Advisory

January 17 Advisory: Zero-Day Vulnerability in FortiOS and FortiProxy Added to CISA KEV [CVE-2024-55591]

Date of Disclosure (source): January 14, 2025
Date Reported as Actively Exploited (source): January 14, 2025 

CVE-2024-55591 is an authentication bypass vulnerability affecting FortiOS versions 7.0.0 through 7.0.16 and FortiProxy versions 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12 with a CVSS score of 9.8. 

The flaw lets an unauthenticated remote attacker send specially crafted requests to the Node.js websocket module of the management interface and, on success, obtain super-admin privileges on the affected device.

This vulnerability is known to be actively exploited, with multiple reports of attackers targeting Fortinet devices whose management interfaces are exposed to the public internet. Arctic Wolf identified exploitation activity before the vulnerability was disclosed, including unauthorized administrative logins, creation of new administrator accounts, and configuration changes, dating back to mid-November 2024. That activity was later determined to be tied to this vulnerability.
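The three indicators above (administrative logins from unexpected sources, new administrator accounts, and configuration changes made by those accounts) can be hunted for in device event logs. The script below is an added example written for this advisory, not Censys or Fortinet code. The log lines are constructed and simplified; the field names follow the key=value convention of FortiGate event logs, but the exact keys on a real device may differ, and the trusted management range is an assumption you would replace with your own.

```python
"""Hunt FortiOS-style key=value event logs for the post-exploitation
pattern described in the advisory: admin logins from outside the trusted
management range, newly created administrator accounts, and configuration
changes made by those accounts or from untrusted sources.

Added example, not Censys or Fortinet code. SAMPLE_LOG is constructed;
field names are modelled on FortiGate event logs and may not match a
real device exactly. TRUSTED_MGMT is an assumed management range."""

import ipaddress
import re

# Assumption: legitimate administration only ever comes from this range.
TRUSTED_MGMT = [ipaddress.ip_network("10.10.0.0/16")]

# Constructed sample log: no real device, documentation addresses only.
SAMPLE_LOG = """\
date=2024-11-16 time=03:12:41 type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="https(198.51.100.23)" srcip=198.51.100.23 action="login" status="success" profile="super_admin"
date=2024-11-16 time=03:13:02 type="event" subtype="system" logdesc="Object attribute configured" user="admin" ui="https(198.51.100.23)" srcip=198.51.100.23 action="Add" cfgpath="system.admin" cfgobj="svc_backup" cfgattr="accprofile[super_admin]"
date=2024-11-16 time=03:15:10 type="event" subtype="system" logdesc="Admin login successful" user="svc_backup" ui="https(198.51.100.23)" srcip=198.51.100.23 action="login" status="success" profile="super_admin"
date=2024-11-16 time=03:16:55 type="event" subtype="system" logdesc="Object attribute configured" user="svc_backup" ui="https(198.51.100.23)" srcip=198.51.100.23 action="Edit" cfgpath="firewall.policy" cfgobj="12" cfgattr="action[deny->accept]"
date=2024-11-16 time=09:00:07 type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="https(10.10.5.8)" srcip=10.10.5.8 action="login" status="success" profile="super_admin"
date=2024-11-16 time=09:02:30 type="event" subtype="system" logdesc="Object attribute configured" user="admin" ui="https(10.10.5.8)" srcip=10.10.5.8 action="Edit" cfgpath="system.global" cfgobj="" cfgattr="timezone[04->12]"
"""

# key=value pairs; values are either double-quoted or a bare token.
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value log line into a dict (quotes stripped)."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in _KV_RE.finditer(line)}


def is_trusted(ip):
    """True when the source address lies inside the trusted management range."""
    if ip is None:
        return False
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_MGMT)


def hunt(log_text):
    """Return a list of (timestamp, finding, subject, source_ip) tuples.

    Admin accounts created within the log window are remembered so that any
    configuration change they make is flagged even if it comes from a
    trusted address."""
    findings = []
    new_admins = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        when = f"{ev.get('date')} {ev.get('time')}"
        user, src = ev.get("user"), ev.get("srcip")

        # 1. successful admin login from outside the management range
        if ev.get("action") == "login" and ev.get("status") == "success" \
                and not is_trusted(src):
            findings.append((when, "admin login from untrusted source", user, src))

        # 2. a new administrator account being added
        if ev.get("action") == "Add" and ev.get("cfgpath") == "system.admin":
            new_admins.add(ev.get("cfgobj"))
            findings.append((when, "admin account created", ev.get("cfgobj"), src))

        # 3. configuration edits by a freshly created admin or from an untrusted source
        if ev.get("action") == "Edit" and (user in new_admins or not is_trusted(src)):
            findings.append((when, f"config change to {ev.get('cfgpath')}", user, src))
    return findings


if __name__ == "__main__":
    for when, finding, subject, src in hunt(SAMPLE_LOG):
        print(f"{when}  {finding:40} {subject:12} from {src}")
```

Run against the constructed log this reports four findings: the untrusted login as admin, the creation of svc_backup, the login as svc_backup, and the firewall policy change made by that account; the in-range admin login and timezone change at 09:00 are not flagged. Against real logs, feed it the device's event log export and tune TRUSTED_MGMT first, otherwise every legitimate login shows up.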

Additionally, this vulnerability was added to CISA’s list of Known Exploited Vulnerabilities on January 14, 2025, highlighting the urgency for organizations to address this threat. 

It is recommended not to expose network device administrative interfaces to the public internet where possible. Where they must be reachable, harden them (for example, by restricting administrative access to trusted source addresses), and review administrator accounts and configuration history on any exposed device for the indicators described above.


Field                         Details
CVE-ID                        CVE-2024-55591 – CVSS 9.8 (critical) – assigned by Fortinet Inc.
Vulnerability Description     An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS and FortiProxy may allow a remote attacker to gain super-admin privileges via crafted requests to the Node.js websocket module.
Date of Disclosure            January 14, 2025
Affected Assets               Node.js websocket module in Fortinet FortiOS and FortiProxy
Vulnerable Software Versions
  • Fortinet FortiOS 7.0.0 through 7.0.16
  • Fortinet FortiProxy 7.2.0 through 7.2.12
  • Fortinet FortiProxy 7.0.0 through 7.0.19
PoC Available?                No public exploit. WatchTowr Labs published a Python script on GitHub that detects whether a host is vulnerable (the detection mechanism does not support FortiProxy).
Exploitation Status           Actively exploited; added to CISA KEV on January 14, 2025
Patch Status                  Fixed builds are available, with installation instructions in Fortinet’s security advisory:
  • Fortinet FortiOS 7.0.0 through 7.0.16 (fixed in 7.0.17 or above)
  • Fortinet FortiProxy 7.2.0 through 7.2.12 (fixed in 7.2.13 or above)
  • Fortinet FortiProxy 7.0.0 through 7.0.19 (fixed in 7.0.20 or above)
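To turn the version table above into something an inventory can be checked against, here is an added example (not Censys or Fortinet code) that encodes exactly the affected ranges and fixed builds listed in this advisory. The hostnames and versions in the inventory are constructed; version strings are assumed to be plain "major.minor.patch" as the advisory writes them.

```python
"""Triage FortiOS / FortiProxy version strings against the CVE-2024-55591
affected ranges in this advisory.

Added example, not Censys or Fortinet code. The AFFECTED table encodes only
what the advisory lists; a product or version outside it is reported as
"not affected" by this table, not as safe in general. INVENTORY is constructed."""

import re

# (lowest affected, highest affected, first fixed build) per product,
# taken from the advisory's "Vulnerable Software Versions" and "Patch Status".
AFFECTED = {
    "FortiOS": [((7, 0, 0), (7, 0, 16), (7, 0, 17))],
    "FortiProxy": [((7, 0, 0), (7, 0, 19), (7, 0, 20)),
                   ((7, 2, 0), (7, 2, 12), (7, 2, 13))],
}

# Accepts "7.0.16" or "v7.0.16"; anything else is rejected rather than guessed.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Parse "major.minor.patch" into a comparable tuple of ints."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(product, version):
    """Return (status, fixed_in).

    status is "vulnerable" (with the first fixed build), "not affected"
    (version lies outside every listed range) or "unknown product"."""
    if product not in AFFECTED:
        return ("unknown product", None)
    v = parse_version(version)
    for low, high, fixed in AFFECTED[product]:
        if low <= v <= high:
            return ("vulnerable", ".".join(map(str, fixed)))
    return ("not affected", None)


# Constructed inventory: hostnames and versions are made up.
INVENTORY = [
    ("fw-edge-01", "FortiOS", "7.0.16"),
    ("fw-edge-02", "FortiOS", "7.0.17"),
    ("fw-core-01", "FortiOS", "7.2.8"),
    ("proxy-dmz-01", "FortiProxy", "7.2.12"),
    ("proxy-dmz-02", "FortiProxy", "7.0.20"),
    ("proxy-lab-01", "FortiProxy", "v7.0.3"),
]


def triage(inventory):
    """Assess every (host, product, version) row; returns rows with status and fix."""
    rows = []
    for host, product, version in inventory:
        status, fixed = assess(product, version)
        rows.append((host, product, version, status, fixed))
    return rows


if __name__ == "__main__":
    for host, product, version, status, fixed in triage(INVENTORY):
        note = f" -> upgrade to {fixed} or later" if fixed else ""
        print(f"{host:14} {product:10} {version:8} {status}{note}")
```

The upper bounds are inclusive, so 7.0.16 and 7.2.12 are reported as vulnerable while the first fixed builds (7.0.17, 7.2.13, 7.0.20) are not. Because only the advisory's ranges are encoded, a FortiOS 7.2 build comes back "not affected" for this CVE; that says nothing about other advisories, so do not read it as a general patch-level check.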

Censys Perspective

At the time of writing, Censys observed 51 exposed FortiProxy instances and 3,445,758 exposed hosts running FortiOS. Twelve hosts appear in both sets, giving a total of 3,445,797 distinct exposed hosts.

16% of these are geolocated in the United States. Not every observed host is necessarily vulnerable: version information is not always available, so hosts running patched or unaffected builds are included in this count.

Map of Exposed FortiOS and FortiProxy Instances:

Censys Search Query:

services.software: (vendor="Fortinet" and (product="FortiOS" or product="FortiProxy")) and not labels: {honeypot, tarpit}

Censys ASM Query:

(host.services.software: (vendor="Fortinet" and (product="FortiOS" or product="FortiProxy")) or web_entity.instances.software: (vendor="Fortinet" and (product="FortiOS" or product="FortiProxy"))) and not labels: {honeypot, tarpit}
