A critical authentication bypass vulnerability (CVSS 9.6) affecting Fortinet’s FortiOS and FortiProxy products is currently under active exploitation. The vulnerability resides in the Node.js WebSocket module and allows remote attackers to bypass authentication mechanisms. Over 7.6 million instances of Fortinet firewalls are exposed to the Internet, making this threat particularly widespread.
| Product | Fortinet FortiProxy |
| Date | 2025-01-17 13:27:30 |
| Information |
|
Technical Summary
This vulnerability allows attackers to bypass authentication checks and gain super-administrator privileges by sending specially crafted web requests. Successful exploitation allows attackers to:
- Create super-admin accounts with full system privileges
- Modify system configurations including firewall policies and user groups
- Establish VPN tunnels to access internal networks
- Create local user accounts with random names (e.g., Gujhmk, Ed8x4k)
- Add/modify firewall policies and network settings
Affected devices and versions:
- FortiOS from 7.0.0 to 7.0.16
- FortiProxy from 7.0.0 to 7.0.19
- FortiProxy from 7.2.0 to 7.2.12
Exploitation involves:
- Sending a crafted request to the login endpoint
- Establishing a WebSocket connection with specific headers
- Bypassing authentication checks via the Node.js WebSocket module
Recommendations
- Update to the corrected versions:
- FortiOS 7.0.17 or later
- FortiProxy 7.2.13 or later
- Security enhancements:
- Enable Multi-Factor Authentication (MFA) for all administrative accounts
- Implement “local-in” policies to restrict access to the management interface
- Limit administrative access to trusted IP ranges
- Regularly monitor for suspicious account activity
- Detection:
- Monitor for the creation of admin accounts with random names (e.g., Gujhmk, Ed8x4k)
- Observe login attempts from known malicious IPs
- Check system logs for unauthorized configuration changes
[Callforaction-THREAT-Footer]
