Advanced

Authentication Bypass at the Security Edge: What You Should Know

Once all required configuration changes were made, attackers established SSL VPN tunnels to the affected devices using the newly created or hijacked accounts.

Table of Contents

  1. Module 1 — Understanding Authentication Bypass
  2. Module 2 — CVE-2024-55591: The FortiOS / FortiProxy Vulnerability
  3. Module 3 — Timeline of Events
  4. Module 4 — Attack Chain Analysis
  5. Module 5 — Exposure and Scale
  6. Module 6 — Proof of Concept
  7. Module 7 — Indicators of Compromise (IoCs)
  8. Module 8 — Remediation and Mitigations
  9. Module 9 — Threat Hunting
  10. Module 10 — Proactive Security Best Practices
  11. Quick Reference Summary
  12. Primary References

Module 1 — Understanding Authentication Bypass

What Is Authentication Bypass?

Authentication bypass can potentially occur in any system that requires authentication. At a high level, authentication bypass occurs when:

  • Access to a product or service is controlled by an authentication mechanism, and
  • There is some weakness in the product or service that allows that mechanism to be circumvented or undermined.

That weakness can be located in:

  • The authentication mechanism itself, or
  • Another part of the product entirely.

Authentication bypass is usually caused by one or more of the following:

Root CauseDescription
Poor implementationThe authentication logic is coded incorrectly, leaving gaps
MisconfigurationThe system is not configured to enforce authentication consistently
Vulnerability in the authenticated systemA bug or flaw that allows an attacker to reach a protected resource without credentials

Key takeaway: Authentication bypass is not vendor-specific. Any vendor, any product, any system requiring authentication is a potential candidate.


CWE-288: Alternate Path Authentication Bypass

MITRE’s Common Weakness Enumeration database classifies this specific type of vulnerability as CWE-288: Authentication Bypass Using an Alternate Channel or Path.

CWE-288
Authentication Bypass Using an Alternate Channel or Path

Definition:
  An effective authentication mechanism is in place to control access,
  BUT there is another way to gain access that does NOT require
  authentication.

The concept in plain terms:

  • The “front door” is locked (normal authentication is enforced).
  • The attacker finds a side door or back window that was never wired into the access control system.
  • That alternate path is the attack vector.
graph TD
    A[Attacker] -->|Normal path blocked| B[Authentication Mechanism\nFront Door]
    A -->|CWE-288: Alternate path| C[Unprotected Channel\nSide Door / Back Window]
    B -->|Valid credentials required| D[Protected Resource]
    C -->|No authentication required| D
    style B fill:#c0392b,color:#fff
    style C fill:#e67e22,color:#fff
    style D fill:#27ae60,color:#fff

In the case of FortiOS and FortiProxy, the alternate path is the Node.js WebSocket module.


Why Edge Appliances Are Particularly at Risk

Security edge appliances — firewalls, proxies, VPN concentrators — sit at the perimeter of the network. This creates a structural risk profile:

  • They are internet-facing by design — which means any vulnerability is directly exploitable without internal network access.
  • They typically run privileged operating systems with deep control over network traffic.
  • Compromise gives attackers a foothold before any internal security controls are reached.
  • Targeting of edge devices has been trending upward over the past several years.

Module 2 — CVE-2024-55591: The FortiOS / FortiProxy Vulnerability

Vulnerability Overview

FieldValue
CVE IDCVE-2024-55591
VendorFortinet
Affected ProductsFortiOS, FortiProxy
CWECWE-288 (Authentication Bypass Using an Alternate Path)
CVSS Score9.8 (Critical)
Attack VectorNetwork
Privileges RequiredNone
User InteractionNone
Disclosure DateJanuary 14, 2025
Active Exploitation SinceMid-November 2024 (estimated)

What it enables:

An unauthenticated attacker can exploit a Node.js WebSocket module through specially crafted requests to potentially grant themselves super_admin privileges, giving them complete control over the compromised system.

