Table of Contents
- Module 1 — Understanding Authentication Bypass
- Module 2 — CVE-2024-55591: The FortiOS / FortiProxy Vulnerability
- Module 3 — Timeline of Events
- Module 4 — Attack Chain Analysis
- Module 5 — Exposure and Scale
- Module 6 — Proof of Concept
- Module 7 — Indicators of Compromise (IoCs)
- Module 8 — Remediation and Mitigations
- Module 9 — Threat Hunting
- Module 10 — Proactive Security Best Practices
- Quick Reference Summary
- Primary References
Module 1 — Understanding Authentication Bypass
What Is Authentication Bypass?
Authentication bypass can potentially occur in any system that requires authentication. At a high level, authentication bypass occurs when:
- Access to a product or service is controlled by an authentication mechanism, and
- There is some weakness in the product or service that allows that mechanism to be circumvented or undermined.
That weakness can be located in:
- The authentication mechanism itself, or
- Another part of the product entirely.
Authentication bypass is usually caused by one or more of the following:
| Root Cause | Description |
|---|---|
| Poor implementation | The authentication logic is coded incorrectly, leaving gaps |
| Misconfiguration | The system is not configured to enforce authentication consistently |
| Vulnerability in the authenticated system | A bug or flaw that allows an attacker to reach a protected resource without credentials |
Key takeaway: Authentication bypass is not vendor-specific. Any vendor, any product, any system requiring authentication is a potential candidate.
CWE-288: Alternate Path Authentication Bypass
MITRE’s Common Weakness Enumeration database classifies this specific type of vulnerability as CWE-288: Authentication Bypass Using an Alternate Channel or Path.
CWE-288
Authentication Bypass Using an Alternate Channel or Path
Definition:
An effective authentication mechanism is in place to control access,
BUT there is another way to gain access that does NOT require
authentication.
The concept in plain terms:
- The “front door” is locked (normal authentication is enforced).
- The attacker finds a side door or back window that was never wired into the access control system.
- That alternate path is the attack vector.
graph TD
A[Attacker] -->|Normal path blocked| B[Authentication Mechanism\nFront Door]
A -->|CWE-288: Alternate path| C[Unprotected Channel\nSide Door / Back Window]
B -->|Valid credentials required| D[Protected Resource]
C -->|No authentication required| D
style B fill:#c0392b,color:#fff
style C fill:#e67e22,color:#fff
style D fill:#27ae60,color:#fff
In the case of FortiOS and FortiProxy, the alternate path is the Node.js WebSocket module.
Why Edge Appliances Are Particularly at Risk
Security edge appliances — firewalls, proxies, VPN concentrators — sit at the perimeter of the network. This creates a structural risk profile:
- They are internet-facing by design — which means any vulnerability is directly exploitable without internal network access.
- They typically run privileged operating systems with deep control over network traffic.
- Compromise gives attackers a foothold before any internal security controls are reached.
- Targeting of edge devices has been trending upward over the past several years.
Module 2 — CVE-2024-55591: The FortiOS / FortiProxy Vulnerability
Vulnerability Overview
| Field | Value |
|---|---|
| CVE ID | CVE-2024-55591 |
| Vendor | Fortinet |
| Affected Products | FortiOS, FortiProxy |
| CWE | CWE-288 (Authentication Bypass Using an Alternate Path) |
| CVSS Score | 9.8 (Critical) |
| Attack Vector | Network |
| Privileges Required | None |
| User Interaction | None |
| Disclosure Date | January 14, 2025 |
| Active Exploitation Since | Mid-November 2024 (estimated) |
What it enables:
An unauthenticated attacker can exploit a Node.js WebSocket module through specially crafted requests to potentially grant themselves super_admin privileges, giving them complete control over the compromised system.
FortiOS runs on the majority of Fortinet’s security fabric, meaning the blast radius of this vulnerability is extremely large.
