A critical zero-day vulnerability in Fortinet’s FortiOS and FortiProxy products is being actively exploited by hackers to gain super-admin privileges on affected devices.
The authentication bypass flaw, tracked as CVE-2024-55591, allows remote attackers to execute unauthorized code or commands via crafted requests to the Node.js websocket module.
Fortinet confirmed the exploitation of this vulnerability in the wild, urging users to take immediate action. The affected versions include FortiOS 7.0.0 through 7.0.16, FortiProxy 7.2.0 through 7.2.12, and FortiProxy 7.0.0 through 7.0.19.
Security researchers at Arctic Wolf first observed suspicious activity related to this vulnerability in mid-November 2024.
The attack campaign progressed through four phases: vulnerability scanning, reconnaissance, SSL VPN configuration, and lateral movement.
The threat actors have been seen using various IP addresses, with 45.55.158.47 being the most frequently used.
Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free
Other observed IPs include:-
Indicators of compromise include unauthorized administrative logins, creation of new accounts with random usernames, and various configuration changes.
The attackers have been observed creating both admin and local user accounts, adding users to SSL VPN groups, and modifying firewall policies.
Fortinet recommends users upgrade to the latest patched versions:-
For those unable to update immediately, Fortinet has provided workaround steps, including disabling the HTTP/HTTPS administrative interface or limiting IP addresses that can access the administrative interface via local-in policies.
Organizations using affected Fortinet products are strongly advised to check for signs of compromise and take necessary mitigation steps to protect their networks from potential breaches.
Find this News Interesting! Follow us on Google News, LinkedIn, and X to Get Instant Updates!
As California grapples with devastating wildfires, communities are rallying to protect lives and property. Unfortunately,…
AISURU botnet launched a DDoS attack targeting Black Myth: Wukong distribution platforms in August 2024…
Botnets are the networks of compromised devices that have evolved significantly since the internet's inception.…
The Federal Trade Commission (FTC) has announced that it will require GoDaddy Inc. to develop…
A significant cybersecurity threat has emerged, threatening the integrity of thousands of PHP-based web applications.…
A significant security vulnerability has been identified in the W3 Total Cache plugin for WordPress,…