FortiOS runs on the majority of Fortinet’s security fabric, meaning the blast radius of this vulnerability is extremely large.


Affected Products and Versions

FortiOS:
  - 7.0.0 through 7.0.16  ← VULNERABLE
  - 7.0.17 and above       ← PATCHED

FortiProxy 7.0 branch:
  - 7.0.0 through 7.0.19  ← VULNERABLE
  - 7.0.20 and above       ← PATCHED

FortiProxy 7.2 branch:
  - 7.2.0 through 7.2.12  ← VULNERABLE
  - 7.2.13 and above       ← PATCHED

Note: This is a relatively narrow version range compared to some other CVEs, which have affected all supported versions.


CVSS Score and Risk Factors

The vulnerability scores 9.8 out of 10 (Critical). The contributing factors are:

graph LR
    A[CVSS Score: 9.8 Critical]
    A --> B[Attack Vector: Network\nDevice is internet-facing]
    A --> C[Attack Complexity: Low\nExploitation is straightforward]
    A --> D[Privileges Required: None\nNo credentials needed]
    A --> E[User Interaction: None\nFully automated exploitation]
    A --> F[Impact: HIGH\nConfidentiality + Integrity + Availability]

The combination of no required privileges, no user interaction, and high impact across all three security pillars (CIA triad) is what drives the near-perfect score.


The Node.js WebSocket Attack Vector

FortiOS and FortiProxy expose a Node.js WebSocket module as part of their web-based management interface. This module is the alternate path (per CWE-288) that bypasses the main authentication mechanism.

sequenceDiagram
    participant Attacker
    participant WebUI as Web Management Interface
    participant NodeJS as Node.js WebSocket Module
    participant OS as FortiOS / FortiProxy

    Attacker->>WebUI: Normal login attempt
    WebUI-->>Attacker: Authentication required

    Note over Attacker,NodeJS: Attacker takes the alternate path

    Attacker->>NodeJS: Specially crafted WebSocket request
    NodeJS-->>OS: Passes request without authentication check
    OS-->>Attacker: super_admin access granted
    Attacker->>OS: Execute arbitrary commands

Module 3 — Timeline of Events

Key Dates

gantt
    title CVE-2024-55591 Timeline
    dateFormat  YYYY-MM-DD
    section Attack Campaign
    Active exploitation begins (estimated)      :milestone, 2024-11-16, 0d
    Arctic Wolf begins monitoring               :2024-12-01, 14d
    Campaign peaks (new super_admin accounts)   :2024-12-01, 30d
    section Disclosure
    Arctic Wolf initial advisory (limited info) :milestone, 2024-12-01, 0d
    Arctic Wolf detailed analysis published     :milestone, 2025-01-10, 0d
    Fortinet discloses CVE-2024-55591 + patches :milestone, 2025-01-14, 0d
    Censys initial scan (51 FortiProxy exposed) :milestone, 2025-01-17, 0d
    Censys follow-up scan (35 FortiProxy, ~3M FortiOS) :milestone, 2025-02-06, 0d

Detailed sequence of events:

DateEvent
~November 16, 2024Attacks begin — attackers log into FortiGate management interfaces and begin reconnaissance
Early December 2024Arctic Wolf begins monitoring threat activity involving malicious use of management interfaces on FortiGate devices
Early December 2024Arctic Wolf issues basic cyber-hygiene advice with limited details
Early December 2024Attackers begin creating new super_admin accounts
January 10, 2025Arctic Wolf publishes detailed campaign analysis: unauthorized admin logins, new account creation, SSL VPN tunneling, configuration changes
January 14, 2025Fortinet discloses CVE-2024-55591, provides fixes, IoCs, recommendations, and mitigations
January 17, 2025Censys observes 51 exposed FortiProxy instances and ~3.5 million FortiOS-exposed devices
February 6, 2025Censys follow-up: 35 FortiProxy instances, ~3 million FortiOS instances — drop of ~500,000 devices

