Fortinet Urges Immediate Action to Address Critical Authentication Bypass Vulnerability

Critical Zero-Day Exploit in Fortinet Devices Grants Super-Admin Privileges

Fortinet has disclosed a severe zero-day vulnerability, CVE-2024-55591, affecting its flagship FortiOS and FortiProxy products. The flaw, which has been actively exploited in the wild, allows remote attackers to bypass authentication mechanisms and gain super-administrative privileges. This critical vulnerability has been widely discussed among security professionals and is already being exploited to carry out a variety of attacks, from creating new administrative accounts to altering firewall settings.

Vulnerability Overview

CVE-2024-55591 stems from an authentication bypass in FortiOS and FortiProxy, affecting versions 7.0.0 through 7.0.16 of FortiOS and 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12 of FortiProxy. The vulnerability arises from a flaw in the Node.js WebSocket module used in the management interface of these devices. An attacker can send crafted requests to the affected WebSocket endpoint, bypassing authentication and gaining super-admin access to the device.

This vulnerability is considered critical, with a CVSS score of 9.8, making it a prime target for cybercriminals looking to infiltrate corporate networks. Fortinet has confirmed that the flaw is being actively exploited in the wild, with reports of attackers leveraging it to perform a wide range of malicious activities.

Exploitation Details

Researchers have observed that attackers exploiting CVE-2024-55591 often begin by creating unauthorized administrator accounts with randomly generated usernames. These accounts are then used to modify device settings, including adding local user accounts to SSL VPN user groups and altering firewall policies. In some cases, attackers have successfully established tunnels to internal networks through the SSL VPN, potentially compromising sensitive information and systems.

Security firm Arctic Wolf first uncovered the attacks earlier this month, noting that attackers were targeting FortiGate firewall devices with exposed management interfaces. The vulnerability allowed attackers to bypass authentication and carry out these actions without needing to know valid admin credentials.

Root Cause and Affected Products

The flaw exists within the jsconsole functionality, a graphical user interface (GUI) feature that allows administrators to execute command-line interface (CLI) commands inside FortiOS's management interface. The weakness in this functionality lets attackers add new administrative accounts, effectively compromising the device.

The vulnerability affects FortiOS versions 7.0.0 through 7.0.16 and FortiProxy versions 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12. Fortinet has advised customers to upgrade their systems to the latest patched versions as soon as possible.

Mitigation and Recommendations

Fortinet has issued patches for the affected products, urging users to upgrade to the following versions:

• FortiOS: 7.0.17 or higher
• FortiProxy: 7.0.20 or higher (for versions 7.0.0–7.0.19) and 7.2.13 or higher (for versions 7.2.0–7.2.12)

For users unable to apply the patches immediately, Fortinet has published a set of recommended workarounds. These include disabling HTTP/HTTPS administrative access or limiting access to the management interface by using local-in policies. Organizations are also advised to review their firewall configurations to restrict administrative access to only trusted IP addresses.

Additional Security Measures

In addition to patching, Fortinet has recommended changing default administrator usernames and enforcing strong password policies to mitigate brute-force attempts. While the vulnerability does not require attackers to know a valid admin username, using non-standard usernames can add a layer of protection.

Organizations should also monitor their logs for suspicious activity related to this vulnerability. Indicators of compromise (IoCs) include unusual login attempts, creation of admin accounts with random usernames, and modifications to firewall settings or VPN configurations.

A Growing Threat Landscape

The discovery of CVE-2024-55591 highlights the growing threat to network security appliances, especially those exposed to the public internet. As organizations continue to rely on firewalls and VPNs for secure remote access, vulnerabilities like these present significant risks, not just to the devices themselves but to the broader corporate network they protect.

The vulnerability’s high CVSS score and the fact that it’s actively being exploited in the wild underline the urgency for organizations to patch their systems immediately. Failure to do so could leave them open to devastating attacks, including data breaches, internal network compromise, and further exploitation.

Conclusion

Fortinet’s disclosure of CVE-2024-55591 serves as a reminder of the importance of timely patching and proactive security measures. As the cybersecurity landscape continues to evolve, organizations must remain vigilant in securing their networks and devices to defend against sophisticated attacks.

For more information, Fortinet has published a full security advisory and detailed instructions on mitigating the vulnerability. Customers are encouraged to follow these guidelines and seek support from Fortinet’s customer service teams if needed.