Dev.to

Fortinet Under Fire: New Auth Bypass Bug Actively Exploited (CVE-2024-55591)

> About Author Hi, I'm Sharon, a product manager at Chaitin Tech. We build SafeLine, an open-source Web Application Firewall built for real-world threats. While SafeLine focuses on HTTP-layer protection, our emergency response center monitors and responds to RCE and authentication vulnerabilities across the stack to help developers stay safe. On January 14, 2025, Fortinet confirmed a critical authentication bypass vulnerability affecting its widely-used security products: FortiOS and FortiProxy. Tracked as CVE-2024-55591, the flaw allows unauthenticated remote attackers to gain administrative control over FortiGate firewalls and proxy devices — without needing valid credentials. The vulnerability has already been exploited in the wild, making it essential to patch immediately if you're using an affected version. What’s Affected? According to Fortinet’s advisory, the following versions are vulnerable: Affected Versions FortiGate (FortiOS): 7.0.0 – 7.0.16 FortiProxy: 7.2.0 – 7.2.12 7.0.0 – 7.0.19 Patched Versions FortiOS: 7.0.17 and above FortiProxy: 7.2.13 / 7.0.20 and above Upgrade to these versions ASAP to eliminate the risk. Vulnerability Overview This flaw stems from improper validation in the authentication logic of FortiOS and FortiProxy. By crafting specific requests to the management interface (HTTPS or CLI Web Console), attackers can completely bypass authentication, gaining super admin privileges remotely. Once inside, attackers can: Create or reset admin accounts Modify firewall policies Configure SSL VPN for lateral movement Steal sensitive configurations Disable protections or plant backdoors This is a pre-auth remote vulnerability, meaning no login or prior access is required — default setups are vulnerable. Recommended Actions 1. Block Public Access to Management Interfaces Immediately restrict HTTPS, SSH, and CLI access to trusted internal networks only. Use firewalls or ACLs to allow specific IPs. 2. Monitor Logs for Suspicious Logins Look for unusual login activity from IPs like 127.0.0.1 or 8.8.8.8, especially using the jsconsole UI or strange admin usernames. 3. Check for Backdoors or Tampering Export current device configurations and verify them for unauthorized changes or files. If compromise is suspected, involve Fortinet support or a trusted security team. 4. Reset All Admin and VPN Credentials If compromise is likely, rotate all administrator and VPN passwords, revoke old certificates, and refresh API keys. Patch and Recovery Apply Official Fixes Fortinet has released patches for all affected versions. Update immediately via FortiManager, or refer to:

Jun 24, 2025 - 08:20
 0
Fortinet Under Fire: New Auth Bypass Bug Actively Exploited (CVE-2024-55591)

> About Author
Hi, I'm Sharon, a product manager at Chaitin Tech. We build SafeLine, an open-source Web Application Firewall built for real-world threats. While SafeLine focuses on HTTP-layer protection, our emergency response center monitors and responds to RCE and authentication vulnerabilities across the stack to help developers stay safe.

On January 14, 2025, Fortinet confirmed a critical authentication bypass vulnerability affecting its widely-used security products: FortiOS and FortiProxy. Tracked as CVE-2024-55591, the flaw allows unauthenticated remote attackers to gain administrative control over FortiGate firewalls and proxy devices — without needing valid credentials.

The vulnerability has already been exploited in the wild, making it essential to patch immediately if you're using an affected version.

What’s Affected?

According to Fortinet’s advisory, the following versions are vulnerable:

Affected Versions

  • FortiGate (FortiOS): 7.0.0 – 7.0.16
  • FortiProxy:
    • 7.2.0 – 7.2.12
    • 7.0.0 – 7.0.19

Patched Versions

  • FortiOS: 7.0.17 and above
  • FortiProxy: 7.2.13 / 7.0.20 and above

Upgrade to these versions ASAP to eliminate the risk.

Vulnerability Overview

This flaw stems from improper validation in the authentication logic of FortiOS and FortiProxy. By crafting specific requests to the management interface (HTTPS or CLI Web Console), attackers can completely bypass authentication, gaining super admin privileges remotely.

Once inside, attackers can:

  • Create or reset admin accounts
  • Modify firewall policies
  • Configure SSL VPN for lateral movement
  • Steal sensitive configurations
  • Disable protections or plant backdoors

This is a pre-auth remote vulnerability, meaning no login or prior access is required — default setups are vulnerable.

Recommended Actions

1. Block Public Access to Management Interfaces

Immediately restrict HTTPS, SSH, and CLI access to trusted internal networks only. Use firewalls or ACLs to allow specific IPs.

2. Monitor Logs for Suspicious Logins

Look for unusual login activity from IPs like 127.0.0.1 or 8.8.8.8, especially using the jsconsole UI or strange admin usernames.

3. Check for Backdoors or Tampering

Export current device configurations and verify them for unauthorized changes or files. If compromise is suspected, involve Fortinet support or a trusted security team.

4. Reset All Admin and VPN Credentials

If compromise is likely, rotate all administrator and VPN passwords, revoke old certificates, and refresh API keys.

Patch and Recovery

Apply Official Fixes

Fortinet has released patches for all affected versions. Update immediately via FortiManager, or refer to:

Read More

Tags:

Previous Article

NodeJS Fundamentals: fork

Next Article

Go Coding with Asparagos: Can oranges sow the seeds of discord in linear time?

Related Posts

Should we start a podcast interviewing our ex-music-school-classmates?

Should we start a podcast interviewing our ex-music-sch...

May 12, 2025  0

Setting up ESLint in my Next.js + TypeScript project to keep code clean, consistent, and bug-free—a must for writing like a pro!

Setting up ESLint in my Next.js + TypeScript project to...

May 13, 2025  0

My Experience at Commit Conf 2025

My Experience at Commit Conf 2025

Jun 4, 2025  0