Arctic Wolf’s detailed analysis (January 10, 2025) identified:

  • Unauthorized administrative logins on management interfaces of firewalls
  • Creation of new accounts
  • SSL VPN authentication through those new accounts
  • Various other configuration changes
  • The attacks appeared to have started around mid-November or earlier
  • The initial access vector was initially unclear beyond “unauthorized management interface logins”

Four days after Arctic Wolf’s detailed analysis, Fortinet disclosed the vulnerability — confirming CVE-2024-55591 as the initial access vector.


The FortiGate Configuration Data Leak: A Separate Issue

Around the same time, reports circulated about a FortiGate firewall configuration data leak. This caused significant confusion in the security community but is a completely separate issue.

CVE-2024-55591FortiGate Config Data Leak
Related CVECVE-2024-55591CVE-2022-40684
TypeAuthentication bypass via WebSocketConfiguration data leak
When disclosedJanuary 2025October 2022
Data involvedN/A (access, not leak)IP addresses, passwords, configs for ~15,000 devices worldwide (excluding Iran)
Related?NoNo

CVE-2022-40684 was exploited in at least one attack, and the stolen data — containing configurations from ~15,000 Fortinet devices — was published publicly around the same time as the CVE-2024-55591 disclosure, creating confusion. They are unrelated incidents.


Module 4 — Attack Chain Analysis

Overview of the Four Stages

The attacks followed four distinct stages, all mappable to MITRE ATT&CK tactics, techniques, and procedures (TTPs):

flowchart LR
    S1["Stage 1\nReconnaissance &\nVulnerability Scanning"]
    S2["Stage 2\nUnauthorized Admin Access\n& Config Changes"]
    S3["Stage 3\nPersistence &\nLateral Movement Setup"]
    S4["Stage 4\nCredential Extraction\nvia DCSync"]

    S1 --> S2 --> S3 --> S4

    style S1 fill:#8e44ad,color:#fff
    style S2 fill:#c0392b,color:#fff
    style S3 fill:#e67e22,color:#fff
    style S4 fill:#16a085,color:#fff

Stage 1: Reconnaissance and Vulnerability Scanning

  • Attackers logged into FortiGate management interfaces by exploiting CVE-2024-55591 via the Node.js WebSocket module.
  • Early reconnaissance activity included changing the output setting from standard to more to gather additional system information.
# Command observed via jsconsole during reconnaissance
# Changing output pager to gather more system information
config system console
  set output more
end

Stage 2: Unauthorized Administrative Access and Configuration Changes

Using access gained via the exploit, attackers used jsconsole (the CLI accessible through the web management interface) to make configuration changes:

  • Created new super_admin accounts (starting in early December 2024).
  • Created as many as six new local user accounts per device.
  • Added those local accounts to existing groups that victim organizations had created for SSL VPN access.
  • In some cases, rather than creating new accounts, hijacked existing accounts and placed them into groups with VPN privileges.
  • Set up new SSL VPN portals and added compromised user accounts directly to those portals.

Stage 3: Persistence and Lateral Movement Setup

Once all required configuration changes were made, attackers established SSL VPN tunnels to the affected devices using the newly created or hijacked accounts.

graph TD
    A[Exploit CVE-2024-55591\nWebSocket → super_admin] --> B[Create/Hijack Admin Accounts]
    B --> C[Create up to 6 local users per device]
    C --> D[Add local users to SSL VPN groups]
    D --> E[Create new SSL VPN portals\nor add users to existing ones]
    E --> F[Establish SSL VPN tunnels\nto victim devices]
    F --> G[Persistent access achieved]

Stage 4: Credential Extraction via DCSync

The campaign reached its peak when attackers used their SSL VPN access to extract credentials for lateral movement via a technique called DCSync.