Affected Products and Versions
FortiOS:
- 7.0.0 through 7.0.16 ← VULNERABLE
- 7.0.17 and above ← PATCHED
FortiProxy 7.0 branch:
- 7.0.0 through 7.0.19 ← VULNERABLE
- 7.0.20 and above ← PATCHED
FortiProxy 7.2 branch:
- 7.2.0 through 7.2.12 ← VULNERABLE
- 7.2.13 and above ← PATCHED
Note: This is a relatively narrow version range compared to some other CVEs, which have affected all supported versions.
CVSS Score and Risk Factors
The vulnerability scores 9.8 out of 10 (Critical). The contributing factors are:
graph LR
A[CVSS Score: 9.8 Critical]
A --> B[Attack Vector: Network\nDevice is internet-facing]
A --> C[Attack Complexity: Low\nExploitation is straightforward]
A --> D[Privileges Required: None\nNo credentials needed]
A --> E[User Interaction: None\nFully automated exploitation]
A --> F[Impact: HIGH\nConfidentiality + Integrity + Availability]
The combination of no required privileges, no user interaction, and high impact across all three security pillars (CIA triad) is what drives the near-perfect score.
The Node.js WebSocket Attack Vector
FortiOS and FortiProxy expose a Node.js WebSocket module as part of their web-based management interface. This module is the alternate path (per CWE-288) that bypasses the main authentication mechanism.
sequenceDiagram
participant Attacker
participant WebUI as Web Management Interface
participant NodeJS as Node.js WebSocket Module
participant OS as FortiOS / FortiProxy
Attacker->>WebUI: Normal login attempt
WebUI-->>Attacker: Authentication required
Note over Attacker,NodeJS: Attacker takes the alternate path
Attacker->>NodeJS: Specially crafted WebSocket request
NodeJS-->>OS: Passes request without authentication check
OS-->>Attacker: super_admin access granted
Attacker->>OS: Execute arbitrary commands
Module 3 — Timeline of Events
Key Dates
gantt
title CVE-2024-55591 Timeline
dateFormat YYYY-MM-DD
section Attack Campaign
Active exploitation begins (estimated) :milestone, 2024-11-16, 0d
Arctic Wolf begins monitoring :2024-12-01, 14d
Campaign peaks (new super_admin accounts) :2024-12-01, 30d
section Disclosure
Arctic Wolf initial advisory (limited info) :milestone, 2024-12-01, 0d
Arctic Wolf detailed analysis published :milestone, 2025-01-10, 0d
Fortinet discloses CVE-2024-55591 + patches :milestone, 2025-01-14, 0d
Censys initial scan (51 FortiProxy exposed) :milestone, 2025-01-17, 0d
Censys follow-up scan (35 FortiProxy, ~3M FortiOS) :milestone, 2025-02-06, 0d
Detailed sequence of events:
| Date | Event |
|---|---|
| ~November 16, 2024 | Attacks begin — attackers log into FortiGate management interfaces and begin reconnaissance |
| Early December 2024 | Arctic Wolf begins monitoring threat activity involving malicious use of management interfaces on FortiGate devices |
| Early December 2024 | Arctic Wolf issues basic cyber-hygiene advice with limited details |
| Early December 2024 | Attackers begin creating new super_admin accounts |
| January 10, 2025 | Arctic Wolf publishes detailed campaign analysis: unauthorized admin logins, new account creation, SSL VPN tunneling, configuration changes |
| January 14, 2025 | Fortinet discloses CVE-2024-55591, provides fixes, IoCs, recommendations, and mitigations |
| January 17, 2025 | Censys observes 51 exposed FortiProxy instances and ~3.5 million FortiOS-exposed devices |
| February 6, 2025 | Censys follow-up: 35 FortiProxy instances, ~3 million FortiOS instances — drop of ~500,000 devices |
Arctic Wolf’s detailed analysis (January 10, 2025) identified:
- Unauthorized administrative logins on management interfaces of firewalls
- Creation of new accounts
- SSL VPN authentication through those new accounts
- Various other configuration changes
- The attacks appeared to have started around mid-November or earlier
- The initial access vector was initially unclear beyond “unauthorized management interface logins”
Four days after Arctic Wolf’s detailed analysis, Fortinet disclosed the vulnerability — confirming CVE-2024-55591 as the initial access vector.
