Zero-Day Vulnerability in Fortinet FortiGate Firewalls

Severity Level: High

Date: 15/01/2025

Ref: CERT/NCSOC/0227

Components Affected

• FortiOS 7.0.0 through 7.0.16
• FortiProxy 7.0.0 through 7.0.19
• FortiProxy 7.2.0 through 7.2.12

Overview

A new authentication bypass zero-day vulnerability was identified in FortiOS and FortiProxy that can be used to exploit Fortinet firewalls and breach enterprise networks. Threat actors are leveraging exposed management interfaces to gain unauthorized administrative access, modify configurations, extract credentials, and move laterally within networks.

Description

An Authentication Bypass vulnerability (CVE-2024-55591) affecting FortiOS and FortiProxy could allow a remote attacker to gain super-admin privileges by sending crafted requests to the Node.js WebSocket module. Threat actors have weaponized this vulnerability to perform malicious actions, including creating admin and local user accounts, setting up new user groups, or adding newly created local users to existing SSL VPN user groups, and modifying firewall policies.

Impact

• Authentication Bypass
• Unauthorized Code or Commands Execution
• Privilege Escalation
• Critical Configurations Modification

Solution/Workarounds

• Before installation of the software, please visit the software vendor's website for more details. Apply fixes issued by the vendor: Fortinet Security Updates
• Disable Public Management Interface Access Immediately – Restrict management interfaces to internal networks.
• Enable Multi-Factor Authentication (MFA) – Strengthen login security.
• Monitor for Anomalous Activity – Look for unusual admin logins or unauthorized configuration changes.

Reference

• The Hacker News

Disclaimer

The information provided herein is on an "as is" basis, without warranty of any kind.