Fortinet Patches Zero-Day Vulnerability Allowing Super-Admin Access

January 28, 2025

Fortinet has addressed a critical zero-day vulnerability that was being actively exploited in its FortiOS and FortiProxy products. The flaw, tracked as CVE-2024-55591, was described as an 'authentication bypass using an alternate path or channel vulnerability' that 'may allow a remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module,' according to a security advisory by FortiGuard Labs.

The company observed threat actors exploiting the flaw to perform various malicious activities, including creating admin and local user accounts with random usernames, modifying settings such as firewall policy, and gaining access to the internal network through the SSL VPN.

This vulnerability was first suspected when Arctic Wolf reported a series of attacks on FortiGate firewall devices earlier this month. The attackers were creating unauthorized administrative logins and making other configuration changes. Fortinet informed its customers about the issue and later released a patch to mitigate the flaw.

The flaw was found in the jsconsole functionality, a GUI feature used to execute CLI commands inside FortiOS's management interface. The vulnerability allowed attackers to add a new administrative account, according to watchTowr Labs. The researchers discovered that it was a combination of issues that led to one critical vulnerability, allowing attackers to gain super-admin access.

Fortinet devices are frequently targeted by threat actors, with vulnerabilities often exploited to not only breach devices but also use them as a point of entry to attack corporate networks. Organizations using the affected devices are advised to follow the appropriate update path or apply the workaround provided by Fortinet.

Fortinet also noted in its advisory that an attacker would generally need to know an admin account's username to carry out the attack. However, because the targeted WebSocket endpoint is not itself an authentication point, attackers could still brute-force the username in order to exploit the flaw.
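The observed post-exploitation activity described above (admin accounts created with random usernames, firewall policy changes, and activity originating from the jsconsole feature) is exactly what a SOC would want to hunt for in FortiOS event logs. The following is an added detection example, not code from Fortinet, Arctic Wolf or watchTowr; it assumes FortiOS-style `key=value` syslog event lines with `ui`, `action`, `cfgpath` and `cfgobj` fields, and the sample log lines, IP addresses, usernames and the `EXPECTED_ADMINS` allowlist are all constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed sample events in a FortiOS-style key=value syslog layout
# (assumption about the format; these lines are not taken from any advisory).
SAMPLE_LOGS = [
    'date=2025-01-14 time=03:12:44 type="event" subtype="system" logdesc="Admin login successful" '
    'user="admin" ui="jsconsole" action="login" status="success" srcip=203.0.113.10',
    'date=2025-01-14 time=03:12:51 type="event" subtype="system" logdesc="Object attribute configured" '
    'user="admin" ui="jsconsole" action="Add" cfgpath="system.admin" cfgobj="qx7Ktz2a" msg="Add system.admin qx7Ktz2a"',
    'date=2025-01-14 time=03:13:05 type="event" subtype="system" logdesc="Object attribute configured" '
    'user="admin" ui="jsconsole" action="Edit" cfgpath="firewall.policy" cfgobj="12"',
    'date=2025-01-14 time=09:41:02 type="event" subtype="system" logdesc="Object attribute configured" '
    'user="netops" ui="GUI(198.51.100.7)" action="Add" cfgpath="system.admin" cfgobj="jsmith" msg="Add system.admin jsmith"',
    'date=2025-01-14 time=10:00:00 type="event" subtype="system" logdesc="Admin login successful" '
    'user="netops" ui="GUI(198.51.100.7)" action="login" status="success"',
]

# Constructed allowlist of administrator names the organisation expects to exist.
EXPECTED_ADMINS = {"admin", "netops", "jsmith"}

# key=value pairs; values may be double-quoted (and contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortios_line(line: str) -> Dict[str, str]:
    """Turn one key=value event line into a dict (quoted or bare values)."""
    return {key: (quoted or bare) for key, quoted, bare in KV_RE.findall(line)}


def detect(lines: List[str], expected_admins=EXPECTED_ADMINS) -> List[Dict[str, str]]:
    """Flag the behaviours reported around CVE-2024-55591 in a batch of event lines.

    Rules (defensive heuristics, not vendor-supplied signatures):
      1. any admin login whose ui is "jsconsole"
      2. a system.admin object added via jsconsole, or with a name outside the allowlist
      3. a firewall.policy change performed via jsconsole
    """
    findings = []
    for line in lines:
        ev = parse_fortios_line(line)
        when = f'{ev.get("date", "?")} {ev.get("time", "?")}'
        ui = ev.get("ui", "")
        action = ev.get("action", "")
        cfgpath = ev.get("cfgpath", "")

        if action == "login" and ui == "jsconsole":
            findings.append({"rule": "jsconsole_admin_login", "time": when,
                             "user": ev.get("user", ""), "srcip": ev.get("srcip", "")})

        if cfgpath == "system.admin" and action == "Add":
            account = ev.get("cfgobj", "")
            if ui == "jsconsole" or account not in expected_admins:
                findings.append({"rule": "unexpected_admin_account_created", "time": when,
                                 "user": ev.get("user", ""), "account": account, "ui": ui})

        if cfgpath == "firewall.policy" and ui == "jsconsole":
            findings.append({"rule": "firewall_policy_changed_via_jsconsole", "time": when,
                             "user": ev.get("user", ""), "policy": ev.get("cfgobj", "")})
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per rule, handy for a quick triage dashboard."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["rule"]] = counts.get(f["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in detect(SAMPLE_LOGS):
        print(f)
    print(summarize(detect(SAMPLE_LOGS)))
```

On the constructed sample, the three events from the 03:12 session are flagged (a jsconsole login, a new `system.admin` object with a random-looking name, and a firewall policy edit via jsconsole) while the later GUI-originated creation of an allowlisted account is not. The allowlist check is the cheap part; the stronger signal is the `ui` field, since the advisory ties the flaw to the jsconsole feature and most organisations never use it from an external address, so an unexpected `ui="jsconsole"` on an administrative change deserves an incident ticket regardless of the account name.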