The FortiGate Configuration Data Leak: A Separate Issue
Around the same time, reports circulated about a FortiGate firewall configuration data leak. This caused significant confusion in the security community but is a completely separate issue.
| CVE-2024-55591 | FortiGate Config Data Leak | |
|---|---|---|
| Related CVE | CVE-2024-55591 | CVE-2022-40684 |
| Type | Authentication bypass via WebSocket | Configuration data leak |
| When disclosed | January 2025 | October 2022 |
| Data involved | N/A (access, not leak) | IP addresses, passwords, configs for ~15,000 devices worldwide (excluding Iran) |
| Related? | No | No |
CVE-2022-40684 was exploited in at least one attack, and the stolen data — containing configurations from ~15,000 Fortinet devices — was published publicly around the same time as the CVE-2024-55591 disclosure, creating confusion. They are unrelated incidents.
Module 4 — Attack Chain Analysis
Overview of the Four Stages
The attacks followed four distinct stages, all mappable to MITRE ATT&CK tactics, techniques, and procedures (TTPs):
flowchart LR
S1["Stage 1\nReconnaissance &\nVulnerability Scanning"]
S2["Stage 2\nUnauthorized Admin Access\n& Config Changes"]
S3["Stage 3\nPersistence &\nLateral Movement Setup"]
S4["Stage 4\nCredential Extraction\nvia DCSync"]
S1 --> S2 --> S3 --> S4
style S1 fill:#8e44ad,color:#fff
style S2 fill:#c0392b,color:#fff
style S3 fill:#e67e22,color:#fff
style S4 fill:#16a085,color:#fff
Stage 1: Reconnaissance and Vulnerability Scanning
- Attackers logged into FortiGate management interfaces by exploiting CVE-2024-55591 via the Node.js WebSocket module.
- Early reconnaissance activity included changing the output setting from
standardtomoreto gather additional system information.
# Command observed via jsconsole during reconnaissance
# Changing output pager to gather more system information
config system console
set output more
end
Stage 2: Unauthorized Administrative Access and Configuration Changes
Using access gained via the exploit, attackers used jsconsole (the CLI accessible through the web management interface) to make configuration changes:
- Created new
super_adminaccounts (starting in early December 2024). - Created as many as six new local user accounts per device.
- Added those local accounts to existing groups that victim organizations had created for SSL VPN access.
- In some cases, rather than creating new accounts, hijacked existing accounts and placed them into groups with VPN privileges.
- Set up new SSL VPN portals and added compromised user accounts directly to those portals.
Stage 3: Persistence and Lateral Movement Setup
Once all required configuration changes were made, attackers established SSL VPN tunnels to the affected devices using the newly created or hijacked accounts.
graph TD
A[Exploit CVE-2024-55591\nWebSocket → super_admin] --> B[Create/Hijack Admin Accounts]
B --> C[Create up to 6 local users per device]
C --> D[Add local users to SSL VPN groups]
D --> E[Create new SSL VPN portals\nor add users to existing ones]
E --> F[Establish SSL VPN tunnels\nto victim devices]
F --> G[Persistent access achieved]
Stage 4: Credential Extraction via DCSync
The campaign reached its peak when attackers used their SSL VPN access to extract credentials for lateral movement via a technique called DCSync.
DCSync is an attack that abuses Active Directory replication protocols to extract password hashes from a domain controller without ever logging into it directly.
DCSync Attack Flow:
1. Attacker with SSL VPN access reaches internal network
2. Uses compromised credentials with replication privileges
3. Requests AD replication from Domain Controller
4. Domain Controller sends password hashes
5. Attacker cracks hashes or uses them in Pass-the-Hash attacks
Ultimate objectives remain unclear: The attackers wiped their tracks and vanished from compromised environments before proceeding to the next stage, so their final goals are not known.