DCSync is an attack that abuses Active Directory replication protocols to extract password hashes from a domain controller without ever logging into it directly.

DCSync Attack Flow:
  1. Attacker with SSL VPN access reaches internal network
  2. Uses compromised credentials with replication privileges
  3. Requests AD replication from Domain Controller
  4. Domain Controller sends password hashes
  5. Attacker cracks hashes or uses them in Pass-the-Hash attacks

Ultimate objectives remain unclear: The attackers wiped their tracks and vanished from compromised environments before proceeding to the next stage, so their final goals are not known.


The Role of jsconsole

Like most next-generation firewalls, FortiGate products allow administrators to access the command-line interface (CLI) through the web-based management interface. In FortiGate’s case, this is implemented using jsconsole.

flowchart LR
    A[Node.js WebSocket\nExploit\nCVE-2024-55591] -->|Bypass authentication| B[Web Management\nInterface]
    B -->|Access granted via| C[jsconsole\nCLI in browser]
    C -->|Executes| D[FortiOS CLI commands\nConfig changes\nAccount creation\nReconnaissance]
  • The Node.js WebSocket module was exploited to gain access to the management interface.
  • The management interface, in turn, gave access to the command-line interface via jsconsole.
  • Attackers used jsconsole extensively to make all observed configuration changes.

Attack Flow Diagram

sequenceDiagram
    participant ATK as Attacker
    participant FW as FortiGate Firewall\n(FortiOS 7.0.0-7.0.16)
    participant MGMT as Web Mgmt Interface
    participant JCON as jsconsole (CLI)
    participant VPN as SSL VPN
    participant INT as Internal Network
    participant DC as Domain Controller

    Note over ATK,DC: Stage 1 — Reconnaissance
    ATK->>FW: Exploit CVE-2024-55591\n(crafted WebSocket request)
    FW-->>ATK: super_admin access granted
    ATK->>JCON: set output more (gather system info)

    Note over ATK,DC: Stage 2 — Configuration Changes
    ATK->>JCON: Create new super_admin account
    ATK->>JCON: Create up to 6 local user accounts
    ATK->>JCON: Add users to existing SSL VPN groups
    ATK->>JCON: Create/modify SSL VPN portals

    Note over ATK,DC: Stage 3 — Establishing Persistence
    ATK->>VPN: Authenticate via newly created accounts
    VPN-->>ATK: SSL VPN tunnel established

    Note over ATK,DC: Stage 4 — Lateral Movement
    ATK->>INT: Access internal network via VPN
    ATK->>DC: DCSync attack (credential extraction)
    DC-->>ATK: Password hashes extracted
    ATK->>ATK: Wipe tracks and exit

Module 5 — Exposure and Scale

Censys Scan Data

Censys is an internet scanning platform that continuously maps exposed services across the internet. Two scans were conducted at different points in the investigation:

Scan 1 — January 17, 2025:

ProductExposed Instances
FortiProxy51
FortiOS~3,500,000

Scan 2 — February 6, 2025 (approximately 3 weeks later):

ProductExposed InstancesChange
FortiProxy35-16 (~31% reduction)
FortiOS~3,000,000-500,000 (~14% reduction)

Geographic Distribution

  • The majority of exposed devices are located in North America and Europe.
  • Approximately 16% of FortiOS devices are located in the United States.
  • Approximately one-third of FortiProxy devices are located in the United States.
pie title FortiOS Device Distribution (Approximate)
    "United States" : 16
    "Rest of North America" : 14
    "Europe" : 40
    "Asia-Pacific" : 20
    "Rest of World" : 10

What the Numbers Do Not Tell Us

Critical caveat: The Censys scans show total internet-exposed devices running FortiOS or FortiProxy, not the number of devices running a vulnerable version.

