Skip to main content

Government officials will never ask you to transfer money or disclose bank log-in details over a phone call.

Call the 24/7 ScamShield Helpline at 1799 if you are unsure if something is a scam.

Cyber Security Agency of Singapore
Alerts

Critical Vulnerability in FortiOS and FortiProxy

16 January 2025

Fortinet has released security updates addressing a critical authentication bypass vulnerability (CVE-2024-55591) affecting their FortiOS and FortiProxy products. There are reports that the vulnerability is being exploited in the wild.

Successful exploitation of this vulnerability could allow an attacker to gain super-admin privileges by sending crafted requests to a Node.js WebSocket module.

Indicators of Compromise (IOCs)

Fortinet has provided the following log entries and IP addresses as potential IOCs. Administrators are recommended to monitor system logs for IOCs, such as unauthorised administrative accounts, unrecognised configuration changes, or suspicious SSL VPN connections. 

Log Entries:

  • type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" sn="1733486785" user="admin" ui="jsconsole" method="jsconsole" srcip=1.1.1.1 dstip=1.1.1.1 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from jsconsole"

  • type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="jsconsole(127.0.0.1)" action="Add" cfgtid=1411317760 cfgpath="system.admin" cfgobj="vOcep" cfgattr="password[*]accprofile[super_admin]vdom[root]" msg="Add system.admin vOcep"

Note: Fortinet has advised that sn and cfgtid are not relevant to the attack.

IP Addresses:

  • 45.55.158.47 (most common)

  • 87.249.138.47

  • 155.133.4.175

  • 37.19.196.65

  • 149.22.94.37

The vulnerability affects the following products:

  • FortiOS versions 7.0.0 through 7.0.16

  • FortiProxy versions 7.0.0 through 7.0.19  

  • FortiProxy versions 7.2.0 through 7.2.12

Users and administrators of affected product versions are advised to update to the latest versions immediately.

Additionally, users are recommended to implement the following mitigations if immediate upgrading is not feasible:

  1. Disable HTTP/HTTPS Administrative Interface to reduce exposure.

  2. Restrict access via local-in policies by limiting administrative access to trusted IPs.

More information is available here:

https://www.fortiguard.com/psirt/FG-IR-24-535

https://www.tenable.com/blog/cve-2024-55591-fortinet-authentication-bypass-zero-day-vulnerability-exploited-in-the-wild

https://nvd.nist.gov/vuln/detail/CVE-2024-55591


Back to top