Critical Zero-Day Vulnerability Exploited in Fortinet Devices

A zero-day vulnerability has been identified and actively exploited in Fortinet´s security appliances that would let the threat actors compromise firewalls and infiltrate enterprise networks.
The vulnerability, tracked as CVE-2024-55591, affects multiple versions of FortiOS and FortiProxy and allows attackers to bypass authentication and gain super-admin privileges.
This in-depth analysis looks at the details of this threat, why it matters, and what organizations can do to protect their systems.
The Vulnerability: CVE-2024-55591
The CVE-2024-55591 authentication bypass vulnerability affects the following versions of the software:
- FortiOS: Versions 7.0.0 to 7.0.16.
- FortiProxy: Versions 7.0.0 to 7.0.19 and 7.2.0 to 7.2.12.
The flaw is an authentication bypass in Node.js WebSocket enabling remote attackers to send specially crafted requests, thereby granting super-admin privileges.
By exploiting this vulnerability, attackers could penetrate an organization’s network and change configurations to steal sensitive data subsequently.
Active Exploitation Campaigns
Observed Activities
In mid-November, threat actors reportedly started to leverage CVE-2024-55591 for the compromise of Fortinet firewalls since 2024.
Attackers create an admin account with a random name and add it to one of the existing or new SSL VPN user groups, thus enabling secure tunnels into internal networks.
The firewall configurations have also been manipulated to enable lateral movement into the compromised environment and maintain persistence.
They used tools, including DCSync, to dump credentials from these systems, increasing the magnitude of these attacks accordingly.
Campaign Timeline
The attack campaign has gone through four distinct phases so far: vulnerability scanning (November 16–23, 2024), reconnaissance (November 22–27, 2024), the configuration of SSL VPNs (December 4–7, 2024), and lateral movement (December 16–27, 2024).
These phases of the campaign continue, meaning other malicious activities may surface. This approach is, in fact, systematic, starting from identifying vulnerable devices, then collecting intelligence, exploiting the vulnerability, and finally expanding access across networks.
Also Read: Check Point Alerts Users to Zero-Day Attacks on Their VPN Gateway Products
Indicators of Compromise (IOCs)
Fortinet and Arctic Wolf have shared significant compromise indicators to help organizations detect potential exploitation.
Logs that characterize malicious admin logins via the jsconsole interface or create randomly named admin users are crucial in marking compromise.
For instance, one log entry shows an unauthorized admin login through the jsconsole interface with a success message.
Another log indicates the creation of rogue admin accounts with random usernames. That being said, attackers usually develop specific IP addresses—like 1.1.1.1, 127.0.0.1, and 8.8.8.8—during their campaigns, which can act as red flags for detection purposes.
Fortinet’s Response
Mitigation Guidance
To mitigate CVE-2024-55591, Fortinet proposed vital recommendations to the administrators to disable HTTP/HTTPS administrative interfaces or restrict access to specific IP addresses via local-in policies.
The study also noted the necessity of applying the latest security patches to address that vulnerability and protect devices from exploitation.
Organizations should also establish syslog monitoring functions for anomaly detection to provide an early warning of malicious actions.
Related Vulnerabilities
Fortinet has dealt with other significant vulnerabilities, like CVE-2023-37936, which has an undefined criticality cutoff for this particular hard-coded cryptographic key flaw, which allowed unauthorized code execution.
Other exploits underscore the same pointer, such as the somewhat relatively unobtrusive FortiJump vulnerability (CVE-2024-47575) and an unprotected FortiClient VPN flaw allegedly being exploited by Chinese hackers, thereby prescribing the urgency of pre-emptive management of such later disclosures and the adoption of adequate security measures.
Implications for Organizations
The exploitation of CVE-2024-55591 represents the growing risk the vulnerabilities in network security appliances could pose. Devices such as Fortinet firewalls make attractive targets for attackers because they perform foundational work in enterprise security.
Once these devices are compromised, information at rest becomes vulnerable, and critical infrastructure will be at the mercy of attackers.
Also Read: Check Point Alerts Users to Zero-Day Attacks on Their VPN Gateway Products
This stewardship shows that this operation of exploitative actions is going after devices having management interfaces exposed to the Internet, thereby increasing their target surface and putting them at risk of attack.
Attributing to those attacks takes excellent effort from the adversary because the differences in the tradecraft and infrastructure show several threat actors might get involved.
This complexity reinforces why such organizations must build an active, multi-layered defense comprising continuous monitoring, threat intelligence, and response capability.
Recommendations for Organizations
Patch Immediately
Organizations must take care to ensure security patches are applied to Fortinet devices.
If the firmware is not updated, the system will be unprotected against exploitation, as most attackers intentionally target unpatched systems since they have IOCs and known vulnerabilities.
Limit Exposure
Limiting access to management interfaces to trusted internal networks will help reduce the attack surface. The admin must be able to disable any public management interface where possible and enforce stringent access control policies to restrict unauthorized access.
Enhance Monitoring
By proactively monitoring system logs for unusual activities, such as unauthorized jsconsole logins and creation of rogue admin accounts, one can catch a potential intruder early.
The organization should use threat intelligence to correlate its observed behaviors with known attack patterns and respond quickly.
Improve Incident Response
Organizations should establish and test their incident response plans from time to time to be prepared for zero-day exploits. Tabletop exercises simulating different possible attack scenarios would help teams spot defense gaps and enhance their response capabilities.
Educate Teams
One of the most crucial aspects of securing network devices is training the IT staff to recognize signs of compromise and understand best practices for securing network devices.
Ultimately, with knowledge of emerging threats and proactive security measures, the ability to better withstand sophisticated attacks can be significantly enhanced.
Conclusion
With cyber threats becoming increasingly sophisticated, securing your infrastructure using robust Public Key Infrastructure (PKI) solutions is essential. Certera offers cutting-edge PKI Solutions and SiteLock Services designed to fortify your organization against vulnerabilities.