A more targeted Censys query filtering for vulnerable versions only (as of February 6, 2025) showed:

  • Only 128 vulnerable internet-exposed devices remained
  • Approximately 10% located in the United States

However, this does not account for devices that were:

  • Already compromised and taken offline
  • Remediated (patched or access restricted) without attribution
  • Unknown — devices in the ~500,000 that disappeared between scans

The key question is: how many of those ~500,000 devices that went offline were potentially compromised between mid-November 2024 and January 17, 2025?


Module 6 — Proof of Concept

A working proof-of-concept (PoC) exploit is publicly available on GitHub.


PoC Script Usage

The PoC is a Python script that accepts the following arguments:

python3 CVE-2024-55591-PoC.py \
  --target <IP_ADDRESS> \
  --port <PORT> \
  --command "<FORTIOS_CLI_COMMAND>" \
  --username <NEW_SUPER_ADMIN_USERNAME> \
  --ssl
ArgumentDescription
--targetIP address of the target FortiGate management interface
--portPort running the web management interface (typically 443)
--commandFortiOS CLI command to execute upon gaining access
--usernameUsername for the new super_admin account to be created
--sslUse SSL connection (required for port 443)

Demo Walkthrough

The demo was performed against a FortiGate running FortiOS 7.0.16 (one of the vulnerable versions).

Before exploitation — baseline state:

  • Users: one user guest in the guest group
  • Administrators: one user admin with the super_admin profile
  • Event log: last event was a successful admin login

Exploitation:

# Clone the PoC
git clone https://github.com/watchtowrlabs/fortios-auth-bypass-poc-CVE-2024-55591.git
cd fortios-auth-bypass-poc-CVE-2024-55591

# Run the exploit
python3 CVE-2024-55591-PoC.py \
  --target 192.168.1.1 \
  --port 443 \
  --command "get system status" \
  --username fakeUser \
  --ssl

Result: The exploit ran and the get system status command produced output — confirming successful unauthenticated execution.

After exploitation — changes observed in management interface:

  • Event log shows a successful login from user fakeUser
  • fakeUser has the super_admin profile
  • Login source: jsconsole
Event Log Entry (post-exploitation):
  User:     fakeUser
  Profile:  super_admin
  Source:   jsconsole
  Action:   Login successful

The entire attack from running the script to gaining super_admin access takes only seconds.


Module 7 — Indicators of Compromise (IoCs)

Arctic Wolf and FortiGuard have identified multiple indicators of compromise that organizations can use to assess their environments.


IP Address Anomalies

The attackers spoofed source and destination IP addresses during their operations, often using:

  • The loopback interface address (127.0.0.1)
  • Google DNS server addresses (8.8.8.8, 8.8.4.4)
  • Cloudflare DNS server addresses (1.1.1.1, 1.0.0.1)

What to look for:

1. Login events where the source IP or destination IP is:
   - 127.0.0.1 (loopback)
   - 8.8.8.8 or 8.8.4.4 (Google DNS)
   - 1.1.1.1 or 1.0.0.1 (Cloudflare DNS)

2. Login events where source IP == destination IP
   (same address used for both source and destination)

Account and Group Activity

3. Admin creation logs showing:
   - Same unusual source IP addresses as above
   - Randomly generated usernames (e.g., random strings, not human-readable)

4. Local user creation logs showing:
   - Randomly generated usernames

5. User group changes:
   - New user groups created
   - New local users added to existing SSL VPN user groups

SSL VPN Indicators

6. SSL VPN logs showing:
   - Tunnel establishment by newly created users with randomly generated names
   - VPN connections to the internal network from unfamiliar accounts

Known Attacker Infrastructure

Five external IP addresses were identified as being used by the attackers. The most frequently observed was:

45.55.158.47

Look for any outbound communications or connections from your firewall or internal hosts to these IP addresses.

The use of only five VPS (Virtual Private Server) addresses by the attacker is unusual and represents an opportunity to detect the campaign — a small, finite pool of infrastructure is easier to identify and block.


