A critical zero-day vulnerability in Fortinet’s FortiOS and FortiProxy products is being actively exploited by hackers to gain super-admin privileges on affected devices.
The authentication bypass flaw, tracked as CVE-2024-55591, allows remote attackers to execute unauthorized code or commands via crafted requests to the Node.js websocket module.
Fortinet confirmed the exploitation of this vulnerability in the wild, urging users to take immediate action. The affected versions include FortiOS 7.0.0 through 7.0.16, FortiProxy 7.2.0 through 7.2.12, and FortiProxy 7.0.0 through 7.0.19.
Security researchers at Arctic Wolf first observed suspicious activity related to this vulnerability in mid-November 2024.
The attack campaign progressed through four phases: vulnerability scanning, reconnaissance, SSL VPN configuration, and lateral movement.
The threat actors have been seen using various IP addresses, with 45.55.158.47 being the most frequently used.
Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free
Other observed IPs
Other observed IPs include:-
- 87.249.138.47
- 155.133.4.175
- 37.19.196.65
- 149.22.94.37
Indicators of compromise include unauthorized administrative logins, creation of new accounts with random usernames, and various configuration changes.
The attackers have been observed creating both admin and local user accounts, adding users to SSL VPN groups, and modifying firewall policies.
Fortinet recommends users upgrade to the latest patched versions:-
- FortiOS 7.0.17 or above
- FortiProxy 7.2.13 or above
- FortiProxy 7.0.20 or above
For those unable to update immediately, Fortinet has provided workaround steps, including disabling the HTTP/HTTPS administrative interface or limiting IP addresses that can access the administrative interface via local-in policies.
Organizations using affected Fortinet products are strongly advised to check for signs of compromise and take necessary mitigation steps to protect their networks from potential breaches.
Find this News Interesting! Follow us on Google News, LinkedIn, and X to Get Instant Updates!