The Role of jsconsole
Like most next-generation firewalls, FortiGate products allow administrators to access the command-line interface (CLI) through the web-based management interface. In FortiGate’s case, this is implemented using jsconsole.
flowchart LR
A[Node.js WebSocket\nExploit\nCVE-2024-55591] -->|Bypass authentication| B[Web Management\nInterface]
B -->|Access granted via| C[jsconsole\nCLI in browser]
C -->|Executes| D[FortiOS CLI commands\nConfig changes\nAccount creation\nReconnaissance]
- The Node.js WebSocket module was exploited to gain access to the management interface.
- The management interface, in turn, gave access to the command-line interface via jsconsole.
- Attackers used jsconsole extensively to make all observed configuration changes.
Attack Flow Diagram
sequenceDiagram
participant ATK as Attacker
participant FW as FortiGate Firewall\n(FortiOS 7.0.0-7.0.16)
participant MGMT as Web Mgmt Interface
participant JCON as jsconsole (CLI)
participant VPN as SSL VPN
participant INT as Internal Network
participant DC as Domain Controller
Note over ATK,DC: Stage 1 — Reconnaissance
ATK->>FW: Exploit CVE-2024-55591\n(crafted WebSocket request)
FW-->>ATK: super_admin access granted
ATK->>JCON: set output more (gather system info)
Note over ATK,DC: Stage 2 — Configuration Changes
ATK->>JCON: Create new super_admin account
ATK->>JCON: Create up to 6 local user accounts
ATK->>JCON: Add users to existing SSL VPN groups
ATK->>JCON: Create/modify SSL VPN portals
Note over ATK,DC: Stage 3 — Establishing Persistence
ATK->>VPN: Authenticate via newly created accounts
VPN-->>ATK: SSL VPN tunnel established
Note over ATK,DC: Stage 4 — Lateral Movement
ATK->>INT: Access internal network via VPN
ATK->>DC: DCSync attack (credential extraction)
DC-->>ATK: Password hashes extracted
ATK->>ATK: Wipe tracks and exit
Module 5 — Exposure and Scale
Censys Scan Data
Censys is an internet scanning platform that continuously maps exposed services across the internet. Two scans were conducted at different points in the investigation:
Scan 1 — January 17, 2025:
| Product | Exposed Instances |
|---|---|
| FortiProxy | 51 |
| FortiOS | ~3,500,000 |
Scan 2 — February 6, 2025 (approximately 3 weeks later):
| Product | Exposed Instances | Change |
|---|---|---|
| FortiProxy | 35 | -16 (~31% reduction) |
| FortiOS | ~3,000,000 | -500,000 (~14% reduction) |
Geographic Distribution
- The majority of exposed devices are located in North America and Europe.
- Approximately 16% of FortiOS devices are located in the United States.
- Approximately one-third of FortiProxy devices are located in the United States.
pie title FortiOS Device Distribution (Approximate)
"United States" : 16
"Rest of North America" : 14
"Europe" : 40
"Asia-Pacific" : 20
"Rest of World" : 10
What the Numbers Do Not Tell Us
Critical caveat: The Censys scans show total internet-exposed devices running FortiOS or FortiProxy, not the number of devices running a vulnerable version.
A more targeted Censys query filtering for vulnerable versions only (as of February 6, 2025) showed:
- Only 128 vulnerable internet-exposed devices remained
- Approximately 10% located in the United States
However, this does not account for devices that were:
- Already compromised and taken offline
- Remediated (patched or access restricted) without attribution
- Unknown — devices in the ~500,000 that disappeared between scans
The key question is: how many of those ~500,000 devices that went offline were potentially compromised between mid-November 2024 and January 17, 2025?
Module 6 — Proof of Concept
A working proof-of-concept (PoC) exploit is publicly available on GitHub.
