A vulnerability has been identified in Fortinet’s FortiOS and FortiProxy products. The vulnerability could allow for authentication bypass and super-admin privilege acquisition. The vulnerability (CVE-2024-55591) has a Critical CVSSv3.1 score of 9.8 out of 10.
Description:
The vulnerability lies in the Node.js websocket module on the products’ HTTP/S administrative interface, allowing attackers to craft malicious requests which create new arbitrary admin accounts under their control.
Especially of concern to organizations that could be vulnerable is that Fortinet and cybersecurity research companies have confirmed active mass exploitation campaigns based on the vulnerability have been taking place by threat actors “in the wild” since at least November.
The timeline of exploitation for the campaign has been shown to generally follow the timeline below:
- Creating admin accounts with random usernames under attacker control.
- Adding local users and integrating them into existing SSL VPN user groups.
- Device configuration such as firewall policy changes.
- VPN tunnel establishment using SSL VPNs with compromised accounts to enter internal networks.
Prompt patching is strongly advised.
Affected Versions:
FortiOS versions 7.0.0 through 7.0.16, and FortiProxy versions 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12, are all vulnerable to the attack.
Recommendations:
- Promptly update vulnerable installations.
- Follow the Fortinet PSIRT advisory for more information, determining exploitation, and workarounds: https://www.fortiguard.com/psirt/FG-IR-24-535.
- Ensure automatic updates are enabled for future instances whenever possible.
