CVE-2024-55591

Published Jan 14, 2025

Last updated a month ago

Overview

AI description

Generated using AI and has not been reviewed by Intruder. May contain errors.

CVE-2024-55591 is an authentication bypass vulnerability affecting Fortinet's FortiOS and FortiProxy products. A remote, unauthenticated attacker can exploit this flaw by sending specially crafted requests to the Node.js websocket module. Successful exploitation grants the attacker super-admin privileges on the targeted device. The vulnerability affects FortiOS versions 7.0.0 through 7.0.16, FortiProxy versions 7.0.0 through 7.0.19, and FortiProxy versions 7.2.0 through 7.2.12. Fortinet confirmed active exploitation of this vulnerability as early as November 2024, with reports of attackers creating new user accounts, modifying firewall settings, and establishing SSL VPN tunnels for internal network access. This vulnerability has been assigned a CVSSv3 score of 9.6, indicating its critical nature.

Description: An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS version 7.0.0 through 7.0.16 and FortiProxy version 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12 allows a remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module.
Source: psirt@fortinet.com
NVD status: Analyzed

Insights

Analysis from the Intruder Security Team

Published Jan 14, 2025 Updated Jan 29, 2025

This vulnerability affects the terminal console functionality within the Fortigate admin panel. It exploits a weakness in the WebSockets implementation and allows an unauthenticated attacker to create administrative accounts on the Fortinet device. watchTowr have released a technical post breaking the vulnerability down.

ArcticWolf have observed a handful of exploitations of this vulnerability in early December, where an unauthenticated threat actor has created administrative accounts and changed device configurations. They have listed a number of IoC's which can help with identifying any malicious activity on devices. Fortinet have also released similar IoC's for this vulnerability.

Fortinet have released patching information and their own IoC's here.

Intruder Premium customers will be checked for this weakness today (Jan 16th) and notified if they are vulnerable.

Risk scores

CVSS 3.1

Type: Primary
Base score: 9.8
Impact score: 5.9
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL

Known exploits

Data from CISA

Vulnerability name: Fortinet FortiOS and FortiProxy Authentication Bypass Vulnerability
Exploit added on: Jan 14, 2025
Exploit action due: Jan 21, 2025
Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Weaknesses

psirt@fortinet.com: CWE-288
nvd@nist.gov: NVD-CWE-Other

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "1B14CD59-F557-48A0-8458-BECD3AD7DB3A",
            "versionEndExcluding": "7.0.20",
            "versionStartIncluding": "7.0.0"
          },
          {
            "criteria": "cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "EDC18768-0891-465E-9900-3DF5D22A5CB3",
            "versionEndExcluding": "7.2.13",
            "versionStartIncluding": "7.2.0"
          },
          {
            "criteria": "cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "BD357034-B2FD-4C2E-97FE-2C54D686D885",
            "versionEndExcluding": "7.0.17",
            "versionStartIncluding": "7.0.0"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]