
CVE-2024-55591: Follow up: Authentication Bypass Vulnerability in Fortinet FortiOS and FortiProxy

On January 14, 2025, Fortinet published a security advisory for CVE-2024-55591, an authentication bypass using an alternate path or channel vulnerability in FortiOS and FortiProxy. Find Arctic Wolf’s recommendations.

On January 14, 2025, Fortinet published a security advisory for CVE-2024-55591, an authentication bypass using an alternate path or channel vulnerability in FortiOS and FortiProxy. A remote threat actor can craft requests to the Node.js websocket module to gain super-admin privileges. 

Several weeks prior to disclosure of the vulnerability, Arctic Wolf began tracking a campaign which was later confirmed to be tied to this vulnerability. The campaign involved unexpected administrative logins from jsconsole, which is typically tied to CLI commands initiated through the FortiGate management web interface. Threat actors were then observed creating new administrative accounts, granting VPN access to the newly created users, and making other configuration changes. All affected customers were found to be exposing the FortiGate management web interface to the public internet.
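The campaign indicators described above (jsconsole administrative logins from unexpected sources, followed by creation of new administrator accounts) can be checked against FortiGate event logs. The following is an added detection example, not code from Arctic Wolf or Fortinet; it assumes the standard FortiGate key="value" event log layout (fields such as logdesc, ui, user, srcip, cfgpath, cfgobj, msg), and the sample log lines and trusted-address list are constructed for illustration.

```python
import re

# FortiGate event logs are space-separated key=value pairs; values may be quoted.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample lines (not real captures), modelled on the FortiGate event log format.
SAMPLE_LOGS = """\
date=2024-12-10 time=08:12:01 type="event" subtype="system" vd="root" logdesc="Admin login successful" user="admin" ui="https(203.0.113.10)" srcip=203.0.113.10 action="login" status="success"
date=2024-12-10 time=09:41:17 type="event" subtype="system" vd="root" logdesc="Admin login successful" user="admin" ui="jsconsole" srcip=198.51.100.77 action="login" status="success"
date=2024-12-10 time=09:41:52 type="event" subtype="system" vd="root" logdesc="Object attribute configured" user="admin" ui="jsconsole" cfgpath="system.admin" cfgobj="svcadmin" cfgattr="accprofile[super_admin]" msg="Add system.admin svcadmin"
"""


def parse_line(line):
    """Turn one key=value log line into a dict; quoted and bare values are both handled."""
    fields = {}
    for m in KV_RE.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def detect_jsconsole_activity(log_text, trusted=frozenset()):
    """Return (kind, user, detail) findings for the campaign pattern in the bulletin.

    'jsconsole_login' : successful admin login with ui=jsconsole whose source address is
                        not in the trusted management set (legitimate web-CLI use from
                        known admin hosts is not flagged).
    'admin_created'   : a new system.admin object added from a jsconsole session.
    """
    findings = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("type") != "event" or f.get("ui") != "jsconsole":
            continue
        if f.get("logdesc") == "Admin login successful" and f.get("status") == "success":
            if f.get("srcip") not in trusted:
                findings.append(("jsconsole_login", f.get("user"), f.get("srcip")))
        elif f.get("cfgpath") == "system.admin" and f.get("msg", "").startswith("Add "):
            findings.append(("admin_created", f.get("user"), f.get("cfgobj")))
    return findings


if __name__ == "__main__":
    for kind, user, detail in detect_jsconsole_activity(SAMPLE_LOGS, trusted={"203.0.113.10"}):
        print(f"{kind}: user={user} detail={detail}")
```

A jsconsole login immediately followed by an admin_created finding for the same session is the sequence the bulletin describes and warrants immediate review of the device configuration.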

To protect customers from malicious activity, Arctic Wolf released a bulletin on December 17, 2024 recommending that organizations disable management interfaces from being exposed publicly. For additional details on this campaign, see our recent blog publication. 

In addition to hardening the management interface, Arctic Wolf strongly recommends updating to the fixed versions of FortiGate firmware as outlined below.

Recommendations for CVE-2024-55591

Upgrade to Latest Fixed Version

Arctic Wolf strongly recommends that customers upgrade to the latest fixed version. 

Product         | Affected Version      | Fixed Version
FortiOS 7.0     | 7.0.0 through 7.0.16  | 7.0.17
FortiProxy 7.0  | 7.0.0 through 7.0.19  | 7.0.20
FortiProxy 7.2  | 7.2.0 through 7.2.12  | 7.2.13


Note: FortiOS 7.6, 7.4, 7.2, 6.4, and FortiProxy 7.6, 7.4, and 2.0 are unaffected by the vulnerability. 

Workarounds 

  • Disable the HTTP/HTTPS administrative interface.
  • Limit the IP addresses that can reach the administrative interface via local-in policies.

Note: FortiGuard PSIRT provides detailed steps on how to limit access to specific IP addresses in their advisory.
