Critical Fortinet Zero-Day Vulnerability Exploited in the Wild: CVE-2024-55591
In a troubling development, Fortinet has disclosed a critical zero-day vulnerability affecting its FortiOS and FortiProxy products. Tracked as CVE-2024-55591 with a CVSS score of 9.3, this vulnerability allows remote attackers to gain super-admin privileges on affected devices, including firewalls and SSL VPNs.
The flaw has already been exploited in the wild, highlighting the urgency for organizations to act swiftly to mitigate risks.
Details of CVE-2024-55591
This authentication bypass vulnerability enables threat actors to compromise Fortinet devices by:
Creating unauthorized administrative accounts.
Modifying firewall policies and settings.
Adding themselves as local users to access SSL VPNs.
Fortinet has confirmed exploitation reports but has not attributed the activity to a specific threat actor. Indicators of compromise (IoCs) include the creation of unauthorized user groups and administrative accounts, as well as changes to critical device configurations.
Exploitation Timeline
The vulnerability appears to be connected to a November 2024 attack campaign observed by Arctic Wolf, targeting publicly exposed management interfaces on FortiGate firewalls.
Stages of the Campaign:
Scanning and Reconnaissance: Mid-November to late November 2024.
SSL VPN Configuration: Early December 2024.
Lateral Movement: Mid to late December 2024.
Arctic Wolf’s findings suggest the exploitation involved opportunistic attacks against a limited number of organizations.
Mitigation Measures
Fortinet urges organizations to take immediate steps to protect their networks:
Apply Patches
Use Fortinet’s upgrade tool to ensure devices are updated to secure firmware versions.
Limit Management Interface Exposure
Restrict access to management interfaces to trusted IPs or internal networks.
Monitor for IoCs
Watch for unusual administrative account creation, firewall policy changes, or unauthorized SSL VPN activity.
Implement Network Segmentation
Limit the potential impact of lateral movement by segmenting sensitive areas of the network.
Follow Fortinet’s Advisory
Adhere to Fortinet’s published workarounds and guidelines for CVE-2024-55591.
Broader Threat Landscape
Fortinet devices have been a frequent target for attackers, including state-sponsored threat actors and ransomware affiliates. While attribution for CVE-2024-55591 exploitation remains unclear, researchers warn that the activity could potentially align with ransomware operations.
Past campaigns have shown similarities in techniques, including the use of compromised VPN accounts and targeted exploitation of zero-day vulnerabilities.
Call to Action
The CVE-2024-55591 vulnerability is a critical reminder of the importance of robust security practices. Organizations should:
Prioritize patch management.
Regularly audit their network for exposed management interfaces.
Stay informed of emerging threats and indicators of compromise.
Fortinet users are encouraged to act quickly to safeguard their infrastructure and prevent potential breaches.
Stay vigilant. Stay secure.
