Focus Mode
Threat Research

Fortinet Zero-Day CVE-2024-55591 Exposed: Super-Admin Access Risk

Cyble
Fortinet Zero-Day CVE-2024-55591 Exposed: Super-Admin Access Risk
Fortinet has issued a critical advisory for a severe authentication bypass vulnerability (CVE-2024-55591) affecting its FortiOS and FortiProxy products, enabling attackers to gain super-admin privileges. This flaw is actively exploited and has a high CVSSv3 score of 9.6. Organizations are urged to upgrade their systems immediately to mitigate risks. Affected: FortiOS, FortiProxy

Keypoints :

  • Fortinet released an advisory for CVE-2024-55591, a critical authentication bypass vulnerability.
  • The vulnerability affects FortiOS versions 7.0.0 to 7.0.16 and FortiProxy versions 7.0.0 to 7.0.19, among others.
  • Attackers can exploit this flaw to gain unauthorized super-admin access.
  • Malicious actions include creating user accounts, modifying firewall settings, and establishing SSL VPN tunnels.
  • Immediate upgrade to FortiOS 7.0.17 or later and FortiProxy 7.0.20 or later is recommended.
  • Monitoring for specific Indicators of Compromise (IoCs) is crucial for detection.
  • Organizations should implement mitigations if upgrades cannot be performed immediately.
  • Active exploitation of the vulnerability has been reported.
  • Best practices include enabling logging, conducting vulnerability scans, and adopting a Zero Trust approach.
  • Organizations must proactively address vulnerabilities to safeguard their infrastructure.

MITRE Techniques :

  • TA0001 – Initial Access: Exploitation of the vulnerability through malicious WebSocket requests.
  • TA0002 – Execution: Unauthorized execution of administrative commands after gaining access.
  • TA0003 – Persistence: Creation of unauthorized user accounts to maintain access.
  • TA0004 – Privilege Escalation: Gaining super-admin privileges through authentication bypass.
  • TA0005 – Defense Evasion: Using random usernames to evade detection during attacks.

Indicator of Compromise :

  • [IP Address] 45.55.158.47
  • [IP Address] 87.249.138.47
  • [IP Address] 155.133.4.175
  • [IP Address] 37.19.196.65
  • [IP Address] 149.22.94.37
  • Check the article for all found IoCs.

Full Research: https://cyble.com/blog/cve-2024-55591-the-fortinet-flaw-putting-critical-systems-at-risk/

Tags: VPN, FIREWALL, DEFENSE EVASION, VULNERABILITY, EXPLOIT, INITIAL ACCESS, PATCH, BROWSER