IoC Summary Diagram

graph TD
    IOC[Indicators of Compromise]

    IOC --> IP[IP Address Anomalies]
    IOC --> ACC[Account Activity]
    IOC --> VPN[SSL VPN Logs]
    IOC --> EXT[External Infrastructure]

    IP --> IP1[Source = Loopback 127.0.0.1]
    IP --> IP2[Source = Google/Cloudflare DNS]
    IP --> IP3[Source IP == Destination IP]

    ACC --> ACC1[Admin creation from unusual IPs]
    ACC --> ACC2[Randomly generated admin usernames]
    ACC --> ACC3[Randomly generated local usernames]
    ACC --> ACC4[New users added to SSL VPN groups]

    VPN --> VPN1[Random-username accounts\nestablishing VPN tunnels]
    VPN --> VPN2[New SSL VPN portals created]

    EXT --> EXT1[45.55.158.47\nmost common attacker IP]
    EXT --> EXT2[4 additional attacker IPs]

Module 8 — Remediation and Mitigations

Patching

Patching is the primary and recommended remediation. The following versions address CVE-2024-55591:

FortiOS:
  Upgrade to 7.0.17 or above

FortiProxy 7.0 branch:
  Upgrade to 7.0.20 or above

FortiProxy 7.2 branch:
  Upgrade to 7.2.13 or above

Reference: FortiGuard PSIRT advisory FG-IR-24-535


Workarounds When Patching Is Not Immediately Possible

If patching cannot be performed immediately, two workarounds can reduce the risk. Both have operational trade-offs:

Workaround 1: Disable the HTTP/HTTPS web-based admin interface

Impact: Cannot manage the firewall via the web interface
Benefit: Removes the attack surface entirely
Risk reduction: HIGH (eliminates the exploitable endpoint)
Operational impact: HIGH (admins must use alternative methods)

Workaround 2: Limit IP addresses that can reach the admin interface

Impact: Only specific approved IPs can reach the management interface
Benefit: Still allows web-based management in a controlled way
Risk reduction: MEDIUM to HIGH (depends on access control implementation)
Operational impact: LOWER (admins from approved IPs can still work)
Requirement: Must be actively monitored to ensure ongoing authorized access

FortiGuard provides detailed instructions for implementing IP access restrictions. See the FG-IR-24-535 advisory for specifics.


Remediation Decision Flow

flowchart TD
    A[Device running vulnerable\nFortiOS or FortiProxy?] -->|Yes| B[Can you patch immediately?]
    A -->|No| Z[No action required]

    B -->|Yes| C[Upgrade to fixed version\nFortiOS ≥ 7.0.17\nFortiProxy 7.0 ≥ 7.0.20\nFortiProxy 7.2 ≥ 7.2.13]
    B -->|No| D[Apply workaround]

    D --> E{Which workaround?}
    E --> F[Option 1: Disable HTTP/HTTPS\nadmin interface entirely\nHighest risk reduction\nHighest operational impact]
    E --> G[Option 2: Restrict admin interface\nto approved IPs only\nBalanced approach\nRequires active monitoring]

    C --> H[Hunt for signs of prior compromise\nCheck logs before patching window]
    F --> H
    G --> H
    H --> I[Review IoCs\nCheck login, admin creation,\nSSL VPN logs]

Module 9 — Threat Hunting

Given that this vulnerability has been actively exploited since at least mid-November 2024, organizations must actively hunt for signs of prior compromise — do not assume a clean environment simply because a patch has been applied.

