The Digital Security Authority (DSA) wants to bring to your attention an Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS versions 7.0.0 through 7.0.16, and FortiProxy versions 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12, which allows a remote attacker to gain super-admin privileges via crafted requests to the Node.js websocket module.
Technical Details
In the cases we observed, the Threat Actor (TA) performed some or all of the following operations:
- Creating an admin account on the device with a random user name
- Creating a local user account on the device with a random user name
- Creating a user group, or adding the local user above to an existing SSL VPN user group
- Adding or changing other settings (firewall policy, firewall address, ...)
- Logging in to the SSL VPN with the local users added above to obtain a tunnel into the internal network
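The operations above leave a recognisable trail in the device's event log: a config change that adds a system.admin object, a config change by that new admin that adds a user.local object and puts it in a group, and then an SSL VPN tunnel established by the freshly created local user. The following detection script is an added example written for this advisory, not Fortinet's code or an official DSA tool. The sample log lines are constructed, and the field names (cfgpath, cfgobj, cfgattr, ui, remip, action) follow the common FortiOS key="value" event-log layout, but the exact attributes and the "member[...]" syntax of cfgattr vary by firmware release and should be verified against logs from your own devices before relying on the rule.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs (not real indicators from the advisory). They model
# the sequence described above: new admin -> new local user -> group change ->
# firewall policy change -> SSL VPN tunnel by the new local user. The last line
# is a legitimate VPN login that must not be flagged.
SAMPLE_LOGS = """\
date=2025-01-10 time=08:01:12 type="event" subtype="system" logdesc="Object attribute configured" user="admin" ui="https(203.0.113.7)" action="Add" cfgpath="system.admin" cfgobj="qzxk4" msg="Add system.admin qzxk4"
date=2025-01-10 time=08:01:40 type="event" subtype="system" logdesc="Object attribute configured" user="qzxk4" ui="https(203.0.113.7)" action="Add" cfgpath="user.local" cfgobj="m7tpa" msg="Add user.local m7tpa"
date=2025-01-10 time=08:02:03 type="event" subtype="system" logdesc="Object attribute configured" user="qzxk4" ui="https(203.0.113.7)" action="Edit" cfgpath="user.group" cfgobj="sslvpn_users" cfgattr="member[m7tpa]" msg="Edit user.group sslvpn_users"
date=2025-01-10 time=08:02:30 type="event" subtype="system" logdesc="Object attribute configured" user="qzxk4" ui="https(203.0.113.7)" action="Add" cfgpath="firewall.policy" cfgobj="12" msg="Add firewall.policy 12"
date=2025-01-10 time=08:05:11 type="event" subtype="vpn" logdesc="SSL VPN tunnel up" user="m7tpa" group="sslvpn_users" remip=203.0.113.7 action="tunnel-up" msg="SSL tunnel established"
date=2025-01-10 time=09:30:00 type="event" subtype="vpn" logdesc="SSL VPN tunnel up" user="alice" group="sslvpn_users" remip=198.51.100.5 action="tunnel-up" msg="SSL tunnel established"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Parse one FortiOS key=value log line into a dict, adding a 'ts' datetime."""
    rec = {k: (quoted or bare) for k, quoted, bare in KV_RE.findall(line)}
    if "date" in rec and "time" in rec:
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
    return rec


def find_rogue_vpn_logins(lines, window=timedelta(hours=24)):
    """Flag SSL VPN tunnels opened by local users created within `window`.

    Each finding records who created the user and whether that actor is itself
    an admin account created in the same log window, which is the pattern the
    advisory describes. Assumed field names are noted in the lead-in.
    """
    new_admins = {}   # admin name -> creation time
    new_locals = {}   # local user name -> (creation time, creating actor)
    group_adds = set()  # local users later added to a user group
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        rec = parse_line(raw)
        if "ts" not in rec:
            continue  # unparseable line; skip rather than crash the sweep
        path, action = rec.get("cfgpath"), rec.get("action")
        if path == "system.admin" and action == "Add":
            new_admins[rec["cfgobj"]] = rec["ts"]
        elif path == "user.local" and action == "Add":
            new_locals[rec["cfgobj"]] = (rec["ts"], rec.get("user"))
        elif path == "user.group" and action in ("Add", "Edit"):
            # Assumed cfgattr syntax: member[name1 name2 ...]
            for members in re.findall(r"member\[([^\]]*)\]", rec.get("cfgattr", "")):
                group_adds.update(m for m in re.split(r"[\s,]+", members) if m)
        elif rec.get("subtype") == "vpn" and action == "tunnel-up":
            user = rec.get("user")
            if user in new_locals:
                created, actor = new_locals[user]
                if rec["ts"] - created <= window:
                    findings.append({
                        "user": user,
                        "created_by": actor,
                        "actor_is_new_admin": actor in new_admins,
                        "added_to_group": user in group_adds,
                        "remip": rec.get("remip"),
                        "tunnel_up": rec["ts"],
                    })
    return findings


if __name__ == "__main__":
    for f in find_rogue_vpn_logins(SAMPLE_LOGS.splitlines()):
        print(f)
```

Run the same function over exported event logs covering the whole exposure window (not just the last few hours), since the account creation and the first VPN login can be far apart; widen `window` if the device's retention allows. A hit where `actor_is_new_admin` is true should be treated as confirmed compromise rather than a suspicious login.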
Affected Products:
FortiOS 7.0: 7.0.0 through 7.0.16
FortiProxy 7.2: 7.2.0 through 7.2.12
FortiProxy 7.0: 7.0.0 through 7.0.19
Recommendations
The Digital Security Authority recommends updating the affected versions to the fixed or latest versions released by Fortinet:
FortiOS 7.0: 7.0.0 through 7.0.16, upgrade to 7.0.17 or above
FortiProxy 7.2: 7.2.0 through 7.2.12, upgrade to 7.2.13 or above
FortiProxy 7.0: 7.0.0 through 7.0.19, upgrade to 7.0.20 or above
Where an immediate upgrade is not possible, the Fortinet advisory referenced below (FG-IR-24-535) gives as a workaround disabling the HTTP/HTTPS administrative interface, or restricting the IP addresses that can reach it with a local-in policy. Note that upgrading removes the vulnerability but not the footholds described above: review admin accounts, local users, SSL VPN group memberships and firewall policies created or changed while the device was exposed, and remove anything that cannot be accounted for.
References
- https://fortiguard.fortinet.com/psirt/FG-IR-24-535
- https://www.cve.org/CVERecord?id=CVE-2024-55591
- https://nvd.nist.gov/vuln/detail/CVE-2024-55591
The information presented in this report is based on available data up to the 14th of January 2025.