A critical zero-day vulnerability in Fortinet’s FortiOS and FortiProxy products tracked as CVE-2024-55591, has been actively exploited in the wild, allowing attackers to gain super-admin privileges.

The flaw, which carries a CVSS score of 9.6, has raised significant concerns among organizations relying on Fortinet’s security solutions.

The vulnerability stems from an “Authentication Bypass Using an Alternate Path or Channel” issue in the Node.js WebSocket module integrated into FortiOS’s management interface.

By sending specially crafted WebSocket requests, attackers can bypass authentication mechanisms and gain unauthorized super-admin access to affected systems.

This access enables them to perform a wide range of malicious activities, including creating new administrative accounts, modifying firewall policies, and establishing Secure Sockets Layer Virtual Private Network (SSL VPN) tunnels to infiltrate internal networks.

As detailed by Arctic Wolf researchers, the vulnerability was first observed being actively exploited in mid-November 2024. Attackers targeted exposed management interfaces of FortiGate firewalls, leveraging the jsconsole feature—a GUI-based tool for executing CLI commands within the FortiOS management interface.

PoC Exploit Published

This vulnerability isn’t “just” a simple Authentication Bypass but a chain of issues combined into one critical vulnerability, reads watchTowr Labs PoC report.

Exploitation involved a combination of flaws:

• Establishing WebSocket connections via pre-authenticated HTTP requests.
• Using a local_access_token parameter to bypass session checks.
• Exploiting a race condition between WebSocket and Telnet CLI processes.
• Manipulating authentication flows to select privileged access profiles such as “super_admin”.

Indicators of compromise (IoCs) include logs showing unusual administrative account creation and suspicious login activity from IP addresses like 127.0.0.1 and 8.8.8.8. Attackers often created random usernames and added them to administrative or SSL VPN groups, enabling persistent access.

The vulnerability affects the following versions:

• FortiOS: Versions 7.0.0 through 7.0.16.
• FortiProxy: Versions 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12.

Unaffected versions include FortiOS 7.0.17 or higher and FortiProxy 7.0.20 or higher.

Fortinet released patches on January 14, 2025, addressing the vulnerability:

• FortiOS: Upgrade to version 7.0.17 or later.
• FortiProxy: Upgrade to version 7.0.20 or later for the 7.0 branch and version 7.2.13 for the 7.2 branch.

Organizations unable to patch immediately are advised to:

• Disable public access to HTTP/HTTPS management interfaces.
• Restrict administrative interface access using local policies that limit IP ranges.
• Monitor logs for IoCs and suspicious activity.

The exploitation of CVE-2024-55591 underscores the growing threat landscape targeting network security devices like firewalls and VPNs—essential components of enterprise IT environments often exposed to the internet by necessity.

The flaw’s active exploitation has prompted warnings from cybersecurity agencies worldwide, including its inclusion in CISA’s Known Exploited Vulnerabilities Catalog.

This critical vulnerability highlights the importance of timely patching and proactive monitoring for organizations using Fortinet products. With nearly 50,000 vulnerable instances reported globally, swift action is essential to mitigate risks associated with this exploit.

Organizations are urged to apply patches immediately and follow best practices for securing administrative interfaces to prevent exploitation.