Share This:

Cybersecurity Threat Advisory

A critical Fortinet authentication bypass vulnerability, CVE-2024-55591, is actively exploited in the wild. This vulnerability impacts FortiOS and FortiProxy, with a CVSS score of 9.6. Continue reading this Cybersecurity Threat Advisory to learn the necessary steps to protect your environment.

What is the threat?

The vulnerability enables attackers to bypass authentication mechanisms in FortiOS and FortiProxy, exploiting improper handling of certain requests. Threat actors can gain full administrative privileges on vulnerable devices by leveraging this flaw. This facilitates unauthorized changes, the creation of malicious admin accounts, and access to internal networks.

Why is it noteworthy?

This is particularly noteworthy because this vulnerability is linked to an ongoing zero-day campaign observed since November 2024, targeting Fortinet’s FortiGate firewalls. FortiOS and FortiProxy are used in different Fortinet products including firewalls, secure gateways, and SSL VPNs. Upon successful exploitation, attackers conduct reconnaissance, tamper with VPN access, or move laterally and compromise the environment.

What is the exposure or risk?

Successful exploitation of CVE-2024-55591 could lead to:

  1. System compromise: Attackers may gain unauthorized super-admin privileges, enabling them to control, manipulate, or extract data from the system.
  2. Network exposure: Gaining VPN access provides attackers with a pathway to penetrate internal networks for further malicious activities, including data theft and lateral movement.
  3. Disruption of business operations: Alterations to critical security configurations may result in degraded or entirely compromised operational security.
  4. Sensitive data exposure: Attackers exploiting the vulnerability could access confidential information, which might lead to regulatory violations or reputational damage.

What are the recommendations?

Barracuda recommends the following actions to limit the exposure of your environment from this vulnerability:

  • Upgrade to version 7.0.17 or above for FortiOS and version 7.2.13 or above for FortiProxy
  • Implement temporary workarounds to disable HTTP/HTTPS administrative interfaces where possible.
  • Apply local-in policies to limit IP addresses and restrict administrative access interfaces
  • Monitor and detect indicators of compromise (IoCs), using solutions such as Barracuda Managed XDR Network Security, for suspicious admin login activity or jsconsole-based sessions, and search for spoofed IPs like 1.1.1.1 and 8.8.8.8 or known attacker IPs including 45.55.158.47.
  • Review your environment for any anomalous user accounts, changes in SSL VPN configuration, and evidence of lateral movement as detailed in the Fortinet advisory.
  • Segregate critical resources from publicly accessible systems and limit unnecessary exposure of admin panels and other sensitive interfaces.

References

For more in-depth information about the recommendations, please visit the following links:

If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.


Share This:
Aniket Kapoor

Posted by Aniket Kapoor

Aniket is a Cybersecurity Analyst at Barracuda MSP. He's a security expert, working on our Blue Team within our Security Operations Center. Aniket supports our XDR service delivery and is highly skilled at analyzing security events to detect cyber threats, helping keep our partners and their customers protected.

All Posts

Leave a reply

Your email address will not be published. Required fields are marked *