Critical Authentication Bypass Vulnerability in CybersFortinet Products Under Active Exploitation
Summary
Fortinet recently announced a critical severity vulnerability affecting the FortiOS and FortiProxy products.
A critical Zero-day vulnerability with a CVSSv3 score of 9.6 that affects FortiOS and FortiProxy. Categorised as an “Authentication Bypass Using an Alternate Path or Channel” vulnerability (CWE-288), the flaw allows an attacker to circumvent authentication.
| OEM | Fortinet |
| Severity | Critical |
| CVSS | 9.6 |
| CVEs | CVE-2024-55591 |
| Exploited in Wild | Yes |
| Patch/Remediation Available | Yes |
| Advisory Version | 1.0 |
Overview
According to data from the Shadowserver Foundation, almost 50,000 devices are still unpatched as of January 20, 2025.
The vulnerability, which has been actively exploited since November 2024, enables unauthenticated attackers to obtain super-admin privileges through specially crafted requests to the Node.js websocket module. Although patches have been released, but a large number of devices remain exposed and vulnerable.
| Vulnerability Name | CVE ID | Product Affected | Severity |
| Authentication Bypass Vulnerability | CVE-2024-55591 | FortiOS and FortiProxy | Critical |
Technical Summary
CVE-2024-55591 is an authentication bypass vulnerability in FortiOS and FortiProxy. Exploiting this flaw allows remote attackers to gain super-admin privileges by sending specially crafted requests to the Node.js websocket module. This can lead to unauthorized administrative access, enabling attackers to modify firewall configurations, extract credentials, and move laterally within compromised environments.
Impact by Region (Unpatched Devices)
- Asia: 20,687 devices
- North America: 12,866 devices
- Europe: 7,401 devices
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2024-55591 | FortiOS 7.0.0 – 7.0.16, FortiProxy 7.0.0 – 7.0.19, FortiProxy 7.2.0 – 7.2.12 | Crafted requests to Node.js WebSocket module bypass authentication and allow attackers to gain super-admin privileges. | Unauthorized administrative access, credential extraction, and lateral movement. |
Remediation:
- Upgrade Firmware:
- FortiOS: Update to version 7.0.17 or latest
- FortiProxy: For 7.0.x version update to v7.0.20 or latest and for 7.2.x version update to v7.2.13 or latest
- Restrict Administrative Interface Access:
- Disable HTTP/HTTPS interfaces or limit access to trusted IP addresses using local-in policies.
- Enable Multi-Factor Authentication (MFA):
- Enforce MFA on all administrative accounts to reduce the risk of unauthorized access.
- Monitor Suspicious Activities:
- Check for unauthorized admin accounts, suspicious logins, or unexpected changes in firewall configurations.
Conclusion:
The exploitation of CVE-2024-55591 underscores the critical importance of timely patch management and robust security practices. Organizations using Fortinet products should act swiftly to apply the necessary updates and implement recommended security measures to protect their networks from potential attacks.
References:
- https://www.fortiguard.com/psirt
- https://cybersecuritynews.com/50000-fortinet-firewalls-remain-vulnerable-to-critical-zero-day-exploit/
- https://dashboard.shadowserver.org/statistics/combined/map/?map_type=std&day=2025-01-19&source=http_vulnerable&source=http_vulnerable6&tag=cve-2024-55591%2B&geo=all&data_set=count&scale=log
Hashtags