CVE-2024-55591 Exploit Code Released for FortiOS Flaw

Cybersecurity company watchTowr Labs has released the proof-of-concept (PoC) exploit code for a severe zero-day vulnerability, CVE-2024-55591, affecting Fortinet’s FortiOS and FortiProxy products. This vulnerability, with a CVSS score of 9.8, has already been exploited in active attacks to compromise enterprise networks and hijack firewalls.

Key Details of CVE-2024-55591

Vulnerability Description

CVE-2024-55591 exists in the jsconsole functionality of FortiOS and FortiProxy products, affecting versions 7.0.0 through 7.0.16 and 7.2.0 through 7.2.12. The vulnerability allows attackers to create rogue administrative accounts, modify firewall policies, and establish VPN connections to internal networks.

Exploitation Details

The exploit leverages a pre-authenticated WebSocket connection, a local_access_token parameter to bypass session checks, and a race condition in the WebSocket message handling process. Combined, these issues allow an attacker to authenticate to the CLI process through Telnet and gain elevated privileges.

Impact

Successful exploitation can lead to unauthorized access to sensitive data, modification of firewall rules, and potential lateral movement within the network. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to patch their systems by January 21, 2025.

Mitigation Measures

Organizations are strongly advised to:

  • Apply Patches: Update FortiOS and FortiProxy to the latest versions that address this vulnerability.
  • Monitor Networks: Implement robust network monitoring to detect unusual activities and potential exploitation attempts.
  • Restrict Access: Enforce strict access controls and the principle of least privilege to minimize the attack surface.
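As an added example for the "Monitor Networks" step (not code from watchTowr Labs or Fortinet), the script below checks a firmware version against the affected ranges named above and triages FortiOS-style admin event logs for jsconsole logins and admin-account additions. The log lines are constructed samples, and the trusted-source allowlist is an assumption about the defender's environment.

```python
import re

# Constructed sample log lines in FortiOS key=value syntax. The field names
# follow the usual event-log layout, but every value here is made up.
SAMPLE_LOGS = """\
date=2025-01-15 time=09:12:01 type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="https(10.0.0.5)" srcip=10.0.0.5 action="login" status="success"
date=2025-01-15 time=09:14:33 type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="jsconsole" srcip=203.0.113.7 action="login" status="success"
date=2025-01-15 time=09:15:02 type="event" subtype="system" logdesc="Object attribute configured" user="admin" ui="jsconsole" cfgpath="system.admin" cfgobj="svc_backup" cfgattr="accprofile[super_admin]" action="Add"
date=2025-01-15 time=09:20:45 type="event" subtype="system" logdesc="Admin login successful" user="ops" ui="ssh(10.0.0.9)" srcip=10.0.0.9 action="login" status="success"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line: str) -> dict:
    """Split one FortiOS log line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def affected_version(ver: str) -> bool:
    """True if a FortiOS/FortiProxy version falls in 7.0.0-7.0.16 or 7.2.0-7.2.12."""
    major, minor, patch = (int(x) for x in ver.split("."))
    return ((major, minor) == (7, 0) and patch <= 16) or \
           ((major, minor) == (7, 2) and patch <= 12)


def suspicious_events(lines, trusted_admin_srcs=frozenset()):
    """Yield (reason, record) for each event worth analyst triage.

    Flags admin logins whose UI is jsconsole from a source outside the
    assumed allowlist, and any addition of an administrator account.
    """
    for raw in lines:
        rec = parse_line(raw)
        if (rec.get("ui") == "jsconsole" and rec.get("action") == "login"
                and rec.get("srcip") not in trusted_admin_srcs):
            yield ("jsconsole login", rec)
        if rec.get("cfgpath") == "system.admin" and rec.get("action") == "Add":
            yield ("admin account created", rec)


if __name__ == "__main__":
    print("7.0.16 affected:", affected_version("7.0.16"))
    for reason, rec in suspicious_events(SAMPLE_LOGS.splitlines(), {"10.0.0.5"}):
        print(f"{rec['date']} {rec['time']} {reason}: user={rec['user']} "
              f"srcip={rec.get('srcip', '-')} obj={rec.get('cfgobj', '-')}")
```

Legitimate jsconsole logins do occur from the GUI CLI console, so the script flags for review rather than declaring compromise; correlate flagged logins with the admin allowlist and with any account, policy or VPN changes that follow them.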

Proof-of-Concept Code

The PoC code for CVE-2024-55591 has been released on GitHub by watchTowr Labs. You can find the code and detailed instructions on how to use it here.
