The s*** hath hitteth the network fan again: Fresh from news of an Ivanti zero day being exploited (now CVE-2025-0282), perennial fellow our-software-is-made-of-swiss-cheese-and-nobody-cares culprit Fortinet also has a zero day under attack – it’s been allocated CVE-2024-55591.
The CVSS 9.8 authentication bypass vulnerability “may allow a remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module,” said Fortinet. Its advisory comes after Arctic Wolf said it had seen reconnaissance start against exposed firewall instances in November and lateral movement against victims through December.
What's affected?
- FortiOS 7.0 through 7.0.16
- FortiProxy 7.2 through 7.2.12
- FortiProxy 7.0 through 7.0.19.
Patches are now available from Fortinet. Attacks began in December. An earlier FortiOS and FortiProxy vulnerability was among the most-exploited of 2023 according to Five Eyes data from November 2024.
Fortinet said in a January 14 security advisory that attackers have been seen on compromised instances adding admin and local accounts with random names, amending firewall policies and logging in with “added local users to get a tunnel to the internal network…” It has published IOCs; mitigations include “disable HTTP/HTTPS administrative interface.”
Arctic Wolf noted of what it had seen of the attacks exploiting the Fortinet zero day that "What stands out about these activities in contrast with legitimate firewall activities is the fact that they made extensive use of the jsconsole interface from a handful of unusual IP addresses. Given subtle differences in tradecraft and infrastructure between intrusions, it is possible that multiple individuals or groups may have been involved in this campaign, but jsconsole usage was a common thread across the board."
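The two observations above (jsconsole sessions from a handful of unusual source addresses, and random-named admin accounts being created and then used to log in) translate directly into a hunt over FortiOS event logs. The script below is an added example written for this page, not code from Fortinet, Arctic Wolf or the advisory; the sample log lines are constructed approximations of the FortiOS key=value event-log layout, the field names (`ui`, `srcip`, `cfgpath`, `cfgobj`, `action`) and the trusted management prefix are assumptions, and the "random-looking name" heuristic is a deliberately simple one you would tune to your own naming convention.

```python
import re

# Constructed sample lines (assumption: an approximation of the FortiOS
# key=value event-log layout, not copied from a real device).
SAMPLE_LOGS = """\
date=2024-12-02 time=09:14:02 type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="https(10.0.0.5)" srcip=10.0.0.5 action="login" status="success"
date=2024-12-02 time=09:15:30 type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="jsconsole" srcip=203.0.113.44 action="login" status="success"
date=2024-12-02 time=09:16:01 type="event" subtype="system" logdesc="Object configured" user="admin" ui="jsconsole" srcip=203.0.113.44 cfgpath="system.admin" cfgobj="q7k2zx" action="Add"
date=2024-12-02 time=09:16:40 type="event" subtype="system" logdesc="Object configured" user="admin" ui="jsconsole" srcip=203.0.113.44 cfgpath="firewall.policy" cfgobj="7" action="Edit"
date=2024-12-02 time=09:20:11 type="event" subtype="system" logdesc="Admin login successful" user="q7k2zx" ui="https(203.0.113.44)" srcip=203.0.113.44 action="login" status="success"
date=2024-12-02 time=10:01:00 type="event" subtype="system" logdesc="Object configured" user="admin" ui="https(10.0.0.5)" srcip=10.0.0.5 cfgpath="system.admin" cfgobj="j.smith" action="Add"
"""

# Assumption: source prefixes from which administrators are expected to connect.
TRUSTED_MGMT_PREFIXES = ("10.0.0.",)

# key=value pairs; values are either double-quoted or a bare token.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value log line into a dict (quotes stripped)."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in KV_RE.finditer(line)}


def from_trusted(ip):
    return ip.startswith(TRUSTED_MGMT_PREFIXES)


def looks_random(name):
    # Heuristic (assumption): short alphanumeric name mixing letters and digits,
    # unlike a human-assigned login such as "j.smith".
    return (len(name) >= 5 and name.isalnum()
            and any(c.isdigit() for c in name)
            and any(c.isalpha() for c in name))


def analyse(log_text):
    """Return (kind, srcip, subject, time) tuples for the behaviours described
    in the advisory and Arctic Wolf's write-up."""
    findings = []
    new_accounts = set()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev:
            continue
        src, ui, t = ev.get("srcip", ""), ev.get("ui", ""), ev.get("time")
        # 1. jsconsole sessions from outside the management network.
        if ui == "jsconsole" and not from_trusted(src):
            findings.append(("jsconsole_from_untrusted_ip", src, ev.get("user"), t))
        # 2. Admin account creation with a random-looking name.
        if ev.get("cfgpath") == "system.admin" and ev.get("action") == "Add":
            name = ev.get("cfgobj", "")
            new_accounts.add(name)
            if looks_random(name):
                findings.append(("random_named_admin_created", src, name, t))
        # 3. Firewall policy edits made through jsconsole.
        if ev.get("cfgpath", "").startswith("firewall.policy") and ui == "jsconsole":
            findings.append(("policy_change_via_jsconsole", src, ev.get("cfgobj"), t))
        # 4. A login using an account created earlier in the same log window.
        if ev.get("action") == "login" and ev.get("user") in new_accounts:
            findings.append(("login_with_new_account", src, ev.get("user"), t))
    return findings


def summarise(findings):
    """Count findings per kind."""
    counts = {}
    for kind, *_ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


def suspicious_sources(findings):
    """Source IPs that appear in any finding; the 'handful of unusual
    IP addresses' to pivot on."""
    return {src for _, src, *_ in findings}


if __name__ == "__main__":
    results = analyse(SAMPLE_LOGS)
    for f in results:
        print(f)
    print(summarise(results))
    print("pivot on:", sorted(suspicious_sources(results)))
```

Run against a real export, replace `TRUSTED_MGMT_PREFIXES` with your own management ranges and treat any `jsconsole_from_untrusted_ip` hit as the first thing to pull the surrounding session for; the account-creation and policy-change checks then tell you how far the intruder got before you noticed.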
Fortinet zero day: plus ça change
The attacks come after Chinese hackers compromised over 20,000 Fortinet devices in 2022-2023, breaching multiple defense industry customers during the campaign. They exploited a novel bespoke malware dubbed COATHANGER that survives reboots and firmware upgrades.
In 2024, Fortinet also confirmed a zero day in its FortiManager firewall management software, later allocated CVE-2024-47575, was exploited in the wild by remote unauthenticated attackers, because, well, “a missing authentication for critical function vulnerability” has lots of nasty friends.
A zero day in BeyondTrust software that may have been used to help miscreants breach the US Treasury (the line thus far is that it was a leaked API key) is also being exploited in the wild, CISA confirmed, adding it to its “Known Exploited Catalog” today. That’s been allocated CVE-2024-12686.
A pre-auth RCE vulnerability in software from data analytics and integration firm Qlik allocated CVE-2023-48365 has also been exploited in the wild, CISA and Qlik confirmed, with January turning into a real humdinger for infosec teams. That was reported to Qlik by Praetorian.