PoC Script Usage
The PoC is a Python script that accepts the following arguments:
python3 CVE-2024-55591-PoC.py \
--target <IP_ADDRESS> \
--port <PORT> \
--command "<FORTIOS_CLI_COMMAND>" \
--username <NEW_SUPER_ADMIN_USERNAME> \
--ssl
| Argument | Description |
|---|---|
--target | IP address of the target FortiGate management interface |
--port | Port running the web management interface (typically 443) |
--command | FortiOS CLI command to execute upon gaining access |
--username | Username for the new super_admin account to be created |
--ssl | Use SSL connection (required for port 443) |
Demo Walkthrough
The demo was performed against a FortiGate running FortiOS 7.0.16 (one of the vulnerable versions).
Before exploitation — baseline state:
- Users: one user
guestin theguestgroup - Administrators: one user
adminwith thesuper_adminprofile - Event log: last event was a successful
adminlogin
Exploitation:
# Clone the PoC
git clone https://github.com/watchtowrlabs/fortios-auth-bypass-poc-CVE-2024-55591.git
cd fortios-auth-bypass-poc-CVE-2024-55591
# Run the exploit
python3 CVE-2024-55591-PoC.py \
--target 192.168.1.1 \
--port 443 \
--command "get system status" \
--username fakeUser \
--ssl
Result: The exploit ran and the get system status command produced output — confirming successful unauthenticated execution.
After exploitation — changes observed in management interface:
- Event log shows a successful login from user
fakeUser fakeUserhas thesuper_adminprofile- Login source:
jsconsole
Event Log Entry (post-exploitation):
User: fakeUser
Profile: super_admin
Source: jsconsole
Action: Login successful
The entire attack from running the script to gaining
super_adminaccess takes only seconds.
Module 7 — Indicators of Compromise (IoCs)
Arctic Wolf and FortiGuard have identified multiple indicators of compromise that organizations can use to assess their environments.
IP Address Anomalies
The attackers spoofed source and destination IP addresses during their operations, often using:
- The loopback interface address (
127.0.0.1) - Google DNS server addresses (
8.8.8.8,8.8.4.4) - Cloudflare DNS server addresses (
1.1.1.1,1.0.0.1)
What to look for:
1. Login events where the source IP or destination IP is:
- 127.0.0.1 (loopback)
- 8.8.8.8 or 8.8.4.4 (Google DNS)
- 1.1.1.1 or 1.0.0.1 (Cloudflare DNS)
2. Login events where source IP == destination IP
(same address used for both source and destination)
Account and Group Activity
3. Admin creation logs showing:
- Same unusual source IP addresses as above
- Randomly generated usernames (e.g., random strings, not human-readable)
4. Local user creation logs showing:
- Randomly generated usernames
5. User group changes:
- New user groups created
- New local users added to existing SSL VPN user groups
SSL VPN Indicators
6. SSL VPN logs showing:
- Tunnel establishment by newly created users with randomly generated names
- VPN connections to the internal network from unfamiliar accounts
Known Attacker Infrastructure
Five external IP addresses were identified as being used by the attackers. The most frequently observed was:
45.55.158.47
Look for any outbound communications or connections from your firewall or internal hosts to these IP addresses.
The use of only five VPS (Virtual Private Server) addresses by the attacker is unusual and represents an opportunity to detect the campaign — a small, finite pool of infrastructure is easier to identify and block.