Where to Look

Log Sources to Review:
  1. Login logs (management interface)
  2. Admin creation logs
  3. SSL VPN logs
  4. Local user creation logs
  5. User group modification logs
  6. Network traffic logs / firewall logs

Threat Hunting Checklist

graph TD
    START[Begin Threat Hunt] --> L1

    L1[Review Login Logs] --> L1A{Unusual source/dest IPs?\n127.0.0.1, 8.8.8.8, 1.1.1.1?}
    L1A -->|Yes| FLAG1[FLAG: Potential unauthorized access]
    L1A -->|No| L2

    L2[Review Admin Creation Logs] --> L2A{Same unusual IPs?\nRandomly generated usernames?}
    L2A -->|Yes| FLAG2[FLAG: New unauthorized admin accounts]
    L2A -->|No| L3

    L3[Review Local User Creation Logs] --> L3A{Randomly generated usernames?}
    L3A -->|Yes| FLAG3[FLAG: Unauthorized local accounts]
    L3A -->|No| L4

    L4[Review Group Membership Logs] --> L4A{New users added to\nSSL VPN groups?}
    L4A -->|Yes| FLAG4[FLAG: Unauthorized VPN access setup]
    L4A -->|No| L5

    L5[Review SSL VPN Logs] --> L5A{Random-username accounts\nestablishing tunnels?}
    L5A -->|Yes| FLAG5[FLAG: Active unauthorized VPN use]
    L5A -->|No| L6

    L6[Check Network Traffic] --> L6A{Connections to/from\n45.55.158.47 or other\nattacker IPs?}
    L6A -->|Yes| FLAG6[FLAG: Communication with attacker infrastructure]
    L6A -->|No| CLEAN[No obvious IoCs found\nContinue routine monitoring]

    FLAG1 & FLAG2 & FLAG3 & FLAG4 & FLAG5 & FLAG6 --> IR[Initiate Incident Response]

Specific items to search for:

  • Login activity with loopback, Google DNS, or Cloudflare DNS as source or destination
  • Admin creation logs where source IP = destination IP
  • Randomly generated usernames in admin creation and local user creation logs
  • New user groups, or new local users added to existing SSL VPN groups
  • SSL VPN tunnel establishment by randomly named users
  • Communications with 45.55.158.47 and up to four additional attacker IPs

Arctic Wolf was able to identify this campaign early specifically because external monitoring was already in place for unexpected firewall configuration changes. This is a key lesson.


Module 10 — Proactive Security Best Practices

Regardless of vendor, these best practices apply to all organizations running edge appliances and network security infrastructure.


Admin Account Hardening

Use non-standard, non-guessable admin usernames.

In some attacks (this one included), an attacker needs to know an admin account’s username to perform the attack. A non-standard username provides some protection.

Default (avoid):    admin
Better:             fw-mgr-01
Even better:        Use a naming convention known only internally,
                    not documented publicly

Caveat: In the case of CVE-2024-55591, the Node.js WebSocket is not an authentication point, so nothing would stop an attacker from brute-forcing the username. Hardening helps but is not a complete control here.


External Network Scanning

Conduct routine scanning of external networks to detect:

  • New IP addresses that have appeared unexpectedly
  • New ports that have opened on known devices
  • Services that should not be internet-facing

This should be ongoing, not a one-time exercise.


Asset Inventory

Maintain an accurate, up-to-date asset inventory that includes:

For each device:
  - Physical or logical location
  - Security significance / criticality
  - Which ports should be open
  - What software is running and at what version
  - What the device is authorized to do

When a CVE like this drops, an accurate inventory means you can immediately answer:

  • Do we have any affected devices?
  • How many?
  • Where are they?
  • Are they patched?

Without this, the incident response process begins with a days-long discovery exercise before remediation can even start.


Monitoring and Alert Rules

Review and update monitoring and alert rules to detect:

  • Unexpected configuration changes (creation of new admin accounts, modification of SSL VPN groups)
  • IP address anomalies (source = destination, loopback as source, DNS IPs as source)
  • Impossible login patterns (logins from addresses that should not be able to reach the management interface)

Arctic Wolf identified this attack campaign early specifically because external monitoring was already in place for unexpected firewall configuration changes. This is a concrete example of monitoring paying off.


