Trending

ee-track">
Link copied!

Fortinet’s Authentication Bypass Zero-Day: Mitigation Strategies and IoCs for Enhanced Security

Fortinet has disclosed a critical authentication bypass vulnerability affecting FortiOS and FortiProxy systems. Identified as CVE-2024-55591, bug grants “super-admin” privileges.

January 15, 2025 · 3 min read
Fortinet’s Authentication Bypass Zero-Day: Mitigation Strategies and IoCs for Enhanced Security

Overview

Fortinet has disclosed a critical authentication bypass vulnerability affecting FortiOS and FortiProxy systems, identified as CVE-2024-55591. With a CVSS score of 9.6, this vulnerability allows unauthenticated attackers to execute unauthorized code or commands, granting them “super-admin” privileges.

The exploitation of this vulnerability has already been observed “in the wild,” stressing the urgency for affected organizations to act immediately.

Key Details

Vulnerability Summary

CVE-2024-55591 arises from a flaw in the Node.js websocket module, specifically within FortiOS and FortiProxy, where an alternate path or channel can bypass authentication mechanisms (CWE-288). This allows remote attackers to gain administrative access and compromise device configurations.

Affected Products

The vulnerability impacts specific versions of FortiOS and FortiProxy:

  • FortiOS 7.0: Versions 7.0.0 through 7.0.16
  • FortiProxy 7.0: Versions 7.0.0 through 7.0.19
  • FortiProxy 7.2: Versions 7.2.0 through 7.2.12

Unpatched systems are vulnerable to unauthorized access and subsequent exploitation.

Indicators of Compromise (IoCs)

Organizations are advised to monitor for the following IoCs to detect potential compromise:

Log Entries

  • Admin Login Events
  • Log Message: Successful login from the “jsconsole” interface with “super-admin” privileges.
  • Example: type=”event” subtype=”system” level=”information” vd=”root” logdesc=”Admin login successful” sn=”1733486785″ user=”admin” ui=”jsconsole” method=”jsconsole” srcip=1.1.1.1 dstip=1.1.1.1 action=”login” status=”success” reason=”none” profile=”super_admin” msg=”Administrator admin logged in successfully from jsconsole”
  • Admin Account Creation
  • Log Message: Creation of admin accounts with random usernames from suspicious IPs.
  • Example: type=”event” subtype=”system” level=”information” vd=”root” logdesc=”Object attribute configured” user=”admin” ui=”jsconsole(127.0.0.1)” action=”Add” cfgtid=1411317760 cfgpath=”system.admin” cfgobj=”vOcep” cfgattr=”password[*]accprofile[super_admin]vdom[root]” msg=”Add system.admin vOcep”

Common IP Addresses Usernames Used by Threat Actors

  • Frequent IPs:
    • 1.1.1.1
    • 2.2.2.2
    • 8.8.8.8
    • 45.55.158.47 [most used IP address]
    • 87.249.138.47
  • Admin/Usernames Created by Threat Actors:
    Randomly generated usernames have been observed, such as:
    • Gujhmk
    • Ed8x4k
    • G0xgey
    • Pvnw81
    • Alg7c4
    • Ypda8a
    • Kmi8p4
    • 1a2n6t
    • 8ah1t6
    • M4ix9f

Threat Actor Activity

Post-exploitation, attackers typically perform the following actions:

  1. Create admin accounts with elevated privileges.
  2. Add local users to existing SSL VPN user groups.
  3. Alter firewall policies to enable unauthorized network access.
  4. Use compromised SSL VPN accounts to establish tunnels into internal networks.

These actions allow lateral movement within the network, further compromising critical assets.

Mitigation Recommendations

Patch Management

Upgrade to Secure Versions:

  • FortiOS: Upgrade to 7.0.17 or higher.
  • FortiProxy: Upgrade to 7.0.20 or higher.
    Use Fortinet’s Upgrade Tool for guidance.

Access Control

  1. Disable HTTP/HTTPS Administrative Interfaces:
    Prevent unauthorized access by disabling external administrative interfaces.
  2. Restrict Access with Local-In Policies:
    Limit administrative access to trusted IP addresses using local-in policies.
    • Configure firewall address and groups for allowed IPs.
    • Apply local-in policies to restrict management interface access.

Monitoring and Detection

  1. Audit Logs:
    Continuously monitor system logs for anomalous login activities, suspicious IP addresses, and unauthorized account creations.
  2. Threat Intelligence Integration:
    Leverage threat intelligence feeds to stay updated on IoCs and adversarial tactics.

Incident Response

  1. Immediate Actions on Compromise:
    • Remove unauthorized accounts and reset passwords for all administrative and local users.
    • Revert unauthorized firewall and VPN configuration changes.
    • Isolate compromised devices from the network and conduct forensic analysis.
  2. Strengthen VPN Security:
    • Change SSL VPN ports to non-default values.
    • Implement multi-factor authentication (MFA) for all VPN users.

Workarounds

If patching is not immediately feasible, the following steps can temporarily mitigate risks:

  1. Restrict Administrative Access:
    Use local-in policies to limit management interface access to trusted IPs.
  2. Modify SSL VPN Ports:
    Configure custom ports for SSL VPN and HTTPS interfaces to avoid default port exploitation.
  3. Enable Trusthost Feature:
    Apply the trusthost feature to restrict access only to predefined IP ranges.

Conclusion

Organizations leveraging Fortinet solutions must act promptly to secure their infrastructure against CVE-2024-55591exploitation, leveraging patches, access restrictions, and continuous monitoring to detect and mitigate potential attacks. Proactively implementing these measures not only reduces the attack surface but also strengthens overall network security against advanced threat actors.

AI Threat Intelligence

Stop Executive Threats
Before They Strike

Monitor dark web chatter, detect lookalike domains, and protect your C-suite from targeted impersonation — in real time, across 50+ countries.

Scroll to Top

Book your session

Request a Personalized Demo

See how Cyble's threat intelligence protects your organization. A specialist will reach out within one business day.

Select one or more options

Cyble protects your personal data to manage your account and deliver requested content. Submit your details to receive updates. Withdraw consent anytime. See our privacy policy for details.

Your information is encrypted and never shared.
SOC 2 Type II GDPR compliant Trusted by 1,000+ teams

Download the brochure

Get the Cyble Vision Brochure

Explore how Cyble Vision delivers AI-powered threat intelligence across your attack surface. Fill in your details to access the brochure.

Select one or more options

Cyble protects your personal data to manage your account and deliver requested content. Submit your details to receive updates. Withdraw consent anytime. See our privacy policy for details.

Your information is encrypted and never shared.
SOC 2 Type II GDPR compliant Trusted by 1,000+ teams