Advisory

Fortinet reports and fixes actively exploited FortiOS flaw

Take action: If you are running Fortinet firewalls or proxies, your FIRST action is to isolate the web-based management interface from the internet. Then check your versions and, if you are running an affected version, start patching IMMEDIATELY. Also carry out a full review of all access logs, administrator accounts and SSL VPN configuration, and then of the rest of your network, because there is a high chance you have already been compromised.


Learn More

Fortinet has disclosed and patched a critical authentication bypass in FortiOS firewalls and FortiProxy web gateways that has been actively exploited for at least a month.

The vulnerability is tracked as CVE-2024-55591 (CVSS score 9.6). It allows a remote attacker to gain super-admin privileges via crafted requests to the Node.js websocket module, enabling unauthorized code or command execution without any user interaction.

Update - as of 11 February 2025, Fortinet has clarified that, despite claims that a second vulnerability, CVE-2025-24472, was also being exploited, only CVE-2024-55591 has been confirmed as used in attacks. CVE-2025-24472 had already been patched in January 2025, contrary to initial reports describing it as a zero-day.

The flaw impacts:

  • FortiOS versions 7.0.0 through 7.0.16
  • FortiProxy versions 7.0.0 through 7.0.19
  • FortiProxy versions 7.2.0 through 7.2.12

The exploitation campaign was first detected in mid-November 2024 and continued through December 2024. Arctic Wolf researchers identified it through external monitoring of unexpected firewall configuration changes. The campaign progressed through four distinct phases:

  1. The first phase, November 16-23, 2024, was vulnerability scanning: automated exploitation attempts and multiple successful admin login events via jsconsole, with source IP addresses spoofed to look like loopback and public DNS resolver addresses.
  2. The second phase, November 22-27, 2024, was reconnaissance: initial unauthorized configuration changes, including modification of console output settings.
  3. In the third phase, December 4-7, 2024, the attackers escalated to creating new super-admin accounts and local user accounts, hijacking existing accounts (including the default guest account), adding the compromised accounts to VPN access groups, creating new SSL VPN portals, and establishing SSL VPN tunnels.
  4. The final phase, December 16-27, 2024, involved lateral movement attempts, including credential extraction and the use of DCSync for domain credential theft. The attackers were removed from the affected environments before they could complete their objectives.
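The logins and configuration changes in phases 1 and 3 leave traces in the FortiOS event log, and a jsconsole login whose source address is loopback or a public DNS resolver is the most distinctive of them. The Python script below is an added example, not code from the original page, from Fortinet or from Arctic Wolf: it parses FortiOS-style key=value event lines and flags those indicators. The sample log lines are constructed for the example; the resolver list and the configuration path names (system.admin, user.local, user.group, vpn.ssl.web.portal) are assumptions, and field names such as ui, cfgpath and cfgobj follow the common FortiOS event-log layout rather than a confirmed indicator list.

```python
import ipaddress
import re

# Parser for FortiOS-style key=value event log lines. A value is either
# double-quoted (and may contain spaces) or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Sources the write-up describes as spoofed: loopback and public DNS
# resolvers. The concrete resolver addresses here are an assumption.
PUBLIC_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}

# Configuration paths tied to the phase-3 activity. The names are assumed
# to mirror the FortiOS CLI tree (config system admin, config user local,
# config user group, config vpn ssl web portal).
ACCOUNT_PATHS = {
    "system.admin": "administrator account",
    "user.local": "local user",
    "user.group": "user group",
    "vpn.ssl.web.portal": "SSL VPN portal",
}


def parse_fortios_log(line):
    """Return the key=value fields of one log line as a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def source_address(event):
    """Source of an event: srcip if present, else the address inside ui="name(ip)"."""
    src = event.get("srcip")
    if src:
        return src
    m = re.search(r"\(([^)]+)\)", event.get("ui", ""))
    return m.group(1) if m else None


def is_spoofed_source(addr):
    """True when a client address is loopback or a well-known public resolver."""
    if addr is None:
        return False
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or addr in PUBLIC_RESOLVERS


def classify(event):
    """Return (severity, reason) for one parsed event, or None if nothing stands out."""
    ui = event.get("ui", "")
    action = event.get("action", "")
    via_console = "jsconsole" in ui
    spoofed = is_spoofed_source(source_address(event))

    # Phase 1: successful admin login through jsconsole, worst from a spoofed source.
    if action == "login" and event.get("status") == "success" and via_console:
        if spoofed:
            return ("high", "jsconsole admin login from spoofed source")
        return ("review", "jsconsole admin login")

    # Phase 3: account, group and SSL VPN portal changes made through jsconsole.
    path = event.get("cfgpath", "")
    if via_console and action in ("Add", "Edit") and path in ACCOUNT_PATHS:
        what = f"{action} of {ACCOUNT_PATHS[path]} '{event.get('cfgobj', '?')}' via jsconsole"
        return ("high" if spoofed else "review", what)
    return None


def scan(log_text):
    """Classify every non-empty line; return a list of (line_no, severity, reason)."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        verdict = classify(parse_fortios_log(line))
        if verdict:
            findings.append((n, *verdict))
    return findings


# Constructed sample lines in FortiOS event-log style (not real captured data).
SAMPLE_LOGS = """\
type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" ui="jsconsole" method="jsconsole" srcip=127.0.0.1 dstip=127.0.0.1 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from jsconsole"
type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="jsconsole(127.0.0.1)" action="Add" cfgpath="system.admin" cfgobj="newadmin1" cfgattr="password[*]accprofile[super_admin]vdom[root]" msg="Add system.admin newadmin1"
type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="jsconsole(8.8.8.8)" action="Add" cfgpath="vpn.ssl.web.portal" cfgobj="portal1" msg="Add vpn.ssl.web.portal portal1"
type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" ui="https(203.0.113.10)" method="https" srcip=203.0.113.10 dstip=192.0.2.1 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from https(203.0.113.10)"
type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="GUI(203.0.113.10)" action="Edit" cfgpath="firewall.policy" cfgobj="12" msg="Edit firewall.policy 12"
type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="jsconsole(203.0.113.10)" action="Edit" cfgpath="user.group" cfgobj="vpn-users" cfgattr="member[alice bob]" msg="Edit user.group vpn-users"
"""

if __name__ == "__main__":
    for n, severity, reason in scan(SAMPLE_LOGS):
        print(f"line {n}: [{severity}] {reason}")
```

Run it against exported event logs (type="event" subtype="system") covering at least the mid-November to late-December window. Treat "high" findings as compromise indicators that feed the account, VPN group and SSL VPN portal review called for under Take action; "review" findings are ordinary GUI console use from a routable address that an administrator should be able to confirm.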

Update - As of 21 January 2025, Shadowserver Foundation monitoring shows that over 48,000 vulnerable devices remain reachable from the Internet and open to attack.

Organizations are advised to upgrade to a patched version: FortiOS 7.0.17 or above, FortiProxy 7.0.20 or above, or FortiProxy 7.2.13 or above. If immediate patching isn't possible, mitigations include disabling the HTTP/HTTPS administrative interface, removing the web-based management interface from public internet exposure, and restricting administrative interfaces to trusted source IP addresses (Fortinet's advisory points to local-in policies for this). Mitigations only block new exploitation; they do not remove accounts, VPN portals or tunnels an attacker has already created, so the log and configuration review is still required.
