· 6 min read CRITICAL CVE-2024-55591 @Sdmrf

FortiGate Auth Bypass: We're Doing This Again

CVE-2024-55591 joins the long list of Fortinet vulnerabilities being mass-exploited. Notes from triaging this with clients.


Got woken up at 6 AM today by a client whose MSSP flagged “suspicious admin activity” on their FortiGate. Turns out someone in Eastern Europe created a new admin account overnight.

CVE-2024-55591 claims another victim. Here we go again.

The Vulnerability

Authentication bypass in FortiOS. Affects the Node.js websocket module. An attacker can send crafted requests to the management interface and get admin access without credentials.

That’s it. No authentication required. Just network access to the management interface.

Affected versions:

  • FortiOS 7.0.0 through 7.0.16
  • FortiOS 7.2.0 through 7.2.12
  • FortiProxy 7.0.0 through 7.0.19
  • FortiProxy 7.2.0 through 7.2.12

CVSS: 9.8

Patches dropped January 14th. Active exploitation was already happening.

My Thursday Morning

Here’s how it went:

6:03 AM - Phone rings. Client’s MSSP says FortiGate shows new admin account “sysadmin01” created at 3:47 AM from an IP in Moldova.

6:15 AM - Confirm it’s real. Check the other admin accounts - all accounted for. Nobody authorized this.

6:20 AM - Check if management interface is exposed to internet. Yes. On port 443. Has been for “convenience” since they set it up.

6:25 AM - Delete the malicious account. Change all admin passwords. Start checking what else happened.

6:30 AM - Find the FortiGate is vulnerable (7.0.14). Nobody patched when the advisory dropped 10 days ago.

6:45 AM - Start reviewing what the attacker accessed. They poked around the config, looked at VPN settings, checked firewall rules. Then seemingly left.

7:15 AM - Realize they probably grabbed VPN user list and firewall config. These are now compromised.

8:00 AM - Emergency change window to patch the FortiGate.

8:30 AM - Start rotating VPN credentials for all users.

That was my morning. Client’s was worse.

The Fortinet Pattern

This is what, the fourth or fifth major Fortinet vuln in 18 months?

  • October 2022: CVE-2022-40684 (auth bypass, actively exploited)
  • June 2023: CVE-2023-27997 (RCE, actively exploited)
  • February 2024: CVE-2024-21762 (RCE, actively exploited)
  • January 2025: CVE-2024-55591 (auth bypass, actively exploited)

There’s a pattern here. High-severity vulnerabilities in internet-facing devices, dropping regularly, each one mass-exploited within days.

At some point you have to ask whether the product architecture itself is the problem.

Who’s Exploiting This

Based on what’s being reported:

  • Ransomware initial access brokers (getting footholds to sell)
  • Various APTs (nation-state reconnaissance)
  • Opportunistic scanners (hitting everything they can find)

The Moldovan IP from my client maps to infrastructure previously associated with initial access sales. So probably: compromise → harvest credentials → sell access → ransomware later.

Classic broker playbook.

What Attackers Do Post-Exploitation

From this incident and others I’ve heard about:

  1. Create admin accounts - Persistence
  2. Export config - Contains VPN users, firewall rules, internal network info
  3. Check VPN settings - Prepare for later VPN access
  4. Add their own VPN account - Alternative persistence
  5. Modify firewall rules - Open additional access paths
  6. Install backdoor - Some are deploying custom implants

Even if you catch it early, assume they grabbed everything they could see.

Immediate Actions

If you have FortiGate/FortiProxy:

1. Check Your Version

# Via CLI
get system status | grep Version

If you’re in the affected ranges and haven’t patched: stop reading and go patch.

2. Check for Compromise

Look for:

  • New admin accounts you didn’t create
  • Config changes you didn’t make
  • VPN accounts you don’t recognize
  • Firewall rules that shouldn’t exist

# Check admin accounts
show system admin

3. Restrict Management Access

The management interface should NOT be on the internet. Use:

  • Trusted IPs only (management network/VPN)
  • Different port than 443 (not a security control in itself, but it cuts down scanner noise)
  • Management VLAN with ACLs

4. Patch

Upgrade to:

  • FortiOS 7.0.17 or later
  • FortiOS 7.2.13 or later
  • FortiProxy 7.0.20 or later
  • FortiProxy 7.2.13 or later

5. If Compromised

  • Delete unauthorized accounts
  • Rotate ALL admin credentials
  • Rotate ALL VPN user credentials
  • Review firewall rules for unauthorized changes
  • Check for VPN config exports (assume compromised)
  • Consider full config rebuild from known-good
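Steps 1 and 2 above are usually done by eyeballing CLI output over SSH. The script below is an added example (not code from this post or from Fortinet) that does both mechanically: it reads the pasted output of `get system status` and reports whether the build falls in the affected ranges listed above and what the minimum fixed release is, then parses `show system admin` and flags accounts that are not in your baseline or that have no `trusthost` restriction. The sample outputs are constructed; the `Version:` line format for FortiGate is the real one, the FortiProxy product name in that line is assumed, and the baseline set of admin names is something you supply.

```python
"""Triage helpers for the version check and the admin-account review.

Added example, not the author's or Fortinet's code. Input is the plain-text output
of two FortiOS CLI commands copied out of an SSH session. Sample data is constructed.
"""
import re

# Affected ranges (inclusive) and first fixed release, as listed in this post.
AFFECTED = {
    "FortiOS":    [((7, 0, 0), (7, 0, 16), (7, 0, 17)),
                   ((7, 2, 0), (7, 2, 12), (7, 2, 13))],
    "FortiProxy": [((7, 0, 0), (7, 0, 19), (7, 0, 20)),
                   ((7, 2, 0), (7, 2, 12), (7, 2, 13))],
}

def parse_version(text):
    """Extract (product, version tuple) from 'get system status' output.
    FortiGate prints e.g. 'Version: FortiGate-100F v7.0.14,build0601,240320 (GA.M)';
    FortiProxy is assumed to print 'Version: FortiProxy-... v7.0.19,...'."""
    m = re.search(r"^Version:\s*(\S+?)-\S*\s+v(\d+)\.(\d+)\.(\d+)", text, re.M)
    if not m:
        raise ValueError("no Version line found in status output")
    product = "FortiProxy" if m.group(1).lower().startswith("fortiproxy") else "FortiOS"
    return product, (int(m.group(2)), int(m.group(3)), int(m.group(4)))

def is_affected(product, version):
    """Return (affected, fixed_version); fixed_version is None when not affected."""
    for low, high, fixed in AFFECTED.get(product, []):
        if low <= version <= high:
            return True, fixed
    return False, None

def parse_admins(text):
    """Parse 'show system admin' output into {name: {attribute: value}}."""
    admins, current = {}, None
    for line in text.splitlines():
        s = line.strip()
        m = re.match(r'edit "([^"]+)"', s)
        if m:
            current = m.group(1)
            admins[current] = {}
        elif current and s.startswith("set "):
            parts = s[4:].split(None, 1)
            admins[current][parts[0]] = parts[1].strip('"') if len(parts) > 1 else ""
        elif s == "next":
            current = None
    return admins

def review_admins(text, baseline):
    """Flag accounts not in the baseline, and any account with no trusthostN entry
    (an admin without trusthosts may log in from any source address)."""
    findings = []
    for name, attrs in parse_admins(text).items():
        if name not in baseline:
            findings.append(f"unexpected admin '{name}' profile={attrs.get('accprofile', '?')}")
        if not any(k.startswith("trusthost") for k in attrs):
            findings.append(f"admin '{name}' has no trusthost restriction")
    return findings

def triage(status_text, admin_text, baseline):
    """Combine both checks into one report dict."""
    product, version = parse_version(status_text)
    affected, fixed = is_affected(product, version)
    return {"product": product, "version": version, "affected": affected,
            "fixed_in": fixed, "findings": review_admins(admin_text, baseline)}

# Constructed sample output, mirroring the incident in this post (7.0.14, rogue account).
SAMPLE_STATUS = """Version: FortiGate-100F v7.0.14,build0601,240320 (GA.M)
Serial-Number: PLACEHOLDER-SERIAL
"""
SAMPLE_ADMINS = """config system admin
    edit "admin"
        set trusthost1 10.10.0.0 255.255.255.0
        set accprofile "super_admin"
        set vdom "root"
        set password ENC REDACTED
    next
    edit "sysadmin01"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC REDACTED
    next
end
"""
BASELINE = {"admin"}   # the admin names you expect to exist

if __name__ == "__main__":
    report = triage(SAMPLE_STATUS, SAMPLE_ADMINS, BASELINE)
    ver = ".".join(map(str, report["version"]))
    print(f"{report['product']} {ver}: affected={report['affected']} fixed_in={report['fixed_in']}")
    for f in report["findings"]:
        print("FINDING:", f)
```

Run it against real output by pasting the two command outputs into files and swapping the constants for their contents. The `trusthost` check is worth keeping even after the rogue account is gone: it is the same "management reachable from anywhere" condition that step 3 is about, expressed per account.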

The Bigger Issue

Here’s what bugs me about these appliance vulnerabilities:

We put these devices at the network edge specifically to protect us. Then they become the entry point.

Every firewall/VPN appliance is:

  • Internet-facing by design
  • Handling authentication (high-value target)
  • Running complex code with limited visibility
  • Managed separately from endpoint security
  • Often running outdated firmware

It’s the worst combination of exposed + valuable + opaque.

And every major vendor has had critical vulns in the past few years. Fortinet. Palo Alto. Cisco. Ivanti. SonicWall. Nobody’s immune.

Alternatives?

There’s growing interest in moving away from traditional perimeter devices:

  • ZTNA/SASE - No exposed management interfaces, vendor handles patching
  • WireGuard-based VPN - Simpler codebase, smaller attack surface
  • Zero Trust architectures - Reduce reliance on perimeter entirely

These have their own problems, but at least they don’t give you a “patch your firewall urgently” fire drill every few months.

My Client’s Takeaway

After we cleaned up, we had the usual post-incident discussion. Their action items:

  1. Move FortiGate management to internal-only (should’ve been this way from the start)
  2. Implement weekly firmware check process
  3. Add detection for admin account creation
  4. Consider managed firewall service (they don’t have resources to keep up)
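Action item 3 ("detection for admin account creation") is the one that would have turned a 3:47 AM account creation into a 3:48 AM page. The detector below is an added example, not code from this post or from Fortinet: it reads FortiGate event logs in their key=value syslog form and raises an alert when a new object appears under `system.admin`, when an admin action comes from outside the trusted management network, and when an account outside your known-admin baseline does anything. The sample lines are constructed; the field names (`logdesc`, `user`, `ui`, `action`, `cfgpath`, `cfgobj`, `msg`) are the ones FortiOS uses for config-change events, but the `logid` values in the samples are placeholders and the trusted network and baseline are yours to set.

```python
"""Detection over FortiGate event logs: new admin objects, untrusted sources,
unknown admin accounts. Added example, not the author's or Fortinet's code.
Sample log lines are constructed; logid values in them are placeholders.
"""
import ipaddress
import re

KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')          # key="quoted" or key=bare
UI_RE = re.compile(r'^\w+\(\[?([^\])]+)\]?\)')           # ui="https(203.0.113.45)"

def parse_event(line):
    """Turn one key=value log line into a dict (quoted and bare values)."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in KV_RE.finditer(line)}

def source_ip(event):
    """Source address from the ui field, or None for console/unparseable."""
    m = UI_RE.match(event.get("ui", ""))
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group(1))
    except ValueError:
        return None

def detect(lines, trusted_nets, known_admins):
    """Return a list of (timestamp, kind, detail) alerts for the given log lines."""
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    alerts = []
    for line in lines:
        ev = parse_event(line)
        # Only system event logs carry admin logins and config changes.
        if ev.get("type") != "event" or ev.get("subtype") != "system":
            continue
        src = source_ip(ev)
        who = ev.get("user", "?")
        when = f"{ev.get('date')} {ev.get('time')}"
        # Rule 1: an Add on cfgpath system.admin is a new administrator account.
        if ev.get("cfgpath") == "system.admin" and ev.get("action") == "Add":
            alerts.append((when, "ADMIN_CREATED",
                           f"{who} added admin '{ev.get('cfgobj')}' from {src}"))
        # Rule 2: any admin activity from outside the management network.
        if src is not None and not any(src in n for n in trusted):
            alerts.append((when, "UNTRUSTED_SOURCE", f"{who} via {ev.get('ui')}"))
        # Rule 3: activity by an account that is not in the known-admin baseline.
        if who not in known_admins and ev.get("ui"):
            alerts.append((when, "UNKNOWN_ADMIN", f"activity by '{who}' from {src}"))
    return alerts

# Constructed sample: one normal login, then the sequence from this post's incident.
SAMPLE_LOGS = [
    'date=2025-01-15 time=09:12:01 devname="FGT" logid="0100000001" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Admin login successful" user="admin" ui="https(10.10.0.5)" '
    'action="login" status="success" msg="Administrator admin logged in successfully from https(10.10.0.5)"',
    'date=2025-01-16 time=03:46:58 devname="FGT" logid="0100000001" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Admin login successful" user="admin" ui="https(203.0.113.45)" '
    'action="login" status="success" msg="Administrator admin logged in successfully from https(203.0.113.45)"',
    'date=2025-01-16 time=03:47:12 devname="FGT" logid="0100000002" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="https(203.0.113.45)" '
    'action="Add" cfgtid=123456 cfgpath="system.admin" cfgobj="sysadmin01" cfgattr="" msg="Add system.admin sysadmin01"',
    'date=2025-01-16 time=03:52:40 devname="FGT" logid="0100000002" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Object attribute configured" user="sysadmin01" ui="https(203.0.113.45)" '
    'action="Edit" cfgtid=123457 cfgpath="vpn.ssl.settings" cfgobj="" cfgattr="port[443]" msg="Edit vpn.ssl.settings"',
    # Traffic log noise that the detector must ignore.
    'date=2025-01-16 time=03:55:00 devname="FGT" logid="0000000013" type="traffic" subtype="forward" '
    'srcip=10.10.0.7 dstip=192.0.2.10 action="accept"',
]
TRUSTED_MGMT = ["10.10.0.0/24"]   # your management network
KNOWN_ADMINS = {"admin"}          # your admin baseline

if __name__ == "__main__":
    for when, kind, detail in detect(SAMPLE_LOGS, TRUSTED_MGMT, KNOWN_ADMINS):
        print(f"{when} {kind:17} {detail}")
```

Point it at your syslog collector's FortiGate feed (one line per event) and the three rules cover the first three post-exploitation steps listed earlier: the account creation fires rule 1, the foreign source fires rule 2 on every action, and the rogue account's later config edits fire rule 3 even if rule 1 was somehow missed.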

That last point is increasingly common. Small IT teams can’t keep pace with the vulnerability treadmill. Outsourcing the problem to someone who can focus on it makes sense.

For Everyone Else

  • Assume your edge devices will have critical vulns disclosed regularly
  • Plan your patching process accordingly
  • Don’t expose management interfaces to the internet
  • Monitor for signs of compromise, not just vulnerabilities
  • Have an incident response plan for “firewall got owned”

This won’t be the last Fortinet CVE. Or the last edge device CVE. Plan for the pattern, not just individual instances.


Your firewall is supposed to protect you from the internet. When it can’t protect itself from the internet, that’s a problem.
