CVE-2024-55591: Fortinet Authentication Bypass Zero-Day Vulnerability Exploited in the Wild

Fortinet has patched a critical zero-day authentication bypass vulnerability in FortiOS and FortiProxy, which has been actively exploited in the wild since November 2024. The vulnerability, tracked as CVE-2024-55591, allows an unauthenticated remote attacker to bypass authentication and gain super-admin privileges on a vulnerable device by sending a specially crafted request to a Node.js websocket module. Researchers at Arctic Wolf first observed the suspicious activity related to the exploitation of this vulnerability in mid-November 2024. The vulnerability has been exploited in a campaign that involves four distinct phases: scanning, reconnaissance, SSL VPN configuration, and lateral movement. Fortinet has released patches for FortiOS and FortiProxy, and also provided indicators of compromise and workaround steps in its security advisory. The company has also released several additional security advisories for vulnerabilities affecting FortiOS and FortiProxy. The vulnerability is the latest in a series of flaws that have been targeted by threat actors, including advanced persistent threat actors, since 2019. Fortinet has released patches for the affected versions of FortiOS and FortiProxy, and customers are advised to upgrade to the fixed versions to prevent exploitation. Tenable has also released plugins to help identify affected systems, and customers can utilize Tenable Attack Surface Management to identify public-facing Fortinet assets.