50,000 Fortinet Firewalls Remain Vulnerable to Critical Zero-Day Exploit
As of January 22, 2025, nearly 50,000 Fortinet firewall devices remain exposed to a critical zero-day vulnerability (CVE-2024-55591) despite urgent warnings and available patches. The flaw, which has been actively exploited since November 2024, allows attackers to bypass authentication and gain super-admin privileges on affected systems. CVE-2024-55591 is an authentication bypass vulnerability in Fortinet’s FortiOS […] The post 50,000 Fortinet Firewalls Remain Vulnerable to Critical Zero-Day Exploit appeared first on Cyber Security News.
As of January 22, 2025, nearly 50,000 Fortinet firewall devices remain exposed to a critical zero-day vulnerability (CVE-2024-55591) despite urgent warnings and available patches.
The flaw, which has been actively exploited since November 2024, allows attackers to bypass authentication and gain super-admin privileges on affected systems.
CVE-2024-55591 is an authentication bypass vulnerability in Fortinet’s FortiOS and FortiProxy products.
Exploitation involves sending crafted requests to the Node.js WebSocket module, enabling attackers to execute unauthorized commands, create rogue admin accounts, modify firewall policies, and establish VPN tunnels for lateral movement within networks.
The vulnerability has a CVSSv3 score of 9.6, underscoring its severity.
The flaw affects FortiOS versions 7.0.0 through 7.0.16 and FortiProxy versions 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12. Fixed versions—FortiOS 7.0.17 or higher and FortiProxy 7.2.13 or higher—were released on January 14, 2025.
Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free
Cybersecurity researchers have tracked exploitation campaigns leveraging this vulnerability since mid-November 2024. Attackers reportedly conducted phased operations:
- Vulnerability Scanning: November 16–23, 2024
- Reconnaissance: November 22–27, 2024
- SSL VPN Configuration: December 4–7, 2024
- Lateral Movement: December 16–27, 2024
These campaigns targeted publicly exposed management interfaces of Fortinet firewalls, enabling unauthorized administrative logins and subsequent network infiltration.
Data from the Shadowserver Foundation reveals that over 50,000 devices remain unpatched as of January 21, with significant concentrations in Asia (20,687), North America (12,866), and Europe (7,401). This widespread exposure highlights the slow adoption of critical patches by organizations.
Mitigation and Recommendations
Fortinet has advised users to immediately apply the available patches or implement workarounds if updates cannot be deployed promptly. Recommended actions include:
- Upgrade Firmware: Update to FortiOS version 7.0.17 or later and FortiProxy versions 7.2.13 or later.
- Restrict Access: Disable HTTP/HTTPS administrative interfaces or limit access to trusted IP addresses using local-in policies.
- Monitor Networks: Review indicators of compromise (IoCs), such as unauthorized account creation or changes to firewall configurations.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-55591 to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies to patch affected systems by January 21.
Despite the availability of fixes and clear evidence of active exploitation in the wild, many organizations have yet to address this critical vulnerability. Experts warn that delayed action could lead to further compromises, including potential ransomware attacks.
Organizations relying on Fortinet products are urged to prioritize patching efforts and strengthen their cybersecurity posture immediately to mitigate risks associated with this high-severity flaw.
Integrating Application Security into Your CI/CD Workflows Using Jenkins & Jira -> Free Webinar
The post 50,000 Fortinet Firewalls Remain Vulnerable to Critical Zero-Day Exploit appeared first on Cyber Security News.
What's Your Reaction?
/cdn.vox-cdn.com/uploads/chorus_asset/file/25832181/1448234057.jpg)
