Listen to this Post
2025-02-11
A severe vulnerability in Fortinet’s FortiOS and FortiProxy products has been discovered, allowing attackers to bypass authentication and gain super-admin privileges. This flaw, identified as an “Authentication Bypass Using an Alternate Path or Channel” (CWE-288), is designated CVE-2024-55591 and CVE-2025-24472, with a CVSSv3 score of 9.6, indicating a critical level of severity. The vulnerability enables unauthorized access to systems, permitting attackers to execute arbitrary commands and modify system configurations, putting organizations at significant risk. Exploits have already been observed in the wild, making this an urgent issue for affected users.
the Issue
The vulnerability impacts specific versions of FortiOS and FortiProxy:
- FortiOS versions 7.0.0 to 7.0.16 are affected, with patches available from version 7.0.17 onward.
- FortiProxy versions 7.2.0 to 7.2.12 and 7.0.0 to 7.0.19 are also vulnerable, with secure versions being 7.2.13 and 7.0.20, respectively.
- Versions like FortiOS 7.6, 6.4, and FortiProxy 7.6, 2.0 are not impacted.
Exploiting this flaw allows attackers to create super-admin accounts by bypassing authentication mechanisms, typically via crafted requests that target the Node.js WebSocket module or CSF proxy requests. Attackers have been observed creating random usernames, modifying firewall policies, and setting up SSL VPN tunnels to access internal networks. Compromise indicators include successful logins via “jsconsole” with random scripts, and admin account creation with seemingly arbitrary names.
Mitigation Steps
Fortinet recommends upgrading to the latest secure versions immediately. As a temporary measure, disabling HTTP/HTTPS administrative interfaces or restricting access to trusted IPs through local-in policies can reduce the attack surface. Disabling the Security Fabric feature and ensuring all admin usernames are complex and non-standard can further mitigate risks. However, patching with the recommended firmware update remains the most effective solution.
What Undercode Says:
This vulnerability highlights a major concern for organizations relying on Fortinet’s solutions. The discovery of a high-severity flaw in FortiOS and FortiProxy emphasizes the ongoing battle between security researchers and cybercriminals targeting critical infrastructure. By bypassing authentication mechanisms, attackers gain super-admin privileges, a dangerous capability that can lead to unauthorized system modifications, data leaks, or further exploits within internal networks.
Exploitation Tactics
What sets this exploit apart is the method used to gain super-admin access: attackers exploit crafted requests targeting the Node.js WebSocket module or CSF proxy requests. These techniques bypass standard authentication checks, which suggests the vulnerability lies not only in authentication handling but also in how the system handles these requests.
Moreover, the observed attack patterns raise alarms. The random creation of user accounts with nonsensical names and the modification of firewall policies suggest a deeper agenda. Often, attackers modify settings to facilitate further access, such as opening SSL VPN tunnels for later exploitation or using these compromised devices as footholds within a larger network.
Given the active exploitation in the wild,
Analysis of Mitigation Strategies
Fortinet’s recommended response—upgrading to secure versions—is the most robust defense. Immediate patching is crucial to closing the vulnerability, but in high-risk environments, administrators should also implement the temporary workarounds. Restricting administrative interfaces and limiting access through local-in policies can slow down or prevent attacks, but they are not foolproof solutions.
The recommendation to disable the Security Fabric feature is particularly noteworthy. While it’s not a permanent fix, this action can prevent some attack vectors by reducing the exposed services available to potential attackers. However, relying on such measures without patching the core vulnerability would only offer partial protection.
Administrators should also take proactive steps in securing admin accounts. The guidance to use non-standard usernames is an essential but often overlooked practice that could make a significant difference in thwarting brute-force or enumeration attempts by attackers. This practice, combined with a strict password policy and multi-factor authentication, can greatly reduce the risk.
Fortinet’s proactive communication with the cybersecurity community and their collaboration with researchers like Sonny from watchTowr is commendable. This responsible disclosure and ongoing sharing of mitigation strategies have been vital in ensuring that users have the information they need to secure their systems effectively.
Broader Implications
This vulnerability underscores the importance of regular updates and patch management in enterprise environments. As systems become more interconnected and complex, attackers continuously find ways to exploit vulnerabilities. Firewalls and proxies are especially critical components in protecting network perimeters, and any compromise can have widespread consequences.
Organizations that neglect to update their systems in a timely manner put themselves at greater risk of being compromised. The fact that this vulnerability is actively being exploited only highlights the urgency of a swift response. Moreover, businesses should prepare for the possibility of such attacks by having a robust incident response plan in place, including monitoring for suspicious activity and potential indicators of compromise.
In conclusion, while Fortinet’s response is commendable, this incident serves as a reminder of the ever-evolving threat landscape. Security must be a continuous process, not a one-time action. Regular monitoring, updates, and security best practices are crucial in defending against sophisticated attacks targeting essential infrastructure.
References:
Reported By: https://cyberpress.org/fortios-fortiproxy-vulnerability-allows-attackers-firewall/
https://www.medium.com
Wikipedia: https://www.wikipedia.org
Undercode AI: https://ai.undercodetesting.com
Image Source:
OpenAI: https://craiyon.com
Undercode AI DI v2: https://ai.undercode.help
