CVE-2024-55591 – Authentication Bypass in Fortinet FortiOS and FortiProxy

ISGroup Cybersecurity

A critical authentication bypass vulnerability (CVSS 9.6) affecting Fortinet’s FortiOS and FortiProxy products is currently under active exploitation. The vulnerability resides in the Node.js WebSocket module and allows remote attackers to bypass authentication mechanisms. Over 7.6 million instances of Fortinet firewalls are exposed to the Internet, making this threat particularly widespread.

ProductFortinet FortiProxy
Date2025-01-17 13:27:30
Information
  • Fix Available
  • Active Exploitation

Technical Summary

This vulnerability allows attackers to bypass authentication checks and gain super-administrator privileges by sending specially crafted web requests. Successful exploitation allows attackers to:

  • Create super-admin accounts with full system privileges
  • Modify system configurations including firewall policies and user groups
  • Establish VPN tunnels to access internal networks
  • Create local user accounts with random names (e.g., Gujhmk, Ed8x4k)
  • Add/modify firewall policies and network settings

Affected devices and versions:

  • FortiOS from 7.0.0 to 7.0.16
  • FortiProxy from 7.0.0 to 7.0.19
  • FortiProxy from 7.2.0 to 7.2.12

Exploitation involves:

  1. Sending a crafted request to the login endpoint
  2. Establishing a WebSocket connection with specific headers
  3. Bypassing authentication checks via the Node.js WebSocket module

Recommendations

  1. Update to the corrected versions:
  • FortiOS 7.0.17 or later
  • FortiProxy 7.2.13 or later
  1. Security enhancements:
  • Enable Multi-Factor Authentication (MFA) for all administrative accounts
  • Implement “local-in” policies to restrict access to the management interface
  • Limit administrative access to trusted IP ranges
  • Regularly monitor for suspicious account activity
  1. Detection:
  • Monitor for the creation of admin accounts with random names (e.g., Gujhmk, Ed8x4k)
  • Observe login attempts from known malicious IPs
  • Check system logs for unauthorized configuration changes

[Callforaction-THREAT-Footer]