CVE-2024-55591: Authentication bypass in FortiOS and FortiProxy

Published: 18 January 2025

Prepared by: Joel D'Souza, Technical Customer Success Manager

Purpose 

The purpose of this bulletin is to address the recently disclosed CRITICAL-risk vulnerability in Fortinet FortiOS and FortiProxy. As this vulnerability is under active exploitation by threat actors and allows an attacker to gain super-admin privileges, the Triskele Labs team advises that all organisations running affected versions of FortiOS and FortiProxy follow the remediation steps outlined in the following sections.

On January 15th, 2025, the Australian Cyber Security Centre (ACSC) released a vulnerability disclosure focused on CVE-2024-55591, recommending that all organisations patch the affected devices.

A workaround for this vulnerability was also provided: disable the HTTP/HTTPS administrative interface, or use IP blocking to limit the IP addresses that can reach the administrative interface.

On January 14th, 2025, the US Cybersecurity and Infrastructure Security Agency (CISA) added this vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog on the basis of evidence of active exploitation.

Vulnerability details 

On January 14th, 2025, FortiGuard Labs published a vulnerability disclosure (FG-IR-24-535) for the issue tracked as CVE-2024-55591, affecting the versions of FortiOS and FortiProxy listed below.

Product      Branch   Affected versions
FortiOS      7.0      7.0.0 through 7.0.16
FortiProxy   7.2      7.2.0 through 7.2.12
FortiProxy   7.0      7.0.0 through 7.0.19

The vulnerability is an authentication bypass using an alternate path or channel: specially crafted requests to the Node.js websocket module allow a remote attacker to bypass authentication and gain super-admin privileges.

No public Proof-of-Concept exploit has been released for this vulnerability.

Impact  

An attacker exploiting this vulnerability could create administrative accounts, modify the configuration to widen the attack surface, grant VPN access to unauthorised users and exfiltrate data.

Given the criticality of this vulnerability and its active exploitation, devices running affected versions of FortiOS and FortiProxy should be treated as a prime target for a threat actor and patched as a business priority, to prevent exfiltration of data and leakage of Personally Identifiable Information (PII) and other sensitive data.

Mitigation actions 

If you are running an instance of FortiOS or FortiProxy listed as affected by this vulnerability, Triskele Labs recommends reviewing the firewall logs for unusual activity.

Triskele Labs recommends upgrading to the latest version of FortiOS or FortiProxy immediately as the permanent fix. The upgrade paths below are provided by FortiGuard Labs; the recommended path for a specific device can be checked with Fortinet's upgrade tool at https://docs.fortinet.com/upgrade-tool

Product      Branch   Affected versions        Upgrade to
FortiOS      7.0      7.0.0 through 7.0.16     7.0.17 or above
FortiProxy   7.2      7.2.0 through 7.2.12     7.2.13 or above
FortiProxy   7.0      7.0.0 through 7.0.19     7.0.20 or above

A temporary workaround for CVE-2024-55591 is to disable the HTTP/HTTPS administrative interface or to use IP blocking to limit the IP addresses that can reach the administrative interface.

For current guidance on applying this workaround, refer to the FortiGuard Labs bulletin at https://www.fortiguard.com/psirt/FG-IR-24-535.
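As an added illustration that is not part of this bulletin or of Fortinet's own guidance, the FortiOS CLI fragment below shows both forms of the workaround described above: the weak setting (HTTP/HTTPS administrative access enabled on an internet-facing interface) beside the hardened one, and a local-in policy that restricts which source addresses may reach the administrative interface. The interface name port1, the address object mgmt-hosts and the 10.10.0.0/24 management range are assumptions for the example.

```text
# Weak: HTTP and HTTPS administrative access enabled on an exposed interface.
config system interface
    edit "port1"
        set allowaccess ping https ssh http
    next
end

# Workaround 1: remove http and https from the interface's allowed
# administrative services (SSH and ping remain for out-of-band management).
config system interface
    edit "port1"
        set allowaccess ping ssh
    next
end

# Workaround 2: keep HTTPS administration but allow it only from a defined
# management range, denying every other source with a local-in policy.
config firewall address
    edit "mgmt-hosts"
        set subnet 10.10.0.0 255.255.255.0
    next
end
config firewall local-in-policy
    edit 1
        set intf "port1"
        set srcaddr "mgmt-hosts"
        set dstaddr "all"
        set service "HTTPS"
        set schedule "always"
        set action accept
    next
    edit 2
        set intf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "HTTPS" "HTTP"
        set schedule "always"
        set action deny
    next
end
```

Apply the change on every interface that carries administrative access, and verify afterwards with a connection attempt from an address outside the management range that the interface no longer answers on the HTTP/HTTPS administrative ports.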

Detection capabilities 

Detection logic for this vulnerability has been released by Rapid7, Qualys and other leading vulnerability scanning platforms. Qualys customers can use QID 44501 to identify potentially affected devices.

FortiGuard Labs has also listed possible Indicators of Compromise (IoCs) in its bulletin.

Triskele Labs DefenceShield customers with Assess (our vulnerability scanning service) are currently being assessed. All customers with Monitor (our 24x7x365 SIEM) are, as always, being monitored for IoCs and lateral movement.

References