Fortinet on Tuesday published over a dozen new advisories describing critical- and high-severity vulnerabilities found recently in the company’s products, including a zero-day flaw that has been exploited in the wild since at least November 2024.
The zero-day is tracked as CVE-2024-55591 and it has been described by Fortinet as a critical vulnerability affecting FortiOS and FortiProxy that can be exploited by a remote attacker to gain super-admin privileges using specially crafted requests to the Node.js websocket module.
According to Fortinet, CVE-2024-55591 affects FortiOS 7.0.0 through 7.0.16, FortiProxy 7.2.0 through 7.2.12, and FortiProxy 7.0.0 through 7.0.19. Patches are included in FortiOS 7.0.17, FortiProxy 7.2.13 and FortiProxy 7.0.20.
Fortinet has confirmed in-the-wild exploitation and its advisory includes indicators of compromise (IoCs) to help defenders detect attacks.
News of a potential zero-day broke last week when cybersecurity firm Arctic Wolf warned that it had observed a campaign targeting Fortinet FortiGate firewalls that had their management interface exposed on the internet.
“The campaign involved unauthorized administrative logins on management interfaces of firewalls, creation of new accounts, SSL VPN authentication through those accounts, and various other configuration changes,” Arctic Wolf said, adding, “While the initial access vector is not definitively confirmed, a zero-day vulnerability is highly probable.”
While Fortinet’s advisory does not mention Arctic Wolf, IoCs shared by both companies indicate that CVE-2024-55591 is the zero-day seen by Arctic Wolf in attacks. Arctic Wolf notified Fortinet about the attacks in mid-December, when the latter said it had been aware and investigating the activity.
Arctic Wolf tracked the campaign in November and December 2024, first seeing vulnerability scanning, followed by reconnaissance, establishing SSL VPN access, and lateral movement on compromised systems.
Arctic Wolf reported seeing opportunistic exploitation against a handful of organizations, but the attackers’ objectives remain unknown.
Another critical vulnerability addressed by Fortinet on Tuesday is CVE-2023-37936, a hardcoded cryptographic key issue in FortiSwitch that could allow a remote, unauthenticated attacker to execute code using malicious cryptographic requests.
Thirteen advisories published on January 14 address high-severity vulnerabilities affecting products such as FortiManager, FortiAnalyzer, FortiClient, FortiOS, FortiRecorder, FortiProxy, FortiSASE, FortiVoice, FortiWeb, and FortiSwitch.
The security holes can be exploited for account persistence after deletion, arbitrary file writing, authenticated code and command execution, brute force attacks, extracting configuration data without authentication, and causing a DoS condition.
Fortinet has not flagged any of these vulnerabilities as being exploited, but pointed out that one of them was disclosed by WatchTowr.
It’s not uncommon for threat actors to target Fortinet product vulnerabilities in their attacks so it’s important that organizations do not neglect the patching or mitigation of the latest round of security holes.
Related: Organizations Warned of Exploited Fortinet FortiOS Vulnerability
Related: Possibly Exploited Fortinet Flaw Impacts Many Systems, but No Signs of Mass Attacks
Related: Chinese Hackers Exploited Fortinet VPN Vulnerability as Zero-Day
