New CVE-2024-5591 Zero-Day Exploitation of Fortinet Firewalls 

A red background with a white bug icon symbolizes a critical vulnerability. The text reads: Critical Vulnerability Impacting FortiOS and FortiProxy Systems (CVE-2024-55591) with Upwind logo in the top-right corner.
Eliad Mualem, Upwind

By Eliad Mualem

Jan 14, 2025

On January 14, 2025, Fortinet announced a critical vulnerability impacting its FortiOS and FortiProxy systems, CVE-2024-55591 is an authentication  bypass zero-day vulnerability that has been actively exploited since mid-November 2024, enabling attackers to hijack Fortinet firewalls and compromise enterprise networks. Successful exploitation grants remote attackers super-admin privileges via malicious requests to the Node.js websocket module.

Discovery and Response 

Fortinet and cybersecurity firm Arctic Wolf jointly identified this campaign, which involves unauthorized administrative access, creation of rogue accounts, and configuration changes. Exploited devices have exhibited activity such as new admin and local users added to VPN groups, changes to firewall policies, and SSL VPN tunneling through rogue accounts.

Fortinet has issued mitigation guidance, including disabling the HTTP/HTTPS administrative interface or restricting access to trusted IPs via local-in policies. Arctic Wolf highlighted that the attacks involved a rapid sequence of phases, starting with vulnerability scanning in November 2024 and culminating in lateral movement by late December 2024. 

CVE-2024-55591 Impact 

Exploitation of this zero-day vulnerability involves remote authentication bypass, enabling  attackers to escalate privileges to super-admin. Compromised devices have been used for  account creation, policy manipulation, and VPN tunneling, with significant risk of  lateral movement across networks.

Fortinet and Arctic Wolf identified the following dates for the attack phases:

  • Vulnerability Scanning: November 16–23, 2024  
  • Reconnaissance: November 22–27, 2024  
  • SSL VPN Configuration: December 4–7, 2024  
  • Lateral Movement: December 16–27, 2024  

Affected Versions 

FortiOS  

  • Versions 7.0.0 through 7.0.16  
  • Versions 7.2.0 through 7.2.12  

Recommended fix: 

  • Upgrade to 7.0.17 or above 

FortiProxy  

  • Versions 7.0.0 through 7.0.19  
  • Versions 7.2.0 through 7.2.12 

Recommended fix:

  • Upgrade to 7.2.13 or above

Recommended Actions  

Fortinet advises organizations to:  

  1. Disable HTTP/HTTPS administrative access or restrict access to trusted  IPs using local-in policies.
  2. Monitor logs for unauthorized logins, rogue account creation and unexpected policy changes.  
  3. Ensure firewall management interfaces are not exposed to the Internet.  
  4. Upgrade FortiOS to 7.0.17 or above and FortiProxy to 7.2.13 or above to mitigate CVE-2024-55591.  

Organizations should prioritize securing FortiGate firewalls and related devices to prevent further exploitation of this vulnerability.  For additional information or assistance with mitigation efforts, contact us at [email protected].

New CVE-2024-5591 Zero-Day Exploitation of Fortinet Firewalls 

Further Reading

Abstract pink and red circular design with a small shield icon containing a white virus symbol at the center. The image has a modern, minimalist style, accompanied by the text upwind in the top left corner.
Research

Introducing New Runtime Security Features for Modern Containerized Environments

Eliad Mualem, Upwind

By Eliad Mualem

Jan 14, 2025

At Upwind Security, we continuously enhance our security capabilities to address emerging threats and provide unparalleled runtime protection for containerized environments. In this update, we are excited to introduce new detection and prevention policies designed to secure workloads against sophisticated attacks.  Next-Generation Threat Detections Over the past several weeks we have added additional detection policies […]

A warning icon in a triangular shape is centered against a pink background. Text below reads: Zero-Day Exploitation of Ivanti Connect Secure VPN Devices (CVE-2025-0282 & CVE-2025-0283). The Upwind logo is in the top right corner.
Research

New Zero-Day Exploitation of Ivanti Connect Secure VPN Devices with CVE-2025-0282 and CVE-2025-0283

Jan 09, 2025

On January 8, 2025, Ivanti announced two critical vulnerabilities impacting its Connect Secure (ICS) VPN appliances: CVE-2025-0282 and CVE-2025-0283. Notably, CVE-2025-0282 has been actively exploited in the wild since mid-December 2024. This vulnerability, an unauthenticated stack-based buffer overflow, allows remote code execution without authentication, posing a serious risk of further network compromise. Discovery and Response […]

An illustration with a pink background featuring a white bug icon. Text reads: Apache Tomcat Vulnerability (CVE-2024-56337) Exposes Servers to RCE. The Upwind logo is in the top right corner.
Research

Apache Tomcat Vulnerability CVE-2024-56337 Exposes Servers to RCE

Moshe Hassan Upwind

By Moshe Hassan

Dec 24, 2024

Overview Apache has released a security update to address an important Apache Tomcat vulnerability (CVE-2024-56337) that could result in remote code execution (RCE) under certain conditions. This new CVE is closely tied to the earlier Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation (CVE-2024-50379), for which an incomplete mitigation was issued on December 17, […]

Stay in touch

Product

CNAPP
Vulnerability Management
CSPM
Container Security
CWPP
CDR
API Security
Identity Security

General

About
Contact
Careers
Feed
Events
Case Studies
Get A Demo
Glossary

Social

Twitter
LinkedIn
Facebook

Resources

Documentation

Privacy Policy
Terms of Use

© 2025, Upwind Security