Fortinet has recently addressed a critical authentication bypass vulnerability, identified as CVE-2024-55591, that has been exploited by attackers as a zero-day to compromise publicly-exposed FortiGate firewalls. The vulnerability affects FortiOS firewalls and FortiProxy web gateways, allowing remote attackers to gain super-admin privileges through crafted requests to Node.js websocket module, ultimately enabling them to execute unauthorized code or commands.
Acknowledging the in-the-wild exploitation of this vulnerability, Fortinet released a security advisory that included indicators of compromise such as IP addresses, log entries, created users, and a list of operations conducted by the threat actor. This information aligns with findings from Arctic Wolf researchers who detailed an attack campaign involving unauthorized administrative logins, account creations, and SSL VPN authentication that began in mid-November. It is now confirmed that the attackers leveraged the CVE-2024-55591 vulnerability for these malicious activities.
The critical vulnerability impacts FortiOS versions 7.0.0 through 7.0.16, along with FortiProxy versions 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12. Users have been urged to update to fixed versions (FortiOS 7.0.17 or above, FortiProxy 7.2.13 or above), or apply workarounds if immediate updates are not feasible, such as removing the firewall’s web-based management interface from the public internet.
Arctic Wolf researchers revealed that the attack campaign unfolded in four distinct phases, beginning with automated vulnerability scanning and zero-day exploitation. Subsequent phases involved reconnaissance, creation of new accounts with super admin privileges, and SSL VPN manipulations. Fortunately, the threat actors were removed from affected environments before progressing further, although the ultimate intentions behind the attacks remain uncertain.
In response to the escalating threat landscape posed by state-sponsored hackers targeting corporate networks through zero-day and n-day vulnerabilities, organizations are advised to enhance security measures. Specifically, management interfaces should not be publicly exposed, and access should be restricted to trusted internal users. Monitoring for suspicious activities, such as jsconsole events and unexpected logins from VPS hosting IP addresses, can help detect and mitigate potential threats.
Fortinet has been actively engaging with customers to provide guidance on mitigating risks associated with CVE-2024-55591. The company emphasizes the importance of timely patching, network monitoring, and following the guidelines outlined in their advisory. Collaboration with government agencies and threat research organizations continues to strengthen the response efforts against evolving cyber threats.
As organizations navigate the complexities of cybersecurity defense, proactive measures and collaboration with industry partners remain crucial in safeguarding against emerging vulnerabilities and threat actors. Through ongoing vigilance and strategic actions, enterprises can fortify their security posture and mitigate risks associated with sophisticated cyber attacks.