
Fortinet Warns of New Zero-Day Used in Attacks on Firewalls with Exposed Interfaces

On January 14, 2025, Fortinet publicly disclosed a critical zero-day vulnerability, CVE-2024-55591, affecting its FortiOS and FortiProxy products. This vulnerability allows unauthenticated remote attackers to gain super-admin access to affected systems by exploiting a flaw in the WebSocket interface of the web management portal. The issue is particularly dangerous for firewalls with exposed management interfaces accessible over the Internet.
The vulnerability affects FortiOS versions 7.0.0 to 7.0.16 and FortiProxy versions 7.0.0 to 7.0.19 and 7.2.0 to 7.2.12. Security researchers from Arctic Wolf Labs reported that this vulnerability has been actively exploited in the wild since November 2024. Attackers have been scanning the Internet for publicly accessible Fortinet firewalls and then using the vulnerability to gain administrative control, create backdoor user accounts, alter configurations, and establish persistent access through SSL VPN tunnels.
Further investigation revealed that attackers also leveraged tools like DCSync to steal credentials, indicating the potential for lateral movement within compromised networks.
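For triage, the version ranges above can be checked against a device inventory, with exposed management interfaces prioritised. The following is an added example, not Fortinet or Arctic Wolf code; the inventory, its field names and the version-string format are constructed for illustration, and the 7.2.0 to 7.2.12 range is read as applying to FortiProxy.

```python
import re

# Affected ranges as listed in the article (inclusive on both ends).
AFFECTED = {
    "fortios": [((7, 0, 0), (7, 0, 16))],
    "fortiproxy": [((7, 0, 0), (7, 0, 19)), ((7, 2, 0), (7, 2, 12))],
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract (major, minor, patch) as integers so 7.0.9 sorts below 7.0.16."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(p) for p in m.groups())


def is_affected(product, version_text):
    v = parse_version(version_text)
    ranges = AFFECTED.get(product.strip().lower(), [])
    return any(lo <= v <= hi for lo, hi in ranges)


def triage(inventory):
    """Return (name, priority) for devices needing action, most urgent first."""
    findings = []
    for dev in inventory:
        try:
            hit = is_affected(dev["product"], dev["version"])
        except ValueError:
            findings.append((dev["name"], "unknown-version"))
            continue
        if hit:
            prio = "urgent" if dev["mgmt_exposed"] else "patch"
            findings.append((dev["name"], prio))
    order = {"urgent": 0, "unknown-version": 1, "patch": 2}
    return sorted(findings, key=lambda f: (order[f[1]], f[0]))


# Constructed sample inventory; device names and fields are hypothetical.
INVENTORY = [
    {"name": "fw-edge-01", "product": "FortiOS", "version": "v7.0.14,build0601", "mgmt_exposed": True},
    {"name": "fw-core-02", "product": "FortiOS", "version": "7.0.17", "mgmt_exposed": False},
    {"name": "px-dmz-01", "product": "FortiProxy", "version": "7.2.12", "mgmt_exposed": False},
    {"name": "px-lab-02", "product": "FortiProxy", "version": "7.2.13", "mgmt_exposed": True},
    {"name": "fw-branch-03", "product": "FortiOS", "version": "unknown", "mgmt_exposed": True},
]
```

Devices whose version cannot be parsed are reported rather than silently skipped, since an unverified firewall with an exposed interface still needs a manual check.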
