Fortinet recently announced a critical severity vulnerability affecting the FortiOS and FortiProxy products. The vulnerability may allow a remote attacker to gain super_admin privileges via crafted requests to the Node.js websocket module. The vulnerability is currently being exploited in the wild.

Background

On January 14, 2025, Fortinet disclosed CVE-2024-55591, a critical vulnerability with a CVSSv3 score of 9.6 that affects FortiOS and FortiProxy. Categorised as an "Authentication Bypass Using an Alternate Path or Channel" vulnerability (CWE-288), the flaw allows an attacker to circumvent authentication. Successful exploitation may provide super_admin privileges, granting full access, including the ability to manage system administrators and execute unauthorised code or commands.

Fortinet has released patches addressing the vulnerability and urges customers to apply them to secure their systems. Organisations should also review system logs for Indicators of Compromise (IOCs) and consider implementing additional security measures, such as enhanced monitoring and network segmentation, to detect and prevent unauthorised access. Further recommendations are described in the "Recommendations" section.

CVE-2024-55591 is actively being exploited, and potentially related activity has been observed since mid-November 2024. This possibility underscores the importance for organisations using vulnerable FortiOS and FortiProxy products to prioritise patching and review their security posture to mitigate potential risks associated with this vulnerability.

Threat Intelligence assessment

Activity possibly associated to CVE-2024-55591 dates back to November 16, 2024, suggesting that adversaries may have been aware of the vulnerability for nearly two months. mnemonic has not identified any publicly available Proof of Concept (POC) code for this vulnerability. Although no attribution has been made public, the observed campaign appears to be opportunistic. As mentioned earlier, the vulnerability is actively being exploited in the wild. The exploitation techniques used are likely to be adopted by other adversaries as more technical details and POC code become available.

Affected systems

The following versions are vulnerable to CVE-2024-55591:

• FortiOS 7.0 - 7.0.0 through 7.0.16
• FortiProxy 7.2 - 7.2.0 through 7.2.12
• FortiProxy 7.0 - 7.0.0 through 7.0.19

Recommendations

mnemonic recommends to upgrade the affected systems to mitigate the risks associated with the vulnerability. Further, we advise to use the upgrade tool provided by Fortinet to follow the recommended upgrade path.

This involves upgrading the following versions:

• FortiOS 7.0 - Upgrade to 7.0.17 or above
• FortiProxy 7.2 - Upgrade to 7.2.13 or above
• FortiProxy 7.0 - Upgrade to 7.0.20 or above

If patching is not possible at the current time, the vendor has provided workarounds that can be applied to temporarily reduce risks associated with the vulnerability:

• Disable HTTP/HTTPS administrative interface
• Alternatively, limit IP addresses that can reach the administrative interface via local-in policies

More details regarding these workarounds can be found on FortiGuard's website, including commands to perform policy changes.

As a general recommendation, mnemonic strongly advises against exposing administration interfaces of appliances directly on the Internet.

Detection coverage for Argus Managed Detection & Response (MDR) customers

mnemonic is actively implementing detection logic for the exploitation IOCs as new information becomes available. In addition, mnemonic is also conducting retrospective hunting on known IOCs and campaign TTPs in our customers' telemetry. Detection plugins for the vulnerability are implemented for Argus Continuous Vulnerability Monitoring customers.