Alert Essentials:
Attackers are actively compromising networks using FortiOS vulnerabilities.
Upgrade devices or mitigate immediately.
Detailed Threat Description:
Two critical authentication bypasses in FortiOS have been reported, and one is under active exploitation. CVE-2024-55591 provides a bypass to remote attackers via crafted requests to the Node.js web socket module and has been added to the CISA Known Exploited List (KEV). This vulnerability has been spotted in the wild since December 2024 and is still under exploitation.
CVE-2025-24472 allows remote attackers to gain super privileges with crafted ConfigServer Firewall (CSF) proxy requests. Although this flaw has not yet been seen in active campaigns, the potential for its use is significant.
Fortinet recommends immediate device updates and provides IoCs for customer investigations. However, if a customer previously upgraded based on the January 2025 guidance in FG-IR-24-535 / CVE-2024-55591, they are already protected against the newly disclosed CVE-2025-24472.
Impacts on Healthcare Organizations:
These threats pose significant risks to healthcare networks due to their potential to allow unauthorized access to critical systems.
Attackers exploiting these vulnerabilities could gain super-admin access to Fortinet appliances, potentially exposing Electronic Health Records (EHRs), Personally Identifiable Information (PII), and Protected Health Information (PHI), resulting in fines and loss of patient trust.
Healthcare network defenders must act quickly to patch vulnerabilities, restrict access, and enhance monitoring to prevent devastating consequences from these security flaws.
Affected Products / Versions:
| Version | Affected | Solution |
|---|---|---|
| FortiOS 7.6 | Not affected | Not Applicable |
| FortiOS 7.4 | Not affected | Not Applicable |
| FortiOS 7.2 | Not affected | Not Applicable |
| FortiOS 7.0 | 7.0.0 through 7.0.16 | Upgrade to 7.0.17 or above |
| FortiOS 6.4 | Not affected | Not Applicable |
CVEs
CVE-2024-55591 – CWE-288 – (CVSS 9.6)
CVE-2025-24472 – CWE-288 – (CVSS 8.1)
Possible Indicators of Compromise (IoCs)
Following login activity log with random scrip and dstip:
type=”event” subtype=”system” level=”information” vd=”root” logdesc=”Admin login successful” sn=”1733486785″ user=”admin” ui=”jsconsole” method=”jsconsole” srcip=1.1.1.1 dstip=1.1.1.1 action=”login” status=”success” reason=”none” profile=”super_admin” msg=”Administrator admin logged in successfully from jsconsole”
Following admin creation log with seemingly randomly generated username and source IP:
type=”event” subtype=”system” level=”information” vd=”root” logdesc=”Object attribute configured” user=”admin” ui=”jsconsole(127.0.0.1)” action=”Add” cfgtid=1411317760 cfgpath=”system.admin” cfgobj=”vOcep” cfgattr=”password[*]accprofile[super_admin]vdom[root]” msg=”Add system.admin vOcep”
- *sn and cfgtid are not relevant to the attack
The logs above mostly contain IP addresses used by attackers. These IP parameters are not the actual source IP addresses of the attack traffic; they are generated arbitrarily by the attacker as a parameter. Because of this, they should not be used for any blocking.
- 1.1.1.1
- 127.0.0.1
- 2.2.2.2
- 8.8.8.8
- 8.8.4.4
The threat actor has been seen using these IP addresses
- 45.55.158.47 [most used IP address]
- 87.249.138.47
- 155.133.4.175
- 37.19.196.65
- 149.22.94.37
An admin or local user created by the threat actor is randomly generated as one of the following:
- Gujhmk
- Ed8x4k
- G0xgey
- Pvnw81
- Alg7c4
- Ypda8a
- Kmi8p4
- 1a2n6t
- 8ah1t6
- M4ix9f
Recommendations:
Engineering Recommendations:
- Update to patched versions
- Disable HTTP/HTTPS administrative interface
- Workarounds are available in the FortiGuard PSIRT
- Disable Security Fabric from the CLI
- Verify that firewall management interfaces are not exposed to the internet
- Regularly review system logs for unauthorized login attempts, unexpected configuration changes, or the creation of unknown user accounts
- Tenable plugin for investigation is #214072: Fortinet FortiGate Authentication bypass in Node.js websocket module and CSF requests (FG-IR-24-535)
Leadership/Program Recommendations:
- Implement best practices for network security, such as using VPNs for administrative access and enforcing strong authentication mechanisms
- Deploy a network intrusion system to monitor for unusual activity
Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.
References:
- CISecurity: https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-fortinet-products-could-allow-for-remote-code-execution_2025-017
- FortiOS Hardening: https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/81327170-6878-11ea-9384-00505692583a/FortiOS-6.4.0-Hardening_your_FortiGate.pdf
- Fortinet PSIRT: https://fortiguard.fortinet.com/psirt/FG-IR-24-535
- Fortinet Upgrade Tool: https://docs.fortinet.com/upgrade-tool/fortigate
- NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-55591
- NIST: https://nvd.nist.gov/vuln/detail/CVE-2025-24472
