Intruvent Technologies
Contact us
9.6
Critical CVE Analysis CISA KEV TLP:CLEAR

CVE-2024-55591

FortiOS & FortiProxy Authentication Bypass via Node.js WebSocket

Critical authentication bypass vulnerability actively exploited since November 2024. Remote unauthenticated attackers gain super-admin privileges via the Node.js WebSocket module. CISA KEV listed.

9.6
CVSS Score
CWE-288
Auth Bypass
Nov 2024
Zero-Day Since
Jan 17
CISA KEV Added
Qilin
Ransomware Use
📄

Download Full Vulnerability Advisory

Complete technical analysis with IOCs, detection queries, remediation steps, and references.

1 Executive Summary

Active Zero-Day Exploitation

CVE-2024-55591 has been actively exploited since mid-November 2024, weeks before public disclosure. Threat actors are gaining super-admin privileges on FortiGate firewalls, creating rogue accounts, and using SSL VPN to tunnel into enterprise networks. CISA added this to the KEV catalog on January 17, 2025.

CVE-2024-55591 is an authentication bypass vulnerability in Fortinet FortiOS and FortiProxy. A remote, unauthenticated attacker can send specially crafted requests to the Node.js websocket module to gain super-admin privileges on vulnerable devices. This allows complete control over the firewall, including creating admin accounts, modifying policies, and enabling VPN access for lateral movement into internal networks.

Exploitation Impact

Create Admin Accounts
Add new super-admin users with random names
Create Local Users
Add local users to SSL VPN groups
Modify Firewall Policies
Change security rules for unauthorized access
Access SSL VPN
Tunnel into internal networks via created VPN accounts

2 Affected Products

Vulnerable Versions
Product Vulnerable Versions Fixed Version
FortiOS 7.0.0 through 7.0.16 7.0.17 or above
FortiProxy 7.0.0 through 7.0.19 7.0.20 or above
FortiProxy 7.2.0 through 7.2.12 7.2.13 or above
Not Affected

FortiOS 7.6.x, 7.4.x, 7.2.x, 6.4.x and FortiProxy 7.6.x, 7.4.x, 2.0.x are NOT vulnerable.

3 Exploitation Timeline

Arctic Wolf documented a coordinated attack campaign exploiting this vulnerability before public disclosure:

Nov 16-23, 2024
Scanning
Automated vulnerability scanning of internet-exposed FortiGate devices
Nov 22-27, 2024
Reconnaissance
Configuration enumeration and changes via jsconsole
Dec 4-7, 2024
Privilege Escalation
Creation of super-admin accounts with random usernames; hijacking existing accounts
Dec 16-27, 2024
Lateral Movement
Credential extraction; SSL VPN tunneling into internal networks
Jan 10, 2025
Public Disclosure
Arctic Wolf publishes campaign analysis
Jan 14, 2025
Vendor Advisory
Fortinet releases advisory FG-IR-24-535
Jan 17, 2025
CISA KEV
Added to Known Exploited Vulnerabilities catalog

4 Detection

Key indicators to identify exploitation attempts in your environment.

FortiGate Log Pattern - Suspicious jsconsole Activity

type="event" subtype="system" level="information"
logdesc="Admin login successful" user="Local_Process_Access"
ui="jsconsole" srcip=1.1.1.1 dstip=1.1.1.1 action="login" status="success"

Note: The srcip and dstip values are attacker-controlled and spoofed. Do not rely on these IPs for attribution.

Behavioral Indicators

Unauthorized admin account creation
Monitor for new admin accounts with random/unusual usernames
Local user creation
Alert on new local users, especially those added to SSL VPN groups
Firewall policy changes
Audit configuration changes originating from jsconsole interface
SSL VPN tunnel creation
Monitor for VPN connections from newly created accounts
Unexpected jsconsole logins
Alert on jsconsole authentication events outside normal admin activity

FortiGate CLI - Check for Unauthorized Accounts

diagnose sys admin list          # Review for unexpected admin accounts
config system admin show         # Audit all admin accounts and creation dates
diagnose debug config-error-log read  # Check for configuration changes

Need More Detection Queries?

The full advisory includes additional log patterns and compromise assessment queries.

Download Full Advisory

5 Remediation

🚨
PATCH IMMEDIATELY
Active zero-day exploitation - CISA KEV listed
Patching Guidance
Product Current Version Upgrade To
FortiOS7.0.0 - 7.0.167.0.17 or above
FortiProxy7.0.0 - 7.0.197.0.20 or above
FortiProxy7.2.0 - 7.2.127.2.13 or above

Post-Compromise Actions

If exploitation is suspected or confirmed:

  1. Audit all admin accounts - Remove any unauthorized accounts immediately
  2. Audit local users - Check for users added to SSL VPN groups
  3. Review firewall policies - Identify and revert unauthorized changes
  4. Reset all admin credentials - Change passwords for all legitimate admin accounts
  5. Review VPN logs - Identify any unauthorized VPN tunnels
  6. Forensic investigation - Assess lateral movement into internal network

Active Threat Actor Exploitation

This vulnerability is being actively exploited by ransomware operators for initial access.

View Qilin Ransomware Profile

Related Reports

Critical CVE

CVE-2024-21762: FortiOS SSL VPN

Related FortiOS vulnerability often chained in attacks.

Critical Threat Actor

Qilin Ransomware

Qilin affiliates exploit this vulnerability for initial access.

High Hunting Guide

Qilin Hunting Guide

Detection rules and hunt procedures for Qilin ransomware.

🛡️

Track CVE-2024-55591 Exploitation with BRACE

BRACE delivers monthly threat intelligence covering this vulnerability and 500+ other exploited CVEs with detection rules and hunting playbooks for your sector.