Critical Vulnerability in FortiOS and FortiProxy
16 January 2025
Fortinet has released security updates addressing a critical authentication bypass vulnerability (CVE-2024-55591) affecting its FortiOS and FortiProxy products. There are reports that the vulnerability is being exploited in the wild.
Successful exploitation of this vulnerability could allow an attacker to gain super-admin privileges by sending crafted requests to a Node.js WebSocket module.
Indicators of Compromise (IOCs)
Fortinet has provided the following log entries and IP addresses as potential IOCs. Administrators are advised to monitor system logs for IOCs such as unauthorised administrative accounts, unrecognised configuration changes, or suspicious SSL VPN connections.
Log Entries:
type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" sn="1733486785" user="admin" ui="jsconsole" method="jsconsole" srcip=1.1.1.1 dstip=1.1.1.1 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from jsconsole"
type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="jsconsole(127.0.0.1)" action="Add" cfgtid=1411317760 cfgpath="system.admin" cfgobj="vOcep" cfgattr="password[*]accprofile[super_admin]vdom[root]" msg="Add system.admin vOcep"
Note: Fortinet has advised that sn and cfgtid are not relevant to the attack.
IP Addresses:
45.55.158.47 (most common)
87.249.138.47
155.133.4.175
37.19.196.65
149.22.94.37
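The following Python script is an added example, not part of the advisory or Fortinet's own detection content. It parses FortiOS key=value event log lines and flags the behaviour the IOCs above describe: a successful administrator login from the jsconsole UI, a new system.admin object with the super_admin profile created from jsconsole, and any source IP from the list above. The two IOC log lines are copied from the advisory; the benign and failed-login lines are constructed for contrast. As the note says, sn and cfgtid are ignored because Fortinet has advised they are not relevant to the attack.

```python
"""Scan FortiOS event logs for the CVE-2024-55591 indicators listed in the advisory.

Rule logic is this example's own reading of the advisory, not Fortinet's detection content.
"""
import re
from typing import Dict, List

# FortiOS event logs are space-separated key=value pairs; values may be double-quoted.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Source IP addresses Fortinet listed in the advisory.
IOC_IPS = {
    "45.55.158.47", "87.249.138.47", "155.133.4.175", "37.19.196.65", "149.22.94.37",
}


def parse_fortios_log(line: str) -> Dict[str, str]:
    """Turn one FortiOS log line into a dict of field -> value."""
    fields: Dict[str, str] = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def match_iocs(fields: Dict[str, str]) -> List[str]:
    """Return the names of every IOC rule the parsed log line matches.

    sn and cfgtid are deliberately not used: the advisory notes they are not
    relevant to the attack, so the rules key on the behavioural fields only.
    """
    hits: List[str] = []
    ui = fields.get("ui", "")
    # Rule 1: successful administrator login from the jsconsole UI.
    if fields.get("logdesc") == "Admin login successful" and (
        ui.startswith("jsconsole") or fields.get("method") == "jsconsole"
    ):
        hits.append("jsconsole_admin_login")
    # Rule 2: a system.admin object with the super_admin profile added from jsconsole.
    if (
        fields.get("cfgpath") == "system.admin"
        and fields.get("action") == "Add"
        and ui.startswith("jsconsole")
        and "accprofile[super_admin]" in fields.get("cfgattr", "")
    ):
        hits.append("jsconsole_super_admin_created")
    # Rule 3: source IP is one of the addresses listed in the advisory.
    if fields.get("srcip") in IOC_IPS:
        hits.append("known_ioc_srcip")
    return hits


def scan_logs(lines: List[str]) -> List[Dict[str, object]]:
    """Scan log lines and return one finding per line that matches any rule."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        fields = parse_fortios_log(line)
        hits = match_iocs(fields)
        if hits:
            findings.append({
                "rules": hits,
                "user": fields.get("user"),
                "ui": fields.get("ui"),
                "srcip": fields.get("srcip"),
                "msg": fields.get("msg"),
            })
    return findings


# Sample input: the two IOC lines quoted in the advisory plus two constructed lines.
SAMPLE_LOGS = [
    'type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" '
    'sn="1733486785" user="admin" ui="jsconsole" method="jsconsole" srcip=1.1.1.1 dstip=1.1.1.1 '
    'action="login" status="success" reason="none" profile="super_admin" '
    'msg="Administrator admin logged in successfully from jsconsole"',
    'type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" '
    'user="admin" ui="jsconsole(127.0.0.1)" action="Add" cfgtid=1411317760 cfgpath="system.admin" '
    'cfgobj="vOcep" cfgattr="password[*]accprofile[super_admin]vdom[root]" msg="Add system.admin vOcep"',
    # Constructed benign line: an ordinary GUI login from a trusted management host.
    'type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" '
    'user="admin" ui="https(10.0.0.5)" method="https" srcip=10.0.0.5 dstip=10.0.0.1 '
    'action="login" status="success" reason="none" profile="super_admin" '
    'msg="Administrator admin logged in successfully from https(10.0.0.5)"',
    # Constructed line: a failed GUI login whose source is one of the advisory's IPs.
    'type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" '
    'user="admin" ui="https(45.55.158.47)" method="https" srcip=45.55.158.47 dstip=10.0.0.1 '
    'action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed"',
]

if __name__ == "__main__":
    for finding in scan_logs(SAMPLE_LOGS):
        print(finding)
```

Run it against an exported event log (one line per entry) by feeding the lines to scan_logs; a hit on rule 1 or 2 warrants checking the admin account list and recent configuration changes, while rule 3 alone only indicates contact from a listed address and should be correlated with the login and configuration events.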
The vulnerability affects the following products:
FortiOS versions 7.0.0 through 7.0.16
FortiProxy versions 7.0.0 through 7.0.19
FortiProxy versions 7.2.0 through 7.2.12
Users and administrators of affected product versions are advised to update to the latest versions immediately.
Additionally, users are advised to implement the following mitigations if immediate upgrading is not feasible:
Disable the HTTP/HTTPS administrative interface to reduce exposure.
Restrict access via local-in policies by limiting administrative access to trusted IPs.
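To verify that the first mitigation has actually been applied across a fleet, an administrator can audit a FortiOS configuration export rather than inspecting each device by hand. The script below is an added example, not part of the advisory or any Fortinet tool: it assumes the `config system interface` / `edit "name"` / `set allowaccess ...` / `next` / `end` layout of FortiOS CLI exports and reports every interface whose allowaccess list still contains http or https. The sample configuration is constructed, with port1 showing the weak setting and port2 the hardened one.

```python
"""Audit a FortiOS configuration export for interfaces that still expose web administration.

The parser assumes the CLI export layout (config / edit / set / next / end) described above;
it only reads 'set allowaccess' lines inside 'config system interface' entries.
"""
from typing import Dict, List

# Services that expose the administrative web interface.
WEB_ADMIN_SERVICES = {"http", "https"}


def parse_interface_allowaccess(config_text: str) -> Dict[str, List[str]]:
    """Return {interface_name: [allowaccess services]} for every interface entry."""
    result: Dict[str, List[str]] = {}
    in_interfaces = False
    current = None   # name of the interface entry being read
    depth = 0        # nested 'config ... end' blocks inside the current entry
    for raw in config_text.splitlines():
        line = raw.strip()
        if not in_interfaces:
            if line == "config system interface":
                in_interfaces = True
            continue
        if current is None:
            if line.startswith("edit "):
                current = line[len("edit "):].strip().strip('"')
                result[current] = []       # no allowaccess line means nothing is allowed
            elif line == "end":
                in_interfaces = False
            continue
        # Inside an interface entry: track nested blocks so their 'end' is not mistaken
        # for the end of the interface table, and only read top-level allowaccess lines.
        if line.startswith("config "):
            depth += 1
        elif line == "end" and depth > 0:
            depth -= 1
        elif line == "next" and depth == 0:
            current = None
        elif depth == 0 and line.startswith("set allowaccess "):
            result[current] = line[len("set allowaccess "):].split()
    return result


def interfaces_exposing_web_admin(config_text: str) -> List[str]:
    """Names of interfaces whose allowaccess still includes http or https."""
    allow = parse_interface_allowaccess(config_text)
    return sorted(name for name, svcs in allow.items() if WEB_ADMIN_SERVICES & set(svcs))


# Constructed sample export: port1 still allows web administration, port2 does not.
SAMPLE_CONFIG = """\
config system global
    set hostname "FGT-EXAMPLE"
end
config system interface
    edit "port1"
        set ip 192.0.2.1 255.255.255.0
        set allowaccess ping https ssh http
        config ipv6
            set ip6-allowaccess ping
        end
    next
    edit "port2"
        set ip 10.0.0.1 255.255.255.0
        set allowaccess ping ssh
    next
end
"""

if __name__ == "__main__":
    exposed = interfaces_exposing_web_admin(SAMPLE_CONFIG)
    print("Interfaces exposing HTTP/HTTPS administration:", exposed or "none")
```

Any interface reported here on an Internet-facing device still has the administrative web interface reachable; either remove http and https from its allowaccess list or, where web administration must stay on, restrict reachability with local-in policies as the second mitigation describes.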
More information is available here:
https://www.fortiguard.com/psirt/FG-IR-24-535
https://nvd.nist.gov/vuln/detail/CVE-2024-55591