15 January 2025 [NO.TCSA : 20250115-1-1-E]
Attackers are exploiting a newly discovered authentication bypass vulnerability in FortiOS and FortiProxy, enabling them to compromise Fortinet firewalls and infiltrate enterprise networks. This critical vulnerability allows remote attackers to gain super-admin privileges by sending malicious requests to the Node.js WebSocket module, which is part of the system’s architecture. The security flaw is designated CVE-2024-55591 and has a CVSSv3 score of 9.8 (Critical).
Upon successful exploitation, attackers create unauthorized admin or local user accounts on the compromised devices. These accounts are either added to existing SSL VPN user groups or placed in newly created groups, giving them persistent and elevated access to the affected systems. This enables them to not only take over the devices but also maintain access to the broader network, posing a severe security risk to enterprises using Fortinet solutions.
The vulnerability impacts the following versions of FortiOS and FortiProxy:
As a workaround, Fortinet also advised administrators to disable the HTTP/HTTPS administrative interface, or to restrict which IP addresses can reach the administrative interface by using local-in policies.
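The following FortiOS CLI fragment is an added illustration of that workaround; it is not taken from the Fortinet advisory or this bulletin. The interface name "wan1" and the management subnet 192.0.2.0/24 are assumptions and must be replaced with the values used in your own environment.

```fortios
# Option A: remove HTTP/HTTPS management from the Internet-facing interface
# entirely (only ping and SSH remain in this assumed example).
config system interface
    edit "wan1"
        set allowaccess ping ssh
    next
end

# Option B: keep HTTPS management but allow it only from a trusted
# management subnet (assumed value) via local-in policies.
config firewall address
    edit "ADMIN_TRUSTED_HOSTS"
        set subnet 192.0.2.0 255.255.255.0
    next
end

config firewall local-in-policy
    # Policy 1: permit admin HTTP/HTTPS only from the trusted subnet.
    edit 1
        set intf "wan1"
        set srcaddr "ADMIN_TRUSTED_HOSTS"
        set dstaddr "all"
        set service "HTTP" "HTTPS"
        set schedule "always"
        set action accept
    next
    # Policy 2: deny admin HTTP/HTTPS from every other source.
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "HTTP" "HTTPS"
        set schedule "always"
        set action deny
    next
end
```

Local-in policies are evaluated top to bottom, so the accept rule must precede the deny rule; these settings reduce exposure but do not replace applying the fixed firmware.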
TechCERT strongly encourages the application of these updates immediately.