Fortinet has issued a warning about a critical zero-day vulnerability in its firewalls. Attackers are actively exploiting this authentication bypass to take over firewalls and penetrate corporate networks.
The vulnerability (CVE-2024-55591) affects FortiOS versions 7.0.0 through 7.0.16 and multiple versions of the FortiProxy secure web gateway. Successful exploitation lets attackers obtain super-admin privileges by sending crafted requests to the Node.js websocket module.
Method of attack and impact
Fortinet states that attackers create randomly generated administrators or local users on compromised devices. These users are then added to existing SSL VPN user groups or newly created groups, and firewall policies and other settings are changed.
Security researchers at Arctic Wolf state that Fortinet FortiGate firewalls with Internet-exposed management interfaces have been under attack since mid-November. The attack campaign includes unauthorized admin logins, creating new accounts and SSL VPN authentication through these accounts.
Recommended actions
Fortinet recommends that admins disable the HTTP/HTTPS management interface or limit the IP addresses that can access it through local-in policies. Arctic Wolf stresses the importance of immediately disabling firewall management access on public interfaces.
Arctic Wolf has established a timeline for the CVE-2024-55591 mass exploitation campaign, consisting of four phases between Nov. 16 and Dec. 27, 2024. Organizations can check their logs for specific entries to determine whether their devices have been attacked.
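The activity described above (admin logins from untrusted sources, newly created admin or local users, changes to SSL VPN user groups, and firewall policy edits) maps directly onto FortiGate configuration-change and admin-login event logs. The following is an added example of a log-review script, not code from Fortinet or Arctic Wolf. It assumes the FortiOS key=value event-log layout (fields such as `action`, `cfgpath`, `cfgobj`, `cfgattr`, `ui`, `srcip`); the log lines, the account and group names, the IP addresses, and the trusted management prefix are all constructed placeholders, not indicators from the campaign.

```python
import re

# Constructed sample lines in FortiOS key=value event-log style (not real captures).
# 203.0.113.45 stands in for an untrusted Internet source; 10.0.5.0/24 for the admin LAN.
SAMPLE_LOGS = [
    'date=2024-12-01 time=03:14:07 type="event" subtype="system" level="notice" vd="root" '
    'logdesc="Admin login successful" user="admin" ui="https(203.0.113.45)" srcip=203.0.113.45 '
    'action="login" status="success" msg="Administrator admin logged in successfully from https(203.0.113.45)"',
    'date=2024-12-01 time=03:14:22 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Object configured" user="admin" ui="https(203.0.113.45)" action="Add" '
    'cfgpath="system.admin" cfgobj="kj7x2qz" msg="Add system.admin kj7x2qz"',
    'date=2024-12-01 time=03:15:01 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Object attribute configured" user="admin" ui="https(203.0.113.45)" action="Edit" '
    'cfgpath="user.group" cfgobj="sslvpn_users" cfgattr="member[kj7x2qz]" msg="Edit user.group sslvpn_users"',
    'date=2024-12-01 time=03:16:40 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Object configured" user="admin" ui="https(203.0.113.45)" action="Add" '
    'cfgpath="firewall.policy" cfgobj="99" msg="Add firewall.policy 99"',
    'date=2024-12-01 time=09:00:00 type="event" subtype="system" level="notice" vd="root" '
    'logdesc="Admin login successful" user="netops" ui="https(10.0.5.20)" srcip=10.0.5.20 '
    'action="login" status="success" msg="Administrator netops logged in successfully from https(10.0.5.20)"',
]

# Placeholder: prefixes of networks from which admin logins are expected (assumption).
MGMT_ALLOWLIST = ["10.0.5."]

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one FortiOS-style log line into a dict of field -> value."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def is_trusted(ip):
    return any(ip.startswith(prefix) for prefix in MGMT_ALLOWLIST)


def check_event(f):
    """Return (rule, detail) findings for one parsed event; empty list if benign."""
    findings = []
    # Successful admin login from outside the expected management networks.
    if f.get("action") == "login" and f.get("status") == "success":
        src = f.get("srcip", "")
        if not is_trusted(src):
            findings.append(("admin_login_untrusted_source", f"{f.get('user')} from {src}"))
    # New administrator or local user object created.
    if f.get("action") == "Add" and f.get("cfgpath") in ("system.admin", "user.local"):
        findings.append(("account_created", f.get("cfgobj")))
    # Membership change on a user group (e.g. an SSL VPN group gaining a new member).
    if f.get("cfgpath") == "user.group" and "member" in f.get("cfgattr", ""):
        findings.append(("group_membership_changed", f"{f.get('cfgobj')}: {f.get('cfgattr')}"))
    # Any add/edit/delete of a firewall policy.
    if f.get("cfgpath", "").startswith("firewall.policy") and f.get("action") in ("Add", "Edit", "Delete"):
        findings.append(("firewall_policy_changed", f"{f.get('action')} policy {f.get('cfgobj')}"))
    return findings


def scan(lines):
    """Scan raw log lines and collect findings with timestamp, actor and management UI."""
    results = []
    for line in lines:
        f = parse_line(line)
        for rule, detail in check_event(f):
            results.append({
                "time": f"{f.get('date')} {f.get('time')}",
                "user": f.get("user"),
                "ui": f.get("ui"),
                "rule": rule,
                "detail": detail,
            })
    return results


if __name__ == "__main__":
    for r in scan(SAMPLE_LOGS):
        print(f"{r['time']}  {r['rule']:<30} user={r['user']} ui={r['ui']}  {r['detail']}")
```

Running the script flags the four events from the untrusted source and stays silent on the routine login from the admin LAN. In practice the same rules are better expressed in the SIEM that already receives FortiGate syslog, and the `ui` field is worth keeping in every alert, since it records which management interface the change came through.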
In addition to this zero-day, Fortinet has also released patches for a critical hard-coded cryptographic key vulnerability (CVE-2023-37936). This vulnerability allows remote, unauthenticated attackers to execute unauthorized code via crafted cryptographic requests.