IoC Summary Diagram
graph TD
IOC[Indicators of Compromise]
IOC --> IP[IP Address Anomalies]
IOC --> ACC[Account Activity]
IOC --> VPN[SSL VPN Logs]
IOC --> EXT[External Infrastructure]
IP --> IP1[Source = Loopback 127.0.0.1]
IP --> IP2[Source = Google/Cloudflare DNS]
IP --> IP3[Source IP == Destination IP]
ACC --> ACC1[Admin creation from unusual IPs]
ACC --> ACC2[Randomly generated admin usernames]
ACC --> ACC3[Randomly generated local usernames]
ACC --> ACC4[New users added to SSL VPN groups]
VPN --> VPN1[Random-username accounts\nestablishing VPN tunnels]
VPN --> VPN2[New SSL VPN portals created]
EXT --> EXT1[45.55.158.47\nmost common attacker IP]
EXT --> EXT2[4 additional attacker IPs]
Module 8 — Remediation and Mitigations
Patching
Patching is the primary and recommended remediation. The following versions address CVE-2024-55591:
FortiOS:
Upgrade to 7.0.17 or above
FortiProxy 7.0 branch:
Upgrade to 7.0.20 or above
FortiProxy 7.2 branch:
Upgrade to 7.2.13 or above
Reference: FortiGuard PSIRT advisory FG-IR-24-535
Workarounds When Patching Is Not Immediately Possible
If patching cannot be performed immediately, two workarounds can reduce the risk. Both have operational trade-offs:
Workaround 1: Disable the HTTP/HTTPS web-based admin interface
Impact: Cannot manage the firewall via the web interface
Benefit: Removes the attack surface entirely
Risk reduction: HIGH (eliminates the exploitable endpoint)
Operational impact: HIGH (admins must use alternative methods)
Workaround 2: Limit IP addresses that can reach the admin interface
Impact: Only specific approved IPs can reach the management interface
Benefit: Still allows web-based management in a controlled way
Risk reduction: MEDIUM to HIGH (depends on access control implementation)
Operational impact: LOWER (admins from approved IPs can still work)
Requirement: Must be actively monitored to ensure ongoing authorized access
FortiGuard provides detailed instructions for implementing IP access restrictions. See the FG-IR-24-535 advisory for specifics.
Remediation Decision Flow
flowchart TD
A[Device running vulnerable\nFortiOS or FortiProxy?] -->|Yes| B[Can you patch immediately?]
A -->|No| Z[No action required]
B -->|Yes| C[Upgrade to fixed version\nFortiOS ≥ 7.0.17\nFortiProxy 7.0 ≥ 7.0.20\nFortiProxy 7.2 ≥ 7.2.13]
B -->|No| D[Apply workaround]
D --> E{Which workaround?}
E --> F[Option 1: Disable HTTP/HTTPS\nadmin interface entirely\nHighest risk reduction\nHighest operational impact]
E --> G[Option 2: Restrict admin interface\nto approved IPs only\nBalanced approach\nRequires active monitoring]
C --> H[Hunt for signs of prior compromise\nCheck logs before patching window]
F --> H
G --> H
H --> I[Review IoCs\nCheck login, admin creation,\nSSL VPN logs]
Module 9 — Threat Hunting
Given that this vulnerability has been actively exploited since at least mid-November 2024, organizations must actively hunt for signs of prior compromise — do not assume a clean environment simply because a patch has been applied.
