Fortinet Warns Users to Beware of Zero-Day Vulnerabilities Already Exploited

CVE-2024-55591 Vulnerability: Authentication Bypass Threat Impacting FortiOS and FortiProxy

CVE-2024-55591 is an Authentication Bypass vulnerability affecting FortiOS versions 7.0.0 to 7.0.16 and FortiProxy versions 7.0.0 to 7.0.79 and 7.2.0 to 7.2.12. This vulnerability allows attackers to send malicious requests to the Node.js WebSocket, granting themselves super-admin privileges.

Attack Patterns

According to observations from Fortinet and cybersecurity experts at Arctic Wolf, attackers exploiting this vulnerability exhibit the following behaviors:

  1. Randomly creating admin or local user accounts
  2. Adding these accounts to existing or newly created SSL VPN user groups
  3. Modifying Firewall Policies and other configurations

Timeline of Attacks

Arctic Wolf has analyzed and categorized the attack timeline into four distinct phases:

  1. Vulnerability Scanning (Nov 16–23, 2024)
    • Attackers began by scanning for vulnerable devices.
  2. Reconnaissance (Nov 22–27, 2024)
    • Attackers gathered information on the target systems in preparation for the attack.
  3. SSL VPN Configuration (Dec 4–7, 2024)
    • Admin accounts were added to the system.
  4. Lateral Movement (Dec 16–27, 2024)
    • Attackers expanded control to other systems.

Attack Behaviors and IOC

  • Randomized usernames and IP addresses for both source and destination
  • Utilization of tools like jsconsole for attack execution
  • Logs revealing unusual activities, such as changes to admin-level accounts

Mitigation Recommendations

Currently, Fortinet recommends the following measures to mitigate this vulnerability:

  1. Disable HTTP/HTTPS access for administrative interfaces.
  2. Restrict IP addresses that can access the administrative interface through Local Policy.

Credit: BleepingComputer

Related documents

Who to contact