A new zero-day vulnerability (CVE-2024-55591) in FortiOS and FortiProxy allows attackers to hijack Fortinet firewalls, gaining super-admin privileges and compromising enterprise networks. The exploitation involves creating unauthorized admin accounts and modifying firewall settings. Organizations are urged to disable public management access. Affected: FortiOS, FortiProxy
Key points:
- A zero-day vulnerability (CVE-2024-55591) affects FortiOS and FortiProxy.
- Attackers can gain super-admin privileges through malicious requests to the Node.js websocket module.
- Compromised devices have unauthorized admin users created and added to SSL VPN groups.
- Attackers modify firewall policies and settings to access internal networks.
- Fortinet advises disabling public management access to mitigate risks.
- Cybersecurity firm Arctic Wolf reports on the ongoing exploitation campaign.
- The campaign includes phases of vulnerability scanning, reconnaissance, SSL VPN configuration, and lateral movement.
- Common indicators of compromise (IoCs) have been identified for monitoring attacks.
MITRE Techniques:
- T1078: Valid Accounts – Attackers create unauthorized admin accounts to gain access.
- T1071: Application Layer Protocol – Use of SSL VPN for tunneling into the internal network.
- T1203: Exploitation for Client Execution – Exploitation of the zero-day vulnerability for unauthorized access.
- T1070: Indicator Removal on Host – Attackers may modify logs to hide their activities.
Indicators of Compromise:
- [IP Address] 1.1.1.1
- [IP Address] 127.0.0.1
- [IP Address] 2.2.2.2
- [IP Address] 8.8.8.8
- [IP Address] 8.8.4.4
- See the linked article for the full list of IoCs.
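As an added example (not from the article, Arctic Wolf or Fortinet), the script below applies the source-IP indicators listed above to FortiOS-style key=value event logs and flags the three activities the key points describe: an admin login from an indicator address, creation of a super-admin account, and an SSL VPN group membership change. The log lines are constructed, and the field names (logdesc, srcip, cfgpath, cfgobj, cfgattr) and event descriptions are assumptions about the log layout, not values quoted from the advisory.

```python
import re
from typing import Dict, List, Tuple

# Source addresses listed as indicators on this page. Loopback and well-known
# public resolvers should never be the source of an admin login on a firewall,
# so a match is a high-confidence hit.
IOC_SRC_IPS = {"1.1.1.1", "127.0.0.1", "2.2.2.2", "8.8.8.8", "8.8.4.4"}

# Constructed sample lines in a FortiOS-style key=value layout. Field names and
# logdesc strings are assumptions for illustration, not quotes from the advisory.
SAMPLE_LOGS = [
    'date=2025-01-14 time=09:12:01 logdesc="Admin login successful" user="admin" srcip=1.1.1.1 action="login" status="success"',
    'date=2025-01-14 time=09:12:05 logdesc="Object configuration changed" user="admin" srcip=1.1.1.1 cfgpath="system.admin" cfgobj="backup_admin" cfgattr="accprofile[super_admin]"',
    'date=2025-01-14 time=09:13:40 logdesc="Object configuration changed" user="admin" srcip=1.1.1.1 cfgpath="user.group" cfgobj="sslvpn_users" cfgattr="member[backup_admin]"',
    'date=2025-01-14 time=10:02:11 logdesc="Admin login successful" user="netops" srcip=203.0.113.7 action="login" status="success"',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_kv(line: str) -> Dict[str, str]:
    """Parse one key=value log line, stripping quotes from quoted values."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV_RE.finditer(line)}


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of the detection rules an event matches (empty = benign)."""
    hits = []
    if event.get("logdesc") == "Admin login successful" and event.get("srcip") in IOC_SRC_IPS:
        hits.append("admin-login-from-ioc-source")
    # New or modified admin object granted the super_admin access profile.
    if event.get("cfgpath") == "system.admin" and "super_admin" in event.get("cfgattr", ""):
        hits.append("new-super-admin-account")
    # Membership change on a group whose name marks it as an SSL VPN user group.
    if event.get("cfgpath") == "user.group" and "sslvpn" in event.get("cfgobj", "").lower():
        hits.append("sslvpn-group-membership-change")
    return hits


def scan(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Return (line_number, matched_rules) for every line that triggers a rule."""
    results = []
    for number, line in enumerate(lines, 1):
        rules = classify(parse_kv(line))
        if rules:
            results.append((number, rules))
    return results


if __name__ == "__main__":
    for number, rules in scan(SAMPLE_LOGS):
        print(f"line {number}: {', '.join(rules)}")
```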
Full Research: https://www.bleepingcomputer.com/news/security/fortinet-warns-of-auth-bypass-zero-day-exploited-to-hijack-firewalls/