Fortinet Confirms Critical Zero-Day Vulnerability in Firewalls

Fortinet has disclosed a new critical zero-day vulnerability affecting some of its FortiGate firewalls.

In a security advisory published on January 14, FortiGuard Labs revealed a new authentication bypass vulnerability affecting FortiOS and FortiProxy that could be exploited to hack FortiGate devices.

The flaw, CVE-2024-55591, was allocated a CVSS score of 9.6, indicating critical severity. Fortinet also confirmed reports claiming the vulnerability is actively exploited in the wild.

This new disclosure comes five days after Arctic Wolf said it had observed a large-scale exploitation campaign, ongoing since December 2024, affecting FortiGate firewall devices whose management interfaces were exposed on the public internet.

Arctic Wolf researchers saw threat actors altering firewall configurations and extracting credentials using DCSync.

“While the initial access vector used in this campaign is not yet confirmed, Arctic Wolf Labs assesses with high confidence that mass exploitation of a zero-day vulnerability is likely given the compressed timeline across affected organizations as well as firmware versions affected,” the advisory said.

Authentication Bypass Affecting FortiOS and FortiProxy

CVE-2024-55591 allows an authentication bypass using an alternate path or channel weakness in FortiOS and FortiProxy. When exploited, it can allow a remote attacker to gain super-admin privileges via crafted requests to a Node.js web socket module.

It affects FortiOS versions 7.0.0 through 7.0.16 and FortiProxy versions 7.0.0 through 7.0.19 and versions 7.2.0 through 7.2.12.

No other FortiOS and FortiProxy versions are affected, the FortiGuard Labs advisory said.

Mitigation Recommendations

To prevent exploitation of CVE-2024-55591, FortiGuard Labs said users should upgrade FortiOS 7.0 to version 7.0.17 or above, FortiProxy 7.0 to version 7.0.20 or above and FortiProxy 7.2 to version 7.2.13 or above, when possible.

The security vendor also provided a workaround:

  1. Disable the HTTP/HTTPS administrative interface, or limit the IP addresses that can reach it via local-in policies. First create an address object for the allowed addresses:

config firewall address
edit "my_allowed_addresses"
set subnet <ALLOWED_IP> <NETMASK>
end

  2. Create an address group:

config firewall addrgrp
edit "MGMT_IPs"
set member "my_allowed_addresses"
end

  3. Create the local-in policy to restrict access on the management interface (here: port1) to the predefined group only:

config firewall local-in-policy
edit 1
set intf port1
set srcaddr "MGMT_IPs"
set dstaddr "all"
set action accept
set service HTTPS HTTP
set schedule "always"
set status enable
next

edit 2
set intf "all"
set srcaddr "all"
set dstaddr "all"
set action deny
set service HTTPS HTTP
set schedule "always"
set status enable
end

  4. If using non-default ports, create the appropriate service objects for GUI administrative access:

config firewall service custom
edit GUI_HTTPS
set tcp-portrange 443
next

edit GUI_HTTP
set tcp-portrange 80
end

  5. Use these objects instead of "HTTPS HTTP" in local-in policies 1 and 2.
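A defender rolling out this workaround across a fleet will want to confirm it actually landed. The following is an added example (not Fortinet's or the article's code) that parses the local-in-policy section of a FortiOS configuration dump and checks for the two rules described above: an enabled accept rule for the GUI services from a named source object, followed by an enabled deny rule for the same services from "all". It assumes entries appear in evaluation order, as in the advisory snippet; if custom service objects were created in step 4, pass their names via the gui_services parameter.

```python
# Added example, not Fortinet's code; assumes entries appear in evaluation order.

def parse_local_in_policies(config_text):
    """Return 'config firewall local-in-policy' entries, in order, as {key: [values]} dicts."""
    policies, current, in_block = [], None, False
    for line in map(str.strip, config_text.splitlines()):
        if line == "config firewall local-in-policy":
            in_block = True
        elif in_block and line.startswith("edit "):
            current = {"id": line.split(None, 1)[1].strip('"')}
            policies.append(current)
        elif in_block and line.startswith("set ") and current is not None:
            key, *values = line.split()[1:]
            current[key] = [v.strip('"') for v in values]   # strip CLI quoting
        elif in_block and line == "end":
            break                                           # end of section
    return policies

def admin_access_restricted(config_text, gui_services=("HTTPS", "HTTP")):
    """True only if GUI services are accepted from a named source and then denied from 'all'."""
    accept_seen = False
    for p in parse_local_in_policies(config_text):
        if p.get("status") != ["enable"] or not set(gui_services) & set(p.get("service", [])):
            continue                                        # disabled or unrelated rule
        action, src = p.get("action", [""])[0], p.get("srcaddr", ["all"])
        if action == "accept":
            if "all" in src:
                return False          # GUI still reachable from any source
            accept_seen = True
        elif action == "deny" and "all" in src:
            return accept_seen        # catch-all deny must follow the allow rule
    return False                      # no catch-all deny for the GUI services

# Constructed config dump mirroring the advisory's two rules (abbreviated).
SAMPLE_CONFIG = """
config firewall local-in-policy
    edit 1
        set srcaddr "MGMT_IPs"
        set action accept
        set service "HTTPS" "HTTP"
        set status enable
    edit 2
        set srcaddr "all"
        set action deny
        set service "HTTPS" "HTTP"
        set status enable
end
"""
if __name__ == "__main__":
    print("workaround in place:", admin_access_restricted(SAMPLE_CONFIG))
```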
