Critical Auth Bypass Affecting FortiOS and FortiProxy Seen in Wild
Summary
On Jan. 14, 2025, Fortinet released an advisory regarding an authentication bypass in some versions of its FortiOS and FortiProxy products. The bypass is tracked as CVE-2024-55591 (CVSS 9.6). The bug allows a remote attacker to gain super-admin privileges on the appliance and has reportedly been exploited in the wild, though no public PoC was available at the time of writing. According to Arctic Wolf Labs, activity that appears related to this vulnerability began as early as November 16, 2024 and continued through December.
Affected Systems and/or Applications
- FortiOS 7.0.0 – 7.0.16
- FortiProxy 7.0.0 – 7.0.19, 7.2.0 – 7.2.12
FortiOS and FortiProxy versions not mentioned here are unaffected by CVE-2024-55591.
Technical Details
An Authentication Bypass Using an Alternate Path or Channel vulnerability affecting FortiOS versions 7.0.0 through 7.0.16 and FortiProxy versions 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12 allows a remote attacker to gain super-admin privileges via crafted requests to the Node.js websocket module.
Threat Actor Post Exploitation Activity
Fortinet’s advisory includes the following examples of post-exploitation behavior.
Login activity log with random srcip and dstip:
type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" sn="1733486785" user="admin" ui="jsconsole" method="jsconsole" srcip=1.1.1.1 dstip=1.1.1.1 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from jsconsole"
Admin creation log with a seemingly randomly generated user name and source IP:
type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="jsconsole(127.0.0.1)" action="Add" cfgtid=1411317760 cfgpath="system.admin" cfgobj="vOcep" cfgattr="password[*]accprofile[super_admin]vdom[root]" msg="Add system.admin vOcep"
The following IP addresses were most often seen in the srcip/dstip and ui fields of the above logs:
- 1.1.1.1
- 127.0.0.1
- 2.2.2.2
- 8.8.8.8
- 8.8.4.4
Note that these IP parameters are under attacker control and can therefore be any other address. Note also that the sn and cfgtid values are not relevant to the attack.
The operations performed by the Threat Actor (TA) in the observed cases included some or all of the following:
- Creating an admin account on the device with random user name
- Creating a Local user account on the device with random user name
- Creating a user group or adding the above local user to an existing sslvpn user group
- Adding/changing other settings (firewall policy, firewall address, …)
- Logging in to the SSL VPN with the local users added above to obtain a tunnel to the internal network.
The admin or local user names created by the TA are randomly generated, e.g.:
Gujhmk
Ed8x4k
G0xgey
Pvnw81
Alg7c4
Ypda8a
Kmi8p4
1a2n6t
8ah1t6
M4ix9f
...etc...
Additionally, the TA has been seen using the following IP addresses:
- 45.55.158.47 (most used)
- 87.249.138.47
- 155.133.4.175
- 37.19.196.65
- 149.22.94.37
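The following is an added example, not code from the Fortinet advisory or this bulletin, showing how the hallmarks above can be turned into detection logic: it parses FortiOS key=value event-log lines and flags jsconsole logins whose srcip/dstip are attacker-controlled, admin or local-user creation from jsconsole with random-looking names, and connections from the listed TA addresses. The log lines, the 10.0.0.0/8 management range and the random-name heuristic are constructed assumptions for this example.

```python
"""Added example (not from the Fortinet advisory or this bulletin): flag the
CVE-2024-55591 post-exploitation hallmarks in FortiOS event logs.
Log lines, the 10.0.0.0/8 management range and the name heuristic are
constructed for this example."""
import ipaddress
import re

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# IPs the advisory says appear in srcip/dstip because the attacker sets them,
# and the addresses the TA was seen connecting from.
SPOOFED_IPS = {"1.1.1.1", "127.0.0.1", "2.2.2.2", "8.8.8.8", "8.8.4.4"}
KNOWN_TA_IPS = {"45.55.158.47", "87.249.138.47", "155.133.4.175",
                "37.19.196.65", "149.22.94.37"}
# Heuristic from the names in the advisory: 5-6 alphanumerics that are not
# plain lowercase (so "admin" does not match). Tune to your naming policy.
RANDOM_NAME_RE = re.compile(r"^(?=.*[A-Z0-9])[A-Za-z0-9]{5,6}$")

# Constructed sample lines modelled on the advisory's two examples, plus a
# benign HTTPS login, a local-user creation and an SSL VPN tunnel-up event.
SAMPLE_LOGS = [
    'type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" '
    'sn="1733486785" user="admin" ui="jsconsole" method="jsconsole" srcip=1.1.1.1 dstip=1.1.1.1 '
    'action="login" status="success" reason="none" profile="super_admin" '
    'msg="Administrator admin logged in successfully from jsconsole"',
    'type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" '
    'sn="1733486800" user="admin" ui="https(10.0.0.5)" method="https" srcip=10.0.0.5 dstip=10.0.0.1 '
    'action="login" status="success" reason="none" profile="super_admin" '
    'msg="Administrator admin logged in successfully from https(10.0.0.5)"',
    'type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" '
    'user="admin" ui="jsconsole(127.0.0.1)" action="Add" cfgtid=1411317760 cfgpath="system.admin" '
    'cfgobj="vOcep" cfgattr="password[*]accprofile[super_admin]vdom[root]" msg="Add system.admin vOcep"',
    'type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" '
    'user="admin" ui="jsconsole(127.0.0.1)" action="Add" cfgtid=1411317761 cfgpath="user.local" '
    'cfgobj="Gujhmk" cfgattr="type[password]passwd[*]" msg="Add user.local Gujhmk"',
    'type="event" subtype="vpn" level="information" vd="root" logdesc="SSL VPN tunnel up" '
    'action="tunnel-up" tunneltype="ssl-web" remip=45.55.158.47 user="Gujhmk" group="sslvpn_group" '
    'reason="login successfully" msg="SSL tunnel established"',
]


def parse_fortios_log(line):
    """Return the key=value pairs of one log line as a dict (quoted or bare values)."""
    return {k: q if q else u for k, q, u in KV_RE.findall(line)}


def ui_host(ui):
    """Pull the address out of ui="https(10.0.0.5)"; empty string if absent."""
    m = re.search(r"\(([^)]+)\)", ui)
    return m.group(1) if m else ""


def find_suspicious(lines, mgmt_nets=("10.0.0.0/8",)):
    """Return (rule, subject, detail) tuples for lines matching the hallmarks."""
    nets = [ipaddress.ip_network(n) for n in mgmt_nets]

    def outside_mgmt(ip):
        try:
            return not any(ipaddress.ip_address(ip) in n for n in nets)
        except ValueError:  # missing or malformed address counts as outside
            return True

    findings = []
    for line in lines:
        rec = parse_fortios_log(line)
        src, dst, ui = rec.get("srcip", ""), rec.get("dstip", ""), rec.get("ui", "")
        user = rec.get("user", "")
        remotes = {src, rec.get("remip", ""), ui_host(ui)} & KNOWN_TA_IPS
        if remotes:
            findings.append(("known_ta_ip", user, remotes.pop()))
        # Legitimate GUI CLI-console logins carry the admin's real address; the
        # exploit leaves a fabricated or loopback one, often with srcip == dstip.
        if (rec.get("logdesc") == "Admin login successful"
                and rec.get("method") == "jsconsole"
                and (src in SPOOFED_IPS or src == dst or outside_mgmt(src))):
            findings.append(("jsconsole_login", user, src))
        if (rec.get("logdesc") == "Object attribute configured"
                and rec.get("action") == "Add"
                and ui.startswith("jsconsole")
                and rec.get("cfgpath") in ("system.admin", "user.local")
                and RANDOM_NAME_RE.match(rec.get("cfgobj", ""))):
            findings.append(("random_account_added", rec["cfgobj"], rec["cfgpath"]))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOGS):
        print(*finding)
```

Feed it the output of a FortiAnalyzer or syslog export one line at a time; the jsconsole rule deliberately ignores console logins from inside the management range with a real source address, since the GUI's CLI console legitimately logs as jsconsole.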
Mitigation and Workarounds
To mitigate CVE-2024-55591, patch to at least the following versions:
- FortiOS: 7.0.17+
- FortiProxy: 7.0.20+, 7.2.13+
The Fortinet advisory also provides the following workarounds:
Disable the HTTP/HTTPS administrative interface (remove http and https from allowaccess on interfaces reachable from untrusted networks)
OR
Limit the IP addresses that can reach the administrative interface via local-in policies. First create an address object for the permitted management sources (replace the placeholders with your own address and mask):
config firewall address
    edit "my_allowed_addresses"
        set subnet <MY IP> <MY SUBNET>
end
Then create an address group:
config firewall addrgrp
    edit "MGMT_IPs"
        set member "my_allowed_addresses"
end
Create the local-in policies to restrict access to the predefined group on the management interface (here: port1) and deny everything else:
config firewall local-in-policy
    edit 1
        set intf port1
        set srcaddr "MGMT_IPs"
        set dstaddr "all"
        set action accept
        set service HTTPS
        set schedule "always"
        set status enable
    next
    edit 2
        set intf "all"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service HTTPS HTTP
        set schedule "always"
        set status enable
end
If the GUI listens on non-default ports (admin-sport and admin-port under config system global), create matching service objects, substituting your ports for the defaults shown:
config firewall service custom
    edit GUI_HTTPS
        set tcp-portrange 443
    next
    edit GUI_HTTP
        set tcp-portrange 80
end
Use these objects instead of "HTTPS HTTP" in local-in policies 1 and 2 above.
Please note that the trusthost feature achieves the same as the local-in policies above only if all GUI users are configured with it. Therefore, the local-in policies above are the preferred workaround.
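As an added example (not code from the Fortinet advisory or this bulletin), the following script audits a FortiOS configuration backup for the exposure the workaround above addresses: interfaces whose allowaccess still enables the HTTP/HTTPS GUI, admin accounts with no trusthost (the caveat just noted), the absence of a local-in policy denying HTTP/HTTPS, and a non-default admin-sport/admin-port that the custom service objects must match. The sample configuration text is constructed; only the standard config/edit/set/next/end backup syntax is assumed.

```python
"""Added example (not from the Fortinet advisory or this bulletin): audit a
FortiOS config backup for GUI exposure. SAMPLE_CONFIG is constructed."""
import shlex

SAMPLE_CONFIG = """\
#config-version: constructed sample for this example
config system global
    set admin-sport 8443
    set hostname "fw-edge"
end
config system interface
    edit "port1"
        set vdom "root"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh http fgfm
        config ipv6
            set ip6-allowaccess ping
        end
    next
    edit "port2"
        set vdom "root"
        set ip 10.0.0.1 255.255.255.0
        set allowaccess ping
    next
end
config system admin
    edit "admin"
        set trusthost1 10.0.0.0 255.255.255.0
        set accprofile "super_admin"
    next
    edit "helpdesk"
        set accprofile "prof_admin"
    next
end
config firewall local-in-policy
    edit 1
        set intf "port1"
        set srcaddr "MGMT_IPs"
        set dstaddr "all"
        set action accept
        set service "HTTPS"
        set schedule "always"
    next
    edit 2
        set intf "all"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "HTTPS" "HTTP"
        set schedule "always"
    next
end
"""


def parse_config(text):
    """Return {table: {edit_name: {key: [values]}}} for top-level config tables.
    Table-level settings (no edit, e.g. system global) are stored under ''.
    Nested config blocks inside an edit are skipped."""
    tables, stack, edit = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tok = shlex.split(line)
        if tok[0] == "config":
            stack.append(" ".join(tok[1:]))
        elif tok[0] == "edit" and len(stack) == 1:
            edit = tok[1]
            tables.setdefault(stack[0], {})[edit] = {}
        elif tok[0] == "set" and len(stack) == 1:
            key = edit if edit is not None else ""
            tables.setdefault(stack[0], {}).setdefault(key, {})[tok[1]] = tok[2:]
        elif tok[0] == "next" and len(stack) == 1:
            edit = None
        elif tok[0] == "end":
            stack.pop()
            if not stack:
                edit = None
    return tables


def audit_config(text):
    """Return human-readable findings about GUI exposure in a config backup."""
    t, findings = parse_config(text), []
    for name, a in t.get("system interface", {}).items():
        gui = sorted(p for p in a.get("allowaccess", []) if p in ("http", "https"))
        if gui:
            findings.append(f"interface {name}: GUI enabled ({' '.join(gui)}) in allowaccess")
    for name, a in t.get("system admin", {}).items():
        # trusthost values of 0.0.0.0/::/0 mean "any host", i.e. no restriction
        hosts = [v for k, v in a.items() if k.startswith(("trusthost", "ip6-trusthost"))
                 and v[:1] not in (["0.0.0.0"], ["::/0"])]
        if not hosts:
            findings.append(f"admin {name}: no trusthost restriction")
    policies = t.get("firewall local-in-policy", {}).values()
    if not any(p.get("action") == ["deny"] and {"HTTP", "HTTPS"} & set(p.get("service", []))
               for p in policies):
        findings.append("no local-in-policy denies HTTP/HTTPS")
    g = t.get("system global", {}).get("", {})
    sport, port = g.get("admin-sport", ["443"])[0], g.get("admin-port", ["80"])[0]
    if (sport, port) != ("443", "80"):
        findings.append(f"non-default admin ports (https {sport}, http {port}): "
                        "local-in policies need custom service objects")
    return findings


if __name__ == "__main__":
    print("\n".join(audit_config(SAMPLE_CONFIG)))
```

Run it against the plaintext backup from System > Configuration > Backup (or "show full-configuration" output); a clean result still needs the local-in policy's srcaddr group to actually contain only management sources, which the script does not judge.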
Please contact customer support for assistance.
What the Cyber Fusion Center is Doing
The CFC will continue to monitor the situation and send an advisory update if needed. Clients subscribed to our vulnerability scan services will receive relevant results if critical vulnerabilities are found within the scope of the scans as soon as a relevant plugin is made available by the scan provider.
Additionally, we are starting a threat hunting campaign based on hallmarks of exploitation and post-exploitation behavior associated with last year’s exploitation campaign.
- Qualys ID: 44501
- Tenable ID: https://www.tenable.com/plugins/nessus/214072
References
- https://www.fortiguard.com/psirt/FG-IR-24-535
- https://www.cve.org/CVERecord?id=CVE-2024-55591
- https://www.theregister.com/2025/01/14/miscreants_mass_exploited_fortinet_firewalls/