22.94.37.
- Administrative Actions:
- Randomly generated admin usernames like Gujhmk, Ed8x4k, G0xgey, Pvnw81, Alg7c4….
- Creation of local users and groups or modification of firewall policies.
Mitigation Steps
- Patch Immediately: Upgrade to the latest versions:
- FortiOS: 7.0.17 or higher
- FortiProxy: 7.2.13 or higher. Visit Fortinet’s Upgrade Tool for guidance.
- Restrict Access: Disable HTTP/HTTPS administrative interfaces or restrict access using local-in policies:
- Monitor Logs: Regularly audit system logs for anomalous activity, including unusual login attempts and configuration changes.
- Enhance Security:
- Use strong passwords and enforce Multi-Factor Authentication (MFA).
- Limit administrative access to trusted IP ranges.
Related Posts:
- PoC Releases for 0-day CVE-2024-21762 FortiGate SSLVPN Flaw, Over 133K Remain Vulnerable
- CVE-2024-21762 (CVSS 9.6): FortiOS SSL-VPN Zero-Day Pre-Auth RCE Flaw
- Fortinet Issues Urgent Security Patches for Critical Vulnerabilities
- CVE-2023-25610: Critical vulnerability affects FortiOS/FortiProxy
- CVE-2023-33308: Fortinet Patches Critical RCE Vulnerability in FortiOS/FortiProxy