UPDATED ON 12/02/2025: 

Note that the flaw added to FG-IR-24-535 in this update is not a zero-day: it was already fixed by the January releases listed in the version table below.

Tracked as CVE-2025-24472 

Description: 

An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS 7.0.0 through 7.0.16 and FortiProxy 7.2.0 through 7.2.12, 7.0.0 through 7.0.19 may allow a remote attacker to gain super-admin privileges via crafted CSF proxy requests. 

CVSS Score: 8.1 High 

The updated advisory lists both flaws under its exploitation note and adds a workaround for the new CSF proxy request path; however, Fortinet states that only CVE-2024-55591 has been observed exploited in the wild.

If a customer has already upgraded based on the guidance in FG-IR-24-535 / CVE-2024-55591, they are already protected against the newly disclosed vulnerability.

Below are the updated workarounds from the original post, for those who have not patched yet.

 

Summary 

An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS and FortiProxy may allow a remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module. 

CVE-2024-55591 is an authentication bypass vulnerability with a CVSSv3 score of 9.6, rated critical. FortiOS is the operating system for Fortinet products, including Fortinet SSL VPNs and next-generation firewalls (NGFW); FortiProxy is a secure web gateway that includes advanced filtering and inspection.

Reports show this vulnerability is being exploited in the wild.

Affected Versions 

Version          Affected                Solution 
FortiOS 7.6      Not affected            Not Applicable 
FortiOS 7.4      Not affected            Not Applicable 
FortiOS 7.2      Not affected            Not Applicable 
FortiOS 7.0      7.0.0 through 7.0.16    Upgrade to 7.0.17 or above 
FortiOS 6.4      Not affected            Not Applicable 
FortiProxy 7.6   Not affected            Not Applicable 
FortiProxy 7.4   Not affected            Not Applicable 
FortiProxy 7.2   7.2.0 through 7.2.12    Upgrade to 7.2.13 or above 
FortiProxy 7.0   7.0.0 through 7.0.19    Upgrade to 7.0.20 or above 
FortiProxy 2.0   Not affected            Not Applicable 

 

Recommendations 

Those running affected versions of FortiOS or FortiProxy should upgrade immediately to a fixed version, following the recommended upgrade path from the Fortinet upgrade tool: https://docs.fortinet.com/upgrade-tool 

Additionally, organisations are strongly encouraged to perform a compromise assessment by hunting for the indicators of compromise detailed in this advisory. 

Workarounds 

Temporary Workaround 1: 

Disable the HTTP/HTTPS administrative interface. 

 

Temporary Workaround 2: 

Limit the IP addresses that can reach the administrative interface via local-in policies. First create an address object for the permitted management networks (replace the placeholder with your own address and mask): 

config firewall address 
edit "my_allowed_addresses" 
set subnet <MY IP> <MY SUBNET> 
end 

Then create an Address Group: 

config firewall addrgrp 
edit "MGMT_IPs" 
set member "my_allowed_addresses" 
end 

Create the local-in policies that allow access only from the predefined group on the management interface (here: port1) and deny it from everywhere else. Local-in policies are matched top to bottom, so the accept must come before the deny: 

config firewall local-in-policy 
edit 1 
set intf port1 
set srcaddr "MGMT_IPs" 
set dstaddr "all" 
set action accept 
set service HTTPS HTTP 
set schedule "always" 
set status enable 
next 
edit 2 
set intf "all" 
set srcaddr "all" 
set dstaddr "all" 
set action deny 
set service HTTPS HTTP 
set schedule "always" 
set status enable 
next 
end 

If non-default ports are used for GUI administrative access (admin-sport / admin-port under config system global), create matching custom service objects, replacing 443 and 80 with the ports actually configured: 

config firewall service custom 
edit GUI_HTTPS 
set tcp-portrange 443 
next 
edit GUI_HTTP 
set tcp-portrange 80 
end 

Use these objects instead of "HTTPS HTTP" in local-in policies 1 and 2 above. 

Note that the trusthost feature achieves the same result as the local-in policies above only if every GUI user is configured with it; the local-in policies are therefore the preferred workaround. 
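As an added example (not Fortinet's code or configuration), the following Python script parses `show firewall local-in-policy` output and checks that the rule set actually implements the restriction above: an accept for the admin services from a restricted source object, followed by a deny on all interfaces from all sources, in that order. The sample policy text is constructed from the workaround; the `admin_services` parameter and the service names are assumptions, so substitute GUI_HTTPS/GUI_HTTP if custom service objects are in use.

```python
import shlex
from typing import Dict, List, Tuple

# Added example, not Fortinet's code. Parses `show firewall local-in-policy`
# output and checks that it implements the workaround: admin HTTP/HTTPS is
# accepted only from a restricted address object, then denied from everywhere.

# Constructed sample: the two rules from the workaround as FortiOS prints them.
SAMPLE_LOCAL_IN = """
config firewall local-in-policy
    edit 1
        set intf "port1"
        set srcaddr "MGMT_IPs"
        set dstaddr "all"
        set action accept
        set service "HTTPS" "HTTP"
        set schedule "always"
        set status enable
    next
    edit 2
        set intf "all"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "HTTPS" "HTTP"
        set schedule "always"
        set status enable
    next
end
"""

# Service objects that expose the GUI (assumption: swap in GUI_HTTPS/GUI_HTTP for custom ports).
ADMIN_SERVICES = {"HTTPS", "HTTP"}

Rule = Dict[str, List[str]]


def parse_local_in_policy(text: str) -> List[Rule]:
    """Return the local-in rules in table order; each rule maps a setting
    name to its list of (unquoted) values, with the edit id under "id"."""
    rules: List[Rule] = []
    current: Rule = {}
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        if tokens[0] == "edit" and len(tokens) == 2:
            current = {"id": [tokens[1]]}
        elif tokens[0] == "set" and current and len(tokens) >= 3:
            current[tokens[1]] = tokens[2:]
        elif tokens[0] in ("next", "end") and current:
            # FortiOS accepts "end" directly after the last "set", so treat both as closing the entry.
            rules.append(current)
            current = {}
    return rules


def check_admin_lockdown(rules: List[Rule], admin_services=ADMIN_SERVICES) -> Tuple[bool, List[str]]:
    """Local-in policies match top to bottom, so a restricted accept must
    precede a deny covering all interfaces and sources for every admin service."""
    findings: List[str] = []
    deny_seen = False
    for rule in rules:
        if rule.get("status", ["enable"])[0] != "enable":
            continue
        services = set(rule.get("service", []))
        if not services & admin_services:
            continue  # rule does not touch the admin ports
        rid = rule["id"][0]
        action = rule.get("action", ["deny"])[0]
        src = set(rule.get("srcaddr", []))
        intf = set(rule.get("intf", []))
        if action == "accept":
            if "all" in src:
                findings.append(f"rule {rid}: accepts admin services from srcaddr 'all'")
            if deny_seen:
                findings.append(f"rule {rid}: accept sits after the catch-all deny and never matches")
        elif "all" in intf and "all" in src and admin_services <= services:
            deny_seen = True
    if not deny_seen:
        findings.append("no catch-all deny for admin services on intf 'all' / srcaddr 'all'")
    return (not findings, findings)


if __name__ == "__main__":
    ok, notes = check_admin_lockdown(parse_local_in_policy(SAMPLE_LOCAL_IN))
    print("workaround in place" if ok else "\n".join(notes))
```

Feed it the output of `show firewall local-in-policy` from each device; a rule that accepts the admin services from `all`, or the absence of the trailing deny, is reported as a finding.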

UPDATED: 

Note as well that an attacker needs to know an admin account's username to perform the attack and log in to the CLI. A non-standard, non-guessable admin username therefore offers some protection and is a general best practice. Keep in mind, however, that the targeted websocket is not an authentication point, so nothing prevents an attacker from brute-forcing the username. 

Please contact customer support for assistance. 

CSF requests issue: 

Disable Security Fabric from the CLI: 

config system csf 
set status disable 
end 

Contact Fortinet customer support for assistance with this change. 

Indicators of compromise 

Log Entries and operations performed by attackers: 

Fortinet has provided the following log entries as potential indicators of compromise: 

  • type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" sn="1733486785" user="admin" ui="jsconsole" method="jsconsole" srcip=1.1.1.1 dstip=1.1.1.1 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from jsconsole" 
  • type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="jsconsole(127.0.0.1)" action="Add" cfgtid=1411317760 cfgpath="system.admin" cfgobj="vOcep" cfgattr="password[*]accprofile[super_admin]vdom[root]" msg="Add system.admin vOcep" 

Note: Fortinet has advised that sn and cfgtid are not relevant to the attack. 

 
Additional operations performed by attackers include: 

  • Creating an admin account on the device with random user name (details below) 
  • Creating a Local user account on the device with random user name (details below) 
  • Creating a user group or adding the above Local user to an existing sslvpn user group 
  • Adding/changing other settings (firewall policy, firewall address, etc.) 
  • Logging in the sslvpn with the above added local users to get a tunnel to the internal network. 

 

Spoofed IP Addresses: 

The attacker has been observed spoofing the source and destination IP address in the jsconsole sessions, and these IP addresses are not typical for jsconsole activity. As these IP addresses are spoofed, please only hunt for these in the context of jsconsole sessions. 
1.1.1.1 
127.0.0.1 
2.2.2.2 
8.8.8.8 
8.8.4.4 

Note that the addresses above are not the real source IPs of the attack traffic; the attacker supplies them arbitrarily as a parameter, so they must not be used for blocking. 


IP Addresses: 

The attacker has been seen using the following IP addresses: 

45.55.158.47 (most used IP Address) 
87.249.138.47 
155.133.4.175 
37.19.196.65 
149.22.94.37 

Attacker-generated Admin or Local user accounts: 

The attacker has been observed creating admin and local user accounts with random alphanumeric names of about 6 characters (one of the published examples is 5). Some examples are: 
Gujhmk 
Ed8x4k 
G0xgey 
Pvnw8 
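As an added example (not Fortinet's code), the following Python script runs the hunt described in this section over FortiOS event logs: it flags jsconsole admin logins carrying the spoofed addresses, admin or local user accounts created from jsconsole or with short random names, and any log line whose source or remote IP is one of the listed attacker addresses. The first two sample lines are the published IoC entries; the benign HTTPS login and the SSL-VPN line (using the FortiOS `remip` field) are constructed for this example, and the `user.local` cfgpath and the 5-6 character name pattern are assumptions.

```python
import re
from typing import Dict, List

# Added example, not Fortinet's code: a hunt over FortiOS event logs for the
# indicators above. Lines 1-2 are the published IoC entries; line 3 (normal
# HTTPS GUI login) and line 4 (SSL-VPN tunnel from a listed attacker IP) are
# constructed for this example.
SAMPLE_LOGS = [
    'type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" sn="1733486785" user="admin" ui="jsconsole" method="jsconsole" srcip=1.1.1.1 dstip=1.1.1.1 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from jsconsole"',
    'type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="jsconsole(127.0.0.1)" action="Add" cfgtid=1411317760 cfgpath="system.admin" cfgobj="vOcep" cfgattr="password[*]accprofile[super_admin]vdom[root]" msg="Add system.admin vOcep"',
    'type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" ui="https(10.0.0.5)" method="https" srcip=10.0.0.5 dstip=10.0.0.1 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from https(10.0.0.5)"',
    'type="event" subtype="vpn" level="information" vd="root" logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-tunnel" remip=45.55.158.47 user="Gujhmk" group="sslvpn_users" msg="SSL tunnel established"',
]

# Values the attacker supplied for srcip/dstip in jsconsole sessions (spoofed; never block on them).
SPOOFED_JSCONSOLE_IPS = {"1.1.1.1", "127.0.0.1", "2.2.2.2", "8.8.8.8", "8.8.4.4"}
# Real source addresses Fortinet observed the attacker using.
ATTACKER_IPS = {"45.55.158.47", "87.249.138.47", "155.133.4.175", "37.19.196.65", "149.22.94.37"}
# Attacker-created accounts had short random names; 5-6 chars covers the published examples (assumption).
RANDOM_NAME_RE = re.compile(r"[A-Za-z0-9]{5,6}")
# cfgpath values for admin and local user objects ("user.local" is an assumption).
ACCOUNT_CFGPATHS = {"system.admin", "user.local"}

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortios_log(line: str) -> Dict[str, str]:
    """Split a FortiOS key=value log line into a dict (quoted or bare values)."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def hunt_iocs(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per matched indicator, with a 1-based line number."""
    hits: List[Dict[str, str]] = []
    for n, line in enumerate(lines, start=1):
        r = parse_fortios_log(line)
        via_jsconsole = r.get("ui", "").startswith("jsconsole") or r.get("method") == "jsconsole"
        if r.get("action") == "login" and via_jsconsole:
            # Only hunt the spoofed addresses in the context of jsconsole sessions.
            sev = "high" if r.get("srcip") in SPOOFED_JSCONSOLE_IPS else "review"
            hits.append({"line": n, "severity": sev, "ioc": "jsconsole admin login", "user": r.get("user", "")})
        if r.get("action") == "Add" and r.get("cfgpath") in ACCOUNT_CFGPATHS:
            name = r.get("cfgobj", "")
            random_name = RANDOM_NAME_RE.fullmatch(name) is not None
            if via_jsconsole or random_name:
                sev = "high" if (via_jsconsole and random_name) else "review"
                hits.append({"line": n, "severity": sev, "ioc": f"account created: {r['cfgpath']}", "user": name})
        for field in ("srcip", "remip"):
            if r.get(field) in ATTACKER_IPS:
                hits.append({"line": n, "severity": "high", "ioc": f"known attacker IP in {field}", "user": r.get("user", "")})
    return hits


if __name__ == "__main__":
    for hit in hunt_iocs(SAMPLE_LOGS):
        print(hit)
```

Run it over exported event logs (or adapt `parse_fortios_log` to the FortiAnalyzer export format); any "high" finding on a jsconsole login or account creation warrants the full compromise assessment described above, not just removal of the account.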

 

Threat Updates 

For more information and updates on this vulnerability, monitor Fortinet's official Product Security Incident Response Team page: https://fortiguard.fortinet.com/psirt/FG-IR-24-535 