Threat Intelligence

Stay on top of the evolving threat landscape. This is challenging, but the effort can be scaled to the organization:

graph TD
    TI[Threat Intelligence Program]

    TI --> S[Sector Awareness\nWhat threats target your industry?]
    TI --> TA[Threat Actor Profiling\nWhich actors are likely to target you?\nWhat TTPs do they use?]
    TI --> PROD[Product Advisories\nSign up for security advisories\nfor every product in your environment]
    TI --> TREND[Security Trends\nEdge device targeting is trending up]

    TI --> SCALE[Scale to Organization Size]
    SCALE --> LARGE[Large org / critical infrastructure\nDedicated threat intelligence team]
    SCALE --> SMALL[Smaller org\nAssign activities to security/IT team members\nMonthly review meeting]

The framework for threat intelligence:

  1. Identify the sector you work in — which threat actors commonly target it?
  2. Understand the common TTPs used by those actors — can you defend against them?
  3. Know what software products are in your environment — subscribe to security advisories for each.
  4. Monitor security trends — edge device targeting has been increasing year-over-year.
  5. Match the investment level to the organization’s risk appetite (established by the board).

Additionally: Practice your incident response. Developing “muscle memory” for incident response procedures means that when an event occurs, the team can execute efficiently rather than improvising under pressure.


Quick Reference Summary

graph TD
    CVE["CVE-2024-55591\nCritical — CVSS 9.8"]

    CVE --> WHAT[What: Authentication bypass\nvia Node.js WebSocket module\nCWE-288]
    CVE --> WHO[Who: Fortinet FortiOS + FortiProxy\nVersions 7.0.0-7.0.16 FortiOS\n7.0.0-7.0.19 / 7.2.0-7.2.12 FortiProxy]
    CVE --> WHEN[When: Exploited since ~Nov 16, 2024\nDisclosed Jan 14, 2025]
    CVE --> IMPACT[Impact: super_admin access\nConfig changes, VPN access,\nDCSync credential theft]

    CVE --> FIX[Fix]
    FIX --> PATCH[Patch:\nFortiOS ≥ 7.0.17\nFortiProxy 7.0 ≥ 7.0.20\nFortiProxy 7.2 ≥ 7.2.13]
    FIX --> WA[Workarounds:\nDisable web admin interface\nOR restrict to trusted IPs]

    CVE --> HUNT[Hunt for IoCs]
    HUNT --> LOGS[Check: Login logs\nAdmin creation logs\nSSL VPN logs]
    HUNT --> IPS[Watch for: 127.0.0.1, DNS IPs,\nsame src=dst, 45.55.158.47]
    HUNT --> ACCTS[Watch for: Random usernames\nNew VPN groups/users]
ItemDetail
CVECVE-2024-55591
CVSS9.8 (Critical)
CWECWE-288 (Alternate Path Authentication Bypass)
AffectedFortiOS 7.0.0-7.0.16, FortiProxy 7.0.0-7.0.19, FortiProxy 7.2.0-7.2.12
Fixed versionsFortiOS 7.0.17+, FortiProxy 7.0 → 7.0.20+, FortiProxy 7.2 → 7.2.13+
Exploit pathNode.js WebSocket module → management interface → jsconsole
Privileges requiredNone
User interactionNone
Impactsuper_admin access, config changes, VPN persistence, DCSync
Active since~November 16, 2024
PoC availableYes (public, GitHub)
Key IoCLogin from 127.0.0.1, same src=dst IP, random usernames, 45.55.158.47

Primary References


Search Terms

authentication · bypass · security · edge · know · vulnerability · briefings · networking · systems · stage · attack · threat · account · configuration · data · diagram · flow · hunting · indicators · patching · remediation · risk · scanning

More Vulnerability Briefings courses

View all 30

Interested in this course?

Contact us to book it or get a custom training plan for your team.