Fortinet FortiOS Authentication Bypass Under Active Exploitation

What happened: Fortinet confirmed active exploitation of CVE-2024-55591, a critical authentication bypass vulnerability in FortiOS and FortiProxy. Attackers are using crafted requests to the Node.js websocket module to obtain super-admin privileges on affected devices, enabling full control of the firewall infrastructure.

Technical details: The vulnerability exploits an alternative path or channel flaw (CWE-288) in the Node.js websocket module of FortiOS and FortiProxy. Attackers send specially crafted requests to gain super-admin access, then create new admin accounts, modify firewall policies, establish SSL VPN tunnel connections, and pivot into internal networks. Arctic Wolf reported observing exploitation campaigns dating back to November 2024.

Who is affected: Organizations running FortiOS versions 7.0.0 through 7.0.16 or FortiProxy versions 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12 with management interfaces exposed to the internet. This impacts enterprises and managed service providers heavily reliant on Fortinet for perimeter security.

What defenders should do: Upgrade to FortiOS 7.0.17 or above, FortiProxy 7.0.20 or above, or FortiProxy 7.2.13 or above immediately. As a workaround, disable HTTP/HTTPS administrative interface access from the internet. Review admin accounts for unauthorized additions. Audit firewall policy changes and VPN configurations for signs of compromise.

Broader implications: This is the latest in a series of critical vulnerabilities affecting Fortinet products. The repeated targeting of edge security devices by nation-state actors demonstrates that perimeter devices remain a primary attack vector, and organizations must treat their management interfaces as high-value targets requiring strict access controls.