Exploitation of Zero-Day Vulnerability in Fortinet Systems

A New Zero-Day Threat: What You Need to Know

A sophisticated cyberattack campaign is targeting a recently discovered authentication bypass vulnerability (CVE-2024-55591) in Fortinet’s FortiOS and FortiProxy systems. This critical flaw allows attackers to hijack firewall management interfaces, gain super-admin privileges, and compromise enterprise networks.

If your organization relies on Fortinet solutions, immediate action is required to mitigate this risk.

The Vulnerability at a Glance

· CVE-2024-55591:Exploitation enables attackers to bypass authentication and gain super-admin privileges.

· Affected Versions:

- FortiOS: Versions 7.0.0 to 7.0.16 (patch to 7.0.17 or later).

- FortiProxy: Versions 7.0.0 to 7.0.19 (patch to 7.0.20 or later) and 7.2.0 to 7.2.12 (patch to 7.2.13 or later).

· Exploitation Method: Attackers use specially crafted requests targeting the Node.js WebSocket module.

How the Attack Progresses

The campaign follows a structured timeline of activities:

1. Phase 1 (Nov 16–23, 2024): Scanning for vulnerable systems.

2. Phase 2 (Nov 22–27, 2024): Conducting reconnaissance.

3. Phase 3 (Dec 4–7, 2024): Configuring SSL VPN access.

4. Phase 4 (Dec 16–27, 2024): Lateral movement within the compromised network.

Observed Tactics Include:

· Unauthorized logins using administrative interfaces.

· Creation of rogue admin and user accounts.

· Modification of existing accounts for SSL VPN access.

· Establishing VPN tunnels from VPS-hosted IPs.

· Credential theft via DCSync for deeper access.

Mitigation Steps: Protect Your Organization Now

1. Restrict Access

· Disable public exposure of Fortinet management interfaces.

· Use local-in policies to limit administrative access to trusted IPs.

2. Apply Security Updates

· Upgrade to FortiOS 7.0.17 or above.

· Upgrade to FortiProxy 7.0.20 or above.

3. Monitor for Signs of Compromise

· Review logs for unauthorized logins or account changes.

· Investigate unusual activity from unfamiliar IP addresses.

4. Enhance Security Posture

· Enable multi-factor authentication (MFA) for all administrative accounts.

· Regularly audit and harden firewall policies.

Related Threats to Watch

This vulnerability is part of a broader trend of attacks on Fortinet systems,including:

· CVE-2023-37936:Exploited cryptographic key vulnerability enabling unauthorized code execution.

· CVE-2024-47575(“FortiJump”): A zero-day targeting FortiManager appliances.

Stay Vigilant

With attackers becoming increasingly sophisticated, timely updates and proactive monitoring are your best defense. Ensure your systems are patched and protected to reduce your risk of compromise.