Executive Summary

As of January 14, 2025, CVE-2024-55591 has been identified as a critical zero-day vulnerability affecting FortiOS and FortiProxy systems. This authentication bypass flaw allows unauthenticated, remote attackers to gain super-admin privileges by sending specially crafted requests. The vulnerability has been actively exploited in the wild, posing a severe threat to organizations utilizing these Fortinet products. The vulnerability was first observed in active exploitation campaigns since November 2024, making it imperative for organizations to address this security flaw urgently.

Impact Assessment

The exploitation of CVE-2024-55591 can lead to unauthorized access to critical network resources, potentially allowing attackers to conduct further malicious activities such as data exfiltration, network disruption, and the deployment of additional malware. The critical nature of the vulnerability, reflected in its CVSSv3 score of 9.6, indicates the potential for significant impact on affected organizations, particularly those with inadequate security measures in place.

Threat Actor Details

While specific advanced persistent threat (APT) groups have not been explicitly linked to this vulnerability, the sophisticated nature of the exploitation techniques, including the creation of admin accounts and the use of specific IP addresses for unauthorized access, suggests involvement by organized and technically proficient threat actors. These actors may target sectors that rely heavily on Fortinet solutions, including finance, healthcare, and government, across various global regions.

Technical Details and IOCs

CVE-2024-55591 affects FortiOS versions 7.0.0 through 7.0.16 and FortiProxy versions 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12. The vulnerability is exploited by sending crafted requests to either the Node.js websocket module or via CSF proxy requests, bypassing existing authentication mechanisms. Indicators of Compromise (IoCs) include unusual admin logins from IP addresses such as 1.1.1.1 and 127.0.0.1, creation of admin accounts with random usernames, and malicious activity from IPs like 45.55.158.47 and 87.249.138.47.

Affected Systems and Services

The systems affected by CVE-2024-55591 include FortiOS and FortiProxy installations that have not been updated to the latest patched versions. Organizations running these versions are at risk of exploitation and should prioritize upgrading to the latest secure releases as soon as possible to mitigate this risk.

Timeline of Events

• November 2024: Initial detection of suspicious activity related to the zero-day vulnerability.
• January 14, 2025: Public disclosure of the vulnerability by Fortinet through a security advisory.
• February 11, 2025: Fortinet updates its advisory to include an additional CVE and acknowledges contributions from security researchers.

Prioritized Mitigation Steps

Organizations should immediately upgrade FortiOS to version 7.0.17 or above and FortiProxy to version 7.0.20 or above. As interim measures, disable HTTP/HTTPS administrative interfaces, limit access through local-in policies, and use non-standard admin usernames. It is also advisable to disable the Security Fabric feature from the command line interface using

Detection Methods

Security teams should monitor system logs for unauthorized admin access attempts, particularly from the identified malicious IP addresses. Implementing network intrusion detection systems (NIDS) can aid in identifying abnormal traffic patterns indicative of exploitation attempts. Regularly reviewing logs for the creation of unexpected admin accounts is also crucial.

References and Advisories

For further details on mitigation and technical specifics, refer to the Fortinet Security Advisory (https://www.fortiguard.com/psirt/FG-IR-24-535) and the Arctic Wolf blog post detailing the exploitation campaign. Additionally, Fortinet credits Sonny of watchTowr for the discovery of a related vulnerability, demonstrating the collaborative effort in addressing this critical issue.

About Rescana

At Rescana, we empower organizations to manage third-party risks effectively with our comprehensive TPRM platform. Our solutions help identify vulnerabilities related to vendor systems, providing actionable insights to enhance your cybersecurity posture. For inquiries regarding this report or any other cybersecurity concerns, please reach out to us at ops@rescana.com.