Visit 🇮🇪
Request Demo

NEWS

Security Bulletin: CVE-2024-55591 Fortinet – Authentication Bypass

By Bruce Skillern – Intelligence Operations Analyst, Centripetal

Overview

On January 14, 2025 Fortinet confirmed a critical zero-day vulnerability, CVE-2024-55591, in Fortinet’s FortiOS and FortiProxy systems that has been actively exploited in the wild. This authentication bypass vulnerability allows attackers to gain super-admin privileges via crafted requests to the Node.js WebSocket module, enabling unauthorized access to firewalls, rogue administrative account creation, and configuration changes. Affected products include FortiOS versions 7.0.0 to 7.0.16 and FortiProxy versions 7.0.0 to 7.0.19 and 7.2.0 to 7.2.12. This vulnerability poses a significant threat to organizations relying on
Fortinet devices for critical network security (Fortinet, 2025; Help Net Security, 2025).

 

Technical Details

Vulnerability Type: CWE-288 (Authentication Bypass Using an Alternate Path or Channel)
CVSS Score: 9.6 (Critical)

Affected Versions:

  • FortiOS: 7.0.0 to 7.0.16 (Upgrade to 7.0.17 or above)
  • FortiProxy:
    • 7.2.0 to 7.2.12 (Upgrade to 7.2.13 or above)
    • 7.0.0 to 7.0.19 (Upgrade to 7.0.20 or above) (Fortinet, 2025).
 
 

Exploitation Process

  • Initial Exploit: Attackers exploit the vulnerability using crafted WebSocket request to bypass authentication (Help Net Security, 2025).
  • Privilege Escalation: New administrative accounts are created with super-admin privileges (BleepingComputer)
  • Configuration Manipulation: Firewall policies are altered, rogue SSL VPN portals are added, and unauthorized tunnels are established (thehackernews,2025)
  • Lateral Movement: Extracted credentials enable further access and compromise within the network (Help Net Security, 2025).

 

Attack Campaign

The exploitation began in mid-November 2024 and followed four distinct phases:

  • Vulnerability Scanning: Automated scans to identify vulnerable systems (November 16–23, 2024).
  • Reconnaissance: Configuration changes and initial access validation (November 22–27, 2024).
  • SSL VPN Configuration: Creation of rogue accounts, VPN portals, and tunnels (December 4–7, 2024).
  • Lateral Movement: Credential extraction and deeper network penetration (December 16–27, 2024) (BleepingComputer, 2025; Help Net Security, 2025).

 

Indicators of Compromise (IoCs)

Suspicious Logs:

  • Successful administrative logins via the jsconsole interface from unfamiliar IPs.
  • Creation of new administrative accounts with random usernames (BleepingComputer, 2025).
 

Threat Actor Actions:

  • Creation of rogue admin and local accounts.
  • Changes to firewall policies and addition of SSL VPN portals.
  • Establishment of unauthorized VPN tunnels for network infiltration (cybersecuritynews, 2025; thehackernews, 2025).
 

Malicious IP Addresses:

1.1.1[.]1 
   		87.249.138[.]47
127.0.0[.]1137.184.65[.]71
2.2.2[.]2149.22.94[.]37
8.8.8[.]8155.133.4[.]175
8.8.4[.]4157.245.3[.]251
23.27.140[.]65167.71.245[.]10
45.55.158[.]4731.192.107[.]165
64.190.113[.]2537.19.196[.]65

(cybersecuritynews, 2025; BleepingComputer, 2025; Fortinet, 2025).

 

Mitigation Steps

  • Apply Patches: Upgrade to FortiOS version 7.0.17 or higher. Upgrade to FortiProxy version 7.0.20 or 7.2.13 or higher (Fortinet, 2025).
  • Restrict Public Exposure: Disable HTTP/HTTPS administrative interfaces or restrict access using local-in policies (Fortinet, 2025).
  • Monitor Logs for IoCs: Regularly analyze logs for unusual admin activity or account creation.
  • Block Malicious IPs: Implement firewall rules to block known malicious IPs.
  • Harden Network Defenses: Enforce network segmentation and monitor VPN activity.
  • Engage Incident Response: Review and remediate unauthorized configuration changes.

 

Vendor Response

Fortinet has released patches addressing CVE-2024-55591 and advised customers to upgrade immediately. The company has also provided guidance, including disabling vulnerable interfaces and monitoring for suspicious activity (Fortinet, 2025).

 

Conclusion

The discovery and exploitation of CVE-2024-55591 highlights the critical need for proactive patch management and limiting public exposure of management interfaces. Organizations should prioritize implementing the latest updates, restricting
access to trusted IPs, and monitoring for signs of compromise. Swift action can mitigate the risk of further exploitation and safeguard against potential breaches. Centripetal’s CleanINTERNET® service provides an invaluable layer of defense against authentication bypass vulnerabilities like CVE-2024-55591. By leveraging a dataset of billions of threat indicators, CleanINTERNET® proactively blocks malicious traffic targeting vulnerabilities, including attempts to exploit management interfaces and bypass authentication protocols. With dynamic adaptation to real-time threats and detailed insights into attack
patterns and geographic origins, CleanINTERNET® empowers organizations to adopt an intelligence-centric, data-driven, and proactive defense strategy, ensuring robust protection against evolving cyber threats.

If you use Fortinet’s FortiOS or FortiProxy please contact support@centripetal.ai.
Centripetal is pleased to offer Penetration Testing and Vulnerability Assessment services to help organizations identify vulnerabilities and reduce risk.

If interested, please contact our Professional Services team at profservs@centripetal.ai or reach out to your Centripetal Account Representative.

 

References

Tweet Article
Share Article
  • Tags

SIGN UP TO OUR NEWSLETTER

Experience how CleanINTERNET® can proactively protect your organization.

GET A DEMO