A critical zero-day vulnerability, CVE-2024-55591, has been discovered in FortiOS and FortiProxy, allowing attackers to bypass authentication and gain super admin access to Fortinet firewalls. This flaw, found in the Node.js WebSocket module, enables remote code execution, rogue admin account creation, and the modification of firewall policies—posing a significant risk to enterprises relying on FortiGate security appliances.
How Did This Happen?
Attackers exploited a flaw in Fortinet’s authentication mechanism, specifically in the WebSocket implementation, to bypass login credentials and gain privileged access. By sending a specially crafted WebSocket request, they could take full control of the system remotely. Exploitation of this vulnerability has been active since mid-November 2024, leading to a wave of unauthorized access incidents.
What Happens When This Vulnerability is Exploited?
Once compromised, threat actors can:
Create rogue admin accounts to maintain persistent access.
Modify firewall policies to allow unrestricted traffic.
Establish SSL VPN tunnels for deeper network infiltration.
Exfiltrate sensitive data from protected environments.
Deploy ransomware or malware by manipulating security settings.
As of January 2025, nearly 50,000 Fortinet devices remain unpatched, making them highly susceptible to cyberattacks.
Best Practices to Mitigate the Threat
1. Patch & Update Firmware
FortiOS Users: Upgrade to 7.0.17+ (for 7.0 branch) or 7.2.13+ (for 7.2 branch).
FortiProxy Users: Upgrade to 7.0.20+ (for 7.0 branch) or 7.2.13+ (for 7.2 branch).
2. Restrict Access to Admin Interfaces
Disable public access to HTTP/HTTPS management interfaces.
Restrict access using local-in policies, allowing only trusted IPs.
3. Monitor for Indicators of Compromise (IoCs)
Look for unexpected configuration changes.
Check for unauthorized logins from suspicious IP addresses (127.0.0.1, 8.8.8.8).
Analyze firewall rule modifications for unusual changes.
4. Disconnect Compromised Devices
If an organization detects compromise, it should disconnect affected FortiGate firewalls immediately to prevent lateral movement.
How Zeron’s CRPM Strengthens Cyber Defense
Zeron’s Cyber Risk Posture Management (CRPM) platform provides a proactive defense against such vulnerabilities using its Defense Module. With real-time insights, CRPM can:
-
Assess exposure to FortiGate vulnerabilities across IT assets.
-
Alert security teams when a high-risk exploit is detected.
-
Provide actionable insights on risk mitigation and patch prioritization.
-
Help organizations decide when to disconnect FortiGate systems to prevent further compromise.
With Zeron’s CRPM, enterprises can gain full visibility into their risk posture, ensuring maximum protection against evolving cyber threats. To know more, contact our experts today.
