Critical Zero-Day Vulnerability in Fortinet Firewalls: CVE-2024-55591 Advisory and Mitigation Steps

Security Advisory

Published Date: January 15, 2025

Vulnerability Summary

A critical authentication bypass vulnerability (CWE-288) has been identified in Fortinet’s FortiOS and FortiProxy products. This flaw allows remote attackers to gain super-admin privileges by sending specially crafted requests to the Node.js WebSocket module.

Affected Products and Versions

• FortiOS: Versions 7.0.0 through 7.0.16

• FortiProxy 7.0: Versions 7.0.0 through 7.0.19

• FortiProxy 7.2: Versions 7.2.0 through 7.2.12

Patched Versions

To address this vulnerability, upgrade to the following versions:

• FortiOS 7.0: Version 7.0.17 or later

• FortiProxy 7.0: Version 7.0.20 or later

• FortiProxy 7.2: Version 7.2.13 or later

Critical Details

• Vulnerability Impact: Attackers exploiting this vulnerability can execute unauthorized code or commands with super-admin privileges.

• Severity: Critical

• CVSS Score: 9.6

• CVE ID: CVE-2024-55591

Key Observations

Unlike targeted attacks with specific objectives, such as ransomware deployment or credential dumping, this vulnerability provides attackers unrestricted access, enabling them to perform a wide range of actions within the compromised environment.

Mitigation Steps

1. Restrict Access to Management Interfaces

   • Disable public access to the firewall’s management interfaces.

   • Limit IP addresses that can access HTTP/HTTPS administration interfaces.

2. Monitor for Indicators of Compromise (IOCs)

   • Investigate any unusual activity on specific ports, such as:

     • TCP Port 8023 (web-based CLI)

     • TCP Port 9980 (used for REST API queries)

     • Other unexpected open ports (e.g., 4433, 59449, 59450)

   • Hunt for suspicious new or modified admin accounts, particularly from activity starting mid-November 2024.

3. Upgrade Firmware

   • Apply the latest patches immediately to affected devices.

4. Enable Syslog Monitoring

   • Ensure that all firewall devices send logs to a centralized syslog server for continuous monitoring and analysis.

5. Review Security Best Practices

   • Avoid exposing management interfaces to the public internet.

   • Regularly review and update your organization’s firmware upgrade policy to address vulnerabilities proactively.

Frequently Asked Questions (FAQ)

Why is this vulnerability critical?
This zero-day flaw provides attackers with unrestricted super-admin access to compromised systems. Observed exploitation methods include creating admin accounts and configuring SSL VPN tunnels, which could lead to extensive system compromise.

Are there specific observed attacks?
Although no definitive attack patterns have been observed, attackers could exploit this vulnerability to execute arbitrary actions within the environment.

References

• NVD – CVE-2024-55591

• FortiGuard Labs – Intrusion Prevention

• Fortinet System Administrator Best Practices

• Zero-Day Vulnerabilities in Fortinet Firewalls – Industry Insights