Where to Look
Log Sources to Review:
1. Login logs (management interface)
2. Admin creation logs
3. SSL VPN logs
4. Local user creation logs
5. User group modification logs
6. Network traffic logs / firewall logs
Threat Hunting Checklist
graph TD
START[Begin Threat Hunt] --> L1
L1[Review Login Logs] --> L1A{Unusual source/dest IPs?\n127.0.0.1, 8.8.8.8, 1.1.1.1?}
L1A -->|Yes| FLAG1[FLAG: Potential unauthorized access]
L1A -->|No| L2
L2[Review Admin Creation Logs] --> L2A{Same unusual IPs?\nRandomly generated usernames?}
L2A -->|Yes| FLAG2[FLAG: New unauthorized admin accounts]
L2A -->|No| L3
L3[Review Local User Creation Logs] --> L3A{Randomly generated usernames?}
L3A -->|Yes| FLAG3[FLAG: Unauthorized local accounts]
L3A -->|No| L4
L4[Review Group Membership Logs] --> L4A{New users added to\nSSL VPN groups?}
L4A -->|Yes| FLAG4[FLAG: Unauthorized VPN access setup]
L4A -->|No| L5
L5[Review SSL VPN Logs] --> L5A{Random-username accounts\nestablishing tunnels?}
L5A -->|Yes| FLAG5[FLAG: Active unauthorized VPN use]
L5A -->|No| L6
L6[Check Network Traffic] --> L6A{Connections to/from\n45.55.158.47 or other\nattacker IPs?}
L6A -->|Yes| FLAG6[FLAG: Communication with attacker infrastructure]
L6A -->|No| CLEAN[No obvious IoCs found\nContinue routine monitoring]
FLAG1 & FLAG2 & FLAG3 & FLAG4 & FLAG5 & FLAG6 --> IR[Initiate Incident Response]
Specific items to search for:
- Login activity with loopback, Google DNS, or Cloudflare DNS as source or destination
- Admin creation logs where source IP = destination IP
- Randomly generated usernames in admin creation and local user creation logs
- New user groups, or new local users added to existing SSL VPN groups
- SSL VPN tunnel establishment by randomly named users
- Communications with
45.55.158.47and up to four additional attacker IPs
Arctic Wolf was able to identify this campaign early specifically because external monitoring was already in place for unexpected firewall configuration changes. This is a key lesson.
Module 10 — Proactive Security Best Practices
Regardless of vendor, these best practices apply to all organizations running edge appliances and network security infrastructure.
Admin Account Hardening
Use non-standard, non-guessable admin usernames.
In some attacks (this one included), an attacker needs to know an admin account’s username to perform the attack. A non-standard username provides some protection.
Default (avoid): admin
Better: fw-mgr-01
Even better: Use a naming convention known only internally,
not documented publicly
Caveat: In the case of CVE-2024-55591, the Node.js WebSocket is not an authentication point, so nothing would stop an attacker from brute-forcing the username. Hardening helps but is not a complete control here.
External Network Scanning
Conduct routine scanning of external networks to detect:
- New IP addresses that have appeared unexpectedly
- New ports that have opened on known devices
- Services that should not be internet-facing
This should be ongoing, not a one-time exercise.
Asset Inventory
Maintain an accurate, up-to-date asset inventory that includes:
For each device:
- Physical or logical location
- Security significance / criticality
- Which ports should be open
- What software is running and at what version
- What the device is authorized to do
When a CVE like this drops, an accurate inventory means you can immediately answer:
- Do we have any affected devices?
- How many?
- Where are they?
- Are they patched?
Without this, the incident response process begins with a days-long discovery exercise before remediation can even start.
Monitoring and Alert Rules
Review and update monitoring and alert rules to detect:
- Unexpected configuration changes (creation of new admin accounts, modification of SSL VPN groups)
- IP address anomalies (source = destination, loopback as source, DNS IPs as source)
- Impossible login patterns (logins from addresses that should not be able to reach the management interface)
Arctic Wolf identified this attack campaign early specifically because external monitoring was already in place for unexpected firewall configuration changes. This is a concrete example of monitoring paying off.
Threat Intelligence
Stay on top of the evolving threat landscape. This is challenging, but the effort can be scaled to the organization:
graph TD
TI[Threat Intelligence Program]
TI --> S[Sector Awareness\nWhat threats target your industry?]
TI --> TA[Threat Actor Profiling\nWhich actors are likely to target you?\nWhat TTPs do they use?]
TI --> PROD[Product Advisories\nSign up for security advisories\nfor every product in your environment]
TI --> TREND[Security Trends\nEdge device targeting is trending up]
TI --> SCALE[Scale to Organization Size]
SCALE --> LARGE[Large org / critical infrastructure\nDedicated threat intelligence team]
SCALE --> SMALL[Smaller org\nAssign activities to security/IT team members\nMonthly review meeting]
The framework for threat intelligence:
- Identify the sector you work in — which threat actors commonly target it?
- Understand the common TTPs used by those actors — can you defend against them?
- Know what software products are in your environment — subscribe to security advisories for each.
- Monitor security trends — edge device targeting has been increasing year-over-year.
