PT-2025-1051 · Fortinet · FortiOS, FortiProxy

Published

2025-01-14

·

Updated

2026-06-24

·

CVE-2024-55591

CVSS v3.1

9.8

Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
FortiOS versions 7.0.0 through 7.0.16
FortiProxy versions 7.0.0 through 7.0.19
FortiProxy versions 7.2.0 through 7.2.12
Description
An authentication bypass using an alternate path or channel (CWE-288) exists in the Node.js websocket module of FortiOS and FortiProxy. An unauthenticated remote attacker who can reach the device's administrative HTTP/HTTPS interface can obtain super-admin privileges by sending specially crafted requests to the Node.js websocket module or crafted CSF proxy requests. The flaw has been exploited in the wild by ransomware groups, including The Gentlemen and NightSpire, and was used in an intrusion at a manufacturing company in which the attacker modified firewall policies, VPN settings and API integrations before deploying RansomHub ransomware.
Recommendations
Upgrade to a fixed release:
FortiOS 7.0.0 through 7.0.16: upgrade to 7.0.17 or later.
FortiProxy 7.0.0 through 7.0.19: upgrade to 7.0.20 or later.
FortiProxy 7.2.0 through 7.2.12: upgrade to 7.2.13 or later.
Until the upgrade is applied, reduce the exposed attack surface: the Node.js websocket module and the CSF proxy are reached through the administrative HTTP/HTTPS interface, so disable that interface on internet-facing ports or restrict it to trusted management addresses (for example with local-in policies). Because successful exploitation yields super-admin and the observed attacks changed firewall policies, VPN settings and API integrations, any device that was reachable while unpatched should have its administrator accounts, policies and VPN configuration reviewed for unauthorized changes, not just upgraded.
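As an added example (not Fortinet's code and not part of the original advisory), the following Python script checks an inventory of FortiOS/FortiProxy hosts against the affected ranges listed above and names the first fixed release for each hit, so that the "later than 7.0.16" style recommendation can be applied to a whole fleet at once. The hostnames and version strings in SAMPLE_INVENTORY are constructed; the FortiGate-to-FortiOS alias and the "v7.0.16,build0667" version-string shape are assumptions about how inventories record these devices.

```python
"""Triage a device inventory against the CVE-2024-55591 affected ranges on this page.
Added example, not Fortinet code; all inventory data below is constructed."""
import re

# Inclusive (first, last) affected builds per product, copied from the advisory text.
AFFECTED_RANGES = {
    "FortiOS": [((7, 0, 0), (7, 0, 16))],
    "FortiProxy": [((7, 0, 0), (7, 0, 19)), ((7, 2, 0), (7, 2, 12))],
}

# Assumption: inventories may label FortiOS devices "FortiGate"; both map to the same ranges.
_PRODUCT_ALIASES = {"fortios": "FortiOS", "fortigate": "FortiOS", "fortiproxy": "FortiProxy"}

# Finds the x.y.z version inside plain "7.0.16" or inside a longer status string such as
# "FortiGate-100F v7.0.16,build0667,240911 (GA.M)" (assumed format of `get system status`).
_VERSION_RE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Return (major, minor, patch) from a raw version string; raise if none is present."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def normalize_product(name):
    """Map an inventory product label onto the advisory's product names."""
    key = name.strip().lower().replace(" ", "")
    if key not in _PRODUCT_ALIASES:
        raise ValueError(f"unknown product {name!r}")
    return _PRODUCT_ALIASES[key]


def affected_range(product, version):
    """Return the (first, last) range containing `version`, or None when unaffected."""
    v = parse_version(version)
    for first, last in AFFECTED_RANGES[normalize_product(product)]:
        if first <= v <= last:
            return first, last
    return None


def is_affected(product, version):
    return affected_range(product, version) is not None


def minimum_fixed_version(product, version):
    """First fixed release in the same train (the advisory says 'later than' the upper
    bound), or None when the version is not inside an affected range."""
    rng = affected_range(product, version)
    if rng is None:
        return None
    major, minor, patch = rng[1]
    return f"{major}.{minor}.{patch + 1}"


def triage(inventory):
    """inventory: iterable of (hostname, product, raw_version) -> one dict per host.
    Unknown products and unparsable versions are reported with an 'error' key rather
    than skipped: a silently dropped firewall is a missed patch."""
    rows = []
    for host, product, raw in inventory:
        try:
            affected = is_affected(product, raw)
            rows.append({
                "host": host,
                "product": normalize_product(product),
                "version": ".".join(map(str, parse_version(raw))),
                "affected": affected,
                "upgrade_to": minimum_fixed_version(product, raw) if affected else None,
            })
        except ValueError as exc:
            rows.append({"host": host, "product": product, "version": raw,
                         "affected": None, "upgrade_to": None, "error": str(exc)})
    return rows


# Constructed sample inventory: hostnames and versions are invented for illustration.
SAMPLE_INVENTORY = [
    ("fw-edge-01", "FortiGate", "FortiGate-100F v7.0.16,build0667,240911 (GA.M)"),
    ("fw-edge-02", "FortiOS", "v7.0.17"),
    ("fw-dc-01", "FortiOS", "7.2.5"),
    ("proxy-01", "FortiProxy", "7.2.12"),
    ("proxy-02", "FortiProxy", "7.2.13"),
    ("unknown-01", "FortiManager", "7.4.2"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(row)
```

Note that FortiOS 7.2.5 is reported as unaffected only because this page lists no FortiOS 7.2 range; the check is exactly as broad as the ranges in AFFECTED_RANGES, so update that table if a later advisory revision widens them.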

Exploit

Fix

RCE

LPE

Authentication Bypass Using an Alternate Path or Channel


Weakness Enumeration

CWE-288: Authentication Bypass Using an Alternate Path or Channel

Related Identifiers

BDU:2025-00281
CVE-2024-55591
FORTINET_CVE2024_55591

Affected Products

FortiOS
FortiProxy