CVE-2024-55591
📋 TL;DR
This vulnerability allows remote attackers to bypass authentication and gain super-admin privileges on affected Fortinet devices by sending crafted requests to the Node.js websocket module. It affects FortiOS versions 7.0.0 through 7.0.16 and FortiProxy versions 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12. Organizations using these versions are at risk of complete system compromise.
💻 Affected Systems
- FortiOS
- FortiProxy
📦 What is this software?
Fortios by Fortinet
Fortiproxy by Fortinet
Fortiproxy by Fortinet
⚠️ Risk & Real-World Impact
Worst Case
An attacker gains full administrative control, enabling data theft, network disruption, ransomware deployment, and persistent backdoor installation.
Likely Case
Attackers exploit this to establish initial access, escalate privileges, and move laterally within the network for further attacks.
If Mitigated
With proper network segmentation and monitoring, impact may be limited to isolated segments, but full compromise of the device is still possible.
🎯 Exploit Status
Exploitation is confirmed by CISA and Fortinet, with crafted requests allowing remote, unauthenticated attackers to gain super-admin access easily.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: FortiOS 7.0.17 or later, FortiProxy 7.0.20 or later, FortiProxy 7.2.13 or later
Vendor Advisory: https://fortiguard.fortinet.com/psirt/FG-IR-24-535
Restart Required: Yes
Instructions:
1. Backup configuration. 2. Download and apply the patched version from Fortinet support. 3. Restart the device. 4. Verify the update and monitor for issues.
🔧 Temporary Workarounds
Disable Node.js Websocket Module
allIf possible, disable the vulnerable Node.js websocket module to block exploitation, but this may affect functionality.
Consult Fortinet documentation for specific disable commands; typically via CLI: 'config system global' and set relevant parameters.
Restrict Network Access
allLimit access to the device's management interfaces to trusted IPs only using firewall rules.
config firewall address
create trusted IP objects, then apply via 'config firewall policy' to restrict management access.
🧯 If You Can't Patch
- Isolate affected devices in a segmented network zone to limit lateral movement and monitor traffic closely.
- Implement strict access controls and multi-factor authentication for administrative accounts to reduce impact if compromised.
🔍 How to Verify
Check if Vulnerable:
Check the device version via CLI: 'get system status' and compare against affected ranges.Check Version:
get system statusVerify Fix Applied:
After patching, run 'get system status' to confirm version is 7.0.17+ for FortiOS or 7.0.20+/7.2.13+ for FortiProxy.📡 Detection & Monitoring
Log Indicators:
- Unusual websocket connection attempts, unexpected super-admin login events, or privilege escalation logs in system logs.
Network Indicators:
- Anomalous traffic to Node.js websocket ports, spikes in management interface requests from untrusted sources.
SIEM Query:
Example: 'source="fortinet" AND (event_type="authentication" AND result="success" AND user="super_admin") OR (protocol="websocket" AND dest_port=* AND action="blocked")'