Alert essentials:

A critical authentication bypass has been exploited in Fortinet products since November 2024.

CVE-2024-55591 is part of a campaign targeting publicly exposed management interfaces on FortiGate firewalls and should be patched or mitigated immediately.

 

Email Team

 

Detailed threat description:

Since November 2024, FortiOS and FortiProxy products have actively exploited an authentication bypass vulnerability using an alternate path or channel.

CVE-2024-55591 is a critical authentication bypass vulnerability that allows a remote attacker to gain super administrative (Super-Admin) privileges by making crafted requests to the Node.js web socket module.

After access is acquired, the attackers leverage the Fortinet CLI as ‘jsconsole’ and use loopback and other IPs with the ‘–userfrom’ switch to destroy the audit record. This technique enables altering system configurations and establishing secure VPN tunnels to access internal networks.

While public proof-of-concept exploits are currently available, the vulnerability is actively exploited. Fortinet is communicating with customers to provide guidance and coordinating with threat researchers as part of ongoing investigations.

Organizations using affected Fortinet products should immediately apply the available patches or implement recommended workarounds to mitigate the risk of exploitation.

Impacts on healthcare organizations:

This vulnerability poses a significant risk to organizations using affected Fortinet products, as it allows attackers to bypass authentication and gain full control over critical network infrastructure.

Leaving this vulnerability unpatched would compromise patient and operational safety. Therefore, healthcare organizations must prioritize timely patching of CVE-2024-55591 to maintain the integrity and security of their systems and protect patient care.

 

Recommendations


Engineering recommendations:

 

Leadership/ Program recommendations:

  • Conduct an urgent inventory of all Fortinet devices with the network team, focusing on FortiOS and FortiProxy products with vulnerable versions
    Enhance network segmentation
  • Perform a post-incident review after addressing the immediate threat
  • Stay informed about any new developments or recommendations from Fortinet and cybersecurity agencies regarding this vulnerability
  • Ensure your organization is prepared to respond quickly to any potential security incidents

 

Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.

 

References: