overview

CVE-2024-55591 is a critical authentication bypass vulnerability in Fortinet's FortiOS and FortiProxy products. This flaw allows remote attackers to gain super-admin privileges by sending malicious requests to the Node.js websocket module. Exploiting this vulnerability enables attackers to create unauthorized administrative accounts, modify firewall policies, and establish unauthorized VPN connections, potentially leading to full system compromise.  

Affected Versions:

  • FortiOS: Versions 7.0.0 through 7.0.16
  • FortiProxy: Versions 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12

Independent threat hunters have observed this vulnerability being targeted and exploited. After initial reconnaissance, attackers have leveraged access within the firewall management console to create "super admin" accounts, which are then used to set up additional infrastructure and illicit user accounts within the victim environment, setting the conditions for further exploitation.


how avertium is protecting our customers


IOCs ADDED TO OUR THREAT FEEDS

At this time, there are no known IoCs associated with successful exploitation of CVE-2024-55591. Avertium remains vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, please reach out to your Avertium Service Delivery Manager or Account Executive.   


TTPs TO MONITOR

  1. Initial Access (TA0001)
  • Technique: Exploitation of Vulnerability (T1190)
    The attacker might exploit a known vulnerability (e.g., CVE-2024-55591) to gain unauthorized access to the firewall management system.
  2. Persistence (TA0003)
  • Technique: Create Account (T1136)
    By creating "super admin" accounts, the attacker ensures continued access to the system even if the initial exploit is detected and mitigated.
  3. Privilege Escalation (TA0004)
  • Technique: Abuse Elevation Control Mechanism (T1548)
    If the attacker's initial access is limited, they may escalate privileges to create "super admin" accounts, granting them higher-level permissions.
  4. Defense Evasion (TA0005)
  • Techniques:
    • Modify Authentication Process (T1556): Altering the authentication mechanisms or configurations to avoid detection.
    • Masquerading (T1036): Using legitimate-looking usernames or account names to avoid raising suspicion.
  5. Credential Access (TA0006)
  • Technique: Credential Dumping (T1003)
    The attacker may attempt to dump credentials from the system to assist in creating or using administrative accounts.
  6. Command and Control (TA0011)
  • Technique: Application Layer Protocol (T1071)
    The attacker could use administrative privileges to configure communication channels, enabling unauthorized remote access.


additional recommendations + information

  1. Ensure all systems are updated with the latest patches to prevent exploitation of vulnerabilities like CVE-2024-55591. 
  2. Review all admin accounts for legitimacy on a regular AND frequent basis.
  3. Limit admin privileges to essential personnel.
  4. DO NOT expose your firewall management interface to the internet.
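The TTPs above (notably Create Account, T1136, and firewall policy or VPN changes made from a "super admin" session) and recommendation 2 (reviewing admin accounts for legitimacy) both come down to reading the FortiOS event log for administrator logins and configuration changes. The script below is an added example written for this notice; it is not Avertium's or Fortinet's code and it is not a detection for a known IoC of CVE-2024-55591. It parses FortiOS-style key=value event-log lines, flags logins with the super_admin profile and changes to a set of sensitive configuration paths, and compares admin accounts created in the log against an approved roster. Field names follow the FortiOS key=value log format, but the logdesc strings, the watched cfgpath values and every sample log line are constructed assumptions; adjust them to what your own devices emit.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# FortiOS event logs are space-separated key=value pairs; values are either
# bare tokens or double-quoted strings (quotes may contain spaces/escapes).
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortios_event(line: str) -> Dict[str, str]:
    """Turn one key=value log line into a dict (quotes stripped)."""
    fields: Dict[str, str] = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


@dataclass
class Finding:
    line_no: int
    rule: str     # which review rule fired
    user: str     # administrator that performed the action
    obj: str      # configuration object touched (account name, policy id, ...)
    detail: str


# Assumed cfgpath values for the objects this notice says attackers touch:
# admin accounts, firewall policies and VPN user/settings objects.
WATCHED_CFGPATHS = {
    "system.admin": "administrator account (Create Account, T1136)",
    "firewall.policy": "firewall policy",
    "user.local": "local user (VPN access)",
    "vpn.ssl.settings": "SSL-VPN settings",
}


def review_fortios_events(lines: Iterable[str]) -> List[Finding]:
    """Flag super_admin logins and configuration changes on sensitive paths."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, 1):
        ev = parse_fortios_event(line)
        if ev.get("type") != "event":
            continue
        desc = ev.get("logdesc", "")
        user = ev.get("user", "?")
        if desc == "Admin login successful" and ev.get("profile") == "super_admin":
            findings.append(Finding(n, "super_admin_login", user, "",
                                    f"via {ev.get('ui', '?')} srcip={ev.get('srcip', '?')}"))
        elif desc == "Object attribute configured":
            path = ev.get("cfgpath", "")
            if path not in WATCHED_CFGPATHS:
                continue
            action = ev.get("action", "?")
            obj = ev.get("cfgobj", "?")
            # A new entry under system.admin is an administrator account creation.
            rule = ("admin_account_created" if path == "system.admin" and action == "Add"
                    else f"config_change:{path}")
            detail = f"{action} {WATCHED_CFGPATHS[path]} {obj} {ev.get('cfgattr', '')}".strip()
            findings.append(Finding(n, rule, user, obj, detail))
    return findings


def unapproved_admins(lines: Iterable[str], approved: Iterable[str]) -> List[str]:
    """Admin accounts created in the log that are missing from the approved roster."""
    roster = set(approved)
    created = {f.obj for f in review_fortios_events(lines) if f.rule == "admin_account_created"}
    return sorted(created - roster)


# Constructed sample log (not real device output): a super_admin login, creation of a
# second super_admin account, a policy flipped to accept, a new VPN user, and a benign login.
SAMPLE_LOG = [
    'date=2025-01-15 time=10:02:11 type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" ui="https(203.0.113.10)" method="https" srcip=203.0.113.10 action="login" status="success" profile="super_admin" msg="Administrator admin logged in successfully from https(203.0.113.10)"',
    'date=2025-01-15 time=10:03:40 type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="https(203.0.113.10)" action="Add" cfgpath="system.admin" cfgobj="svc_backup" cfgattr="accprofile[super_admin]" msg="Add system.admin svc_backup"',
    'date=2025-01-15 time=10:05:02 type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="svc_backup" ui="https(203.0.113.10)" action="Edit" cfgpath="firewall.policy" cfgobj="12" cfgattr="action[deny->accept]" msg="Edit firewall.policy 12"',
    'date=2025-01-15 time=10:06:15 type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="svc_backup" ui="https(203.0.113.10)" action="Add" cfgpath="user.local" cfgobj="vpn_tmp" cfgattr="type[password]" msg="Add user.local vpn_tmp"',
    'date=2025-01-15 time=10:07:00 type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="netops" ui="https(10.20.0.5)" method="https" srcip=10.20.0.5 action="login" status="success" profile="prof_admin" msg="Administrator netops logged in successfully from https(10.20.0.5)"',
]

if __name__ == "__main__":
    for f in review_fortios_events(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.rule} by {f.user}: {f.detail}")
    print("admins not on roster:", unapproved_admins(SAMPLE_LOG, ["admin", "netops"]))
```

Run it against an export of `type="event" subtype="system"` logs (from the unit or from your SIEM) with your real admin roster in place of the sample one; every entry returned by unapproved_admins is an account that nobody on the approved list should have created, which is exactly the review recommendation 2 asks for. The rules deliberately key on object paths rather than on attacker usernames, since the notice lists Masquerading (T1036) as an expected evasion.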


ADDITIONAL SERVICE OFFERINGS

  • Fusion MXDR is the first MDR offering that fuses together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity – one that is greater than the sum of its parts.
  • Security Information and Event Management (SIEM) - Minimizing the impact of a successful ransomware or malware attack requires detecting it as early in the attack as possible. A Security Information and Event Management (SIEM) system can help an organization to accomplish this. Avertium offers a comprehensive SIEM-based approach that increases the potential for detecting a ransomware infection before it deploys. SIEM provides a holistic overview of a company’s IT environment from a single point of view in terms of its specific security events, empowering teams to detect and analyze unusual behavior. 
  • Avertium aligns your Cybersecurity Strategy with your business strategy, ensuring that your investment in security is also an investment in your business. Our Cybersecurity Strategy service includes:  
    • Strategic Security Assessments - Strengthening your security posture begins with knowing where your current program stands (NIST CSF, Security Architecture, Business Impact Analysis, Sensitive Data Inventory, Network Virtualization and Cloud Assessment). 
    • Threat Mapping – Leverage Avertium’s Cyber Threat Intelligence, getting a more informed view of your most likely attack scenarios (Threat Assessment and MITRE ATT&CK). 
    • Cyber Maturity Roadmap - Embrace a comprehensive, quantifiable, and well-organized approach to establishing and continuously enhancing your cybersecurity resilience (Policy + Procedure Development, Virtual CISO (VCISO), Training + Enablement, Tabletop Exercises, and Business Continuity + Disaster Recovery Plan).


SUPPORTING DOCUMENTATION

Zero-Day Vulnerability Suspected in Attacks on Fortinet Firewalls with Exposed Interfaces 

Fortinet warns of auth bypass zero-day exploited to hijack firewalls 

Authentication bypass in Node.js websocket module 

CVE-2024-55591 