- Match the investment level to the organization’s risk appetite (established by the board).
Additionally: Practice your incident response. Developing “muscle memory” for incident response procedures means that when an event occurs, the team can execute efficiently rather than improvising under pressure.
Quick Reference Summary
graph TD
CVE["CVE-2024-55591\nCritical — CVSS 9.8"]
CVE --> WHAT[What: Authentication bypass\nvia Node.js WebSocket module\nCWE-288]
CVE --> WHO[Who: Fortinet FortiOS + FortiProxy\nVersions 7.0.0-7.0.16 FortiOS\n7.0.0-7.0.19 / 7.2.0-7.2.12 FortiProxy]
CVE --> WHEN[When: Exploited since ~Nov 16, 2024\nDisclosed Jan 14, 2025]
CVE --> IMPACT[Impact: super_admin access\nConfig changes, VPN access,\nDCSync credential theft]
CVE --> FIX[Fix]
FIX --> PATCH[Patch:\nFortiOS ≥ 7.0.17\nFortiProxy 7.0 ≥ 7.0.20\nFortiProxy 7.2 ≥ 7.2.13]
FIX --> WA[Workarounds:\nDisable web admin interface\nOR restrict to trusted IPs]
CVE --> HUNT[Hunt for IoCs]
HUNT --> LOGS[Check: Login logs\nAdmin creation logs\nSSL VPN logs]
HUNT --> IPS[Watch for: 127.0.0.1, DNS IPs,\nsame src=dst, 45.55.158.47]
HUNT --> ACCTS[Watch for: Random usernames\nNew VPN groups/users]
| Item | Detail |
|---|---|
| CVE | CVE-2024-55591 |
| CVSS | 9.8 (Critical) |
| CWE | CWE-288 (Alternate Path Authentication Bypass) |
| Affected | FortiOS 7.0.0-7.0.16, FortiProxy 7.0.0-7.0.19, FortiProxy 7.2.0-7.2.12 |
| Fixed versions | FortiOS 7.0.17+, FortiProxy 7.0 → 7.0.20+, FortiProxy 7.2 → 7.2.13+ |
| Exploit path | Node.js WebSocket module → management interface → jsconsole |
| Privileges required | None |
| User interaction | None |
| Impact | super_admin access, config changes, VPN persistence, DCSync |
| Active since | ~November 16, 2024 |
| PoC available | Yes (public, GitHub) |
| Key IoC | Login from 127.0.0.1, same src=dst IP, random usernames, 45.55.158.47 |
Primary References
-
Arctic Wolf Console Chaos Campaign Analysis: https://arcticwolf.com/resources/blog/console-chaos-targets-fortinet-fortigate-firewalls/
-
FortiGuard PSIRT Advisory FG-IR-24-535:
-
CVE Record — CVE-2024-55591:
-
Censys — CVE-2024-55591 Exposure: https://censys.com/cve-2024-55591/
-
Censys — FortiGate Config Leak Impact: https://censys.com/fortigate-config-leak-impact/
-
The Hacker News — Zero-Day Vulnerability Suspected: https://thehackernews.com/2025/01/zero-day-vulnerability-suspected-in.html
-
Bleeping Computer — FortiGate Config and VPN Credential Leak (15,000 devices):
-
DoublePulsar — 2022 Zero-Day Used to Raid FortiGate Firewall Configs: https://doublepulsar.com/2022-zero-day-was-used-to-raid-fortigate-firewall-configs-somebody-just-released-them-a7a74e0b0c7f
-
Proof of Concept (PoC) — WatchTower Labs on GitHub: https://github.com/watchtowrlabs/fortios-auth-bypass-poc-CVE-2024-55591/blob/main/CVE-2024-55591-PoC.py
Search Terms
authentication · bypass · security · edge · know · vulnerability · briefings · networking · systems · stage · attack · threat · account · configuration · data · diagram · flow · hunting · indicators · patching · remediation · risk · scanning