Fortinet has recently confirmed the active exploitation of a critical zero-day vulnerability affecting its FortiGate firewall devices. This vulnerability allows unauthorized attackers to gain administrative access, modify configurations, and extract sensitive credentials.

Vulnerability Details

The flaw, identified as CVE-2024-55591, is an authentication bypass issue in FortiOS and FortiProxy. It enables remote attackers to obtain super-admin privileges by sending crafted requests to the Node.js websocket module. The affected versions include FortiOS 7.0.0 through 7.0.16, FortiProxy 7.0.0 through 7.0.19, and FortiProxy 7.2.0 through 7.2.12.

Exploitation in the Wild

Cybersecurity firm Arctic Wolf reported that, since mid-November 2024, threat actors have targeted FortiGate firewalls with exposed management interfaces. The attack sequence involved unauthorized administrative logins, creation of new accounts, SSL VPN authentications, and various configuration changes. The campaign appeared opportunistic, affecting a diverse range of organizations without specific targeting.

Fortinet's Response

Fortinet has released an advisory acknowledging the vulnerability and its exploitation. The company recommends users immediately update to the latest firmware versions to mitigate the risk. Additionally, administrators are advised to disable public access to management interfaces and restrict access to trusted IP addresses.

Recommendations for Users

1. Update Firmware: Upgrade to FortiOS version 7.0.17 or above, and FortiProxy versions 7.0.20 or above, and 7.2.13 or above.

2. Restrict Management Access: Disable HTTP/HTTPS administrative interfaces on public networks or limit access to trusted IP addresses.

3. Monitor for Anomalies: Regularly review logs for unusual login activities, especially those originating from unfamiliar IP addresses.

4. Implement Strong Access Controls: Ensure that only authorized personnel have administrative access to firewall configurations.

Conclusion

The exploitation of this zero-day vulnerability underscores the importance of maintaining up-to-date systems and implementing robust security measures. Organizations using FortiGate firewalls should act promptly to apply the recommended updates and safeguards to protect their networks from potential breaches.

Disclaimer: ClearPhish maintains a strict policy of not participating in the theft, distribution, or handling of stolen data or files. The platform does not engage in exfiltration, downloading, hosting, or reposting any illegally obtained information. Any responsibility or legal inquiries regarding the data should be directed solely at the responsible cybercriminals or attackers, as ClearPhish is not involved in these activities. We encourage parties affected by any breach to seek resolution through legal channels directly with the attackers responsible for such incidents.