Fortinet has disclosed a critical authentication bypass vulnerability (CVE-2024-55591) affecting FortiOS and FortiProxy products that allow remote attackers to gain super-admin privileges through crafted requests to the Node.js websocket module. The vulnerability is currently being exploited in the wild.
According to Arctic Wolf Labs, which first reported the issue to Fortinet on December 12, 2024, attackers have been targeting organizations since mid-November in a campaign dubbed "Console Chaos."
"The campaign involved unauthorized administrative logins on management interfaces of firewalls, creation of new accounts, SSL VPN authentication through those accounts, and various other configuration changes," Arctic Wolf Labs said.
"While the initial access vector is not definitively confirmed, a zero-day vulnerability is highly probable. Organizations should urgently disable firewall management access on public interfaces as soon as possible."
The attack campaign has progressed through four distinct phases: vulnerability scanning, reconnaissance, SSL VPN configuration, and lateral movement.
The vulnerability impacts FortiOS 7.0.0 through 7.0.16, FortiProxy 7.0.0 through 7.0.19, and FortiProxy 7.2.0 through 7.2.12. Organizations running affected versions are urged to upgrade to FortiOS 7.0.17 or FortiProxy 7.0.20/7.2.13 respectively.
Threat actors exploiting this vulnerability have been observed creating rogue admin accounts with random usernames, modifying SSL VPN configurations, and using compromised systems to establish VPN tunnels for accessing internal networks. The attackers have utilized various IP addresses, including public DNS resolvers and loopback addresses, to mask their activities.
As a workaround, Fortinet recommends either disabling HTTP/HTTPS administrative interfaces or implementing strict IP-based access controls through local-in policies.
Arctic Wolf emphasizes that management interfaces should never be exposed to the public internet.
Today, Fortiguard Labs has disclosed another critical vulnerability (CVE-2023-37936) involving a hard-coded cryptographic key in FortiSwitch that could allow unauthorized code execution by remote attackers.
Organizations can identify potential compromise by monitoring for suspicious jsconsole login activities, particularly those originating from unusual IP addresses. Key indicators include admin logins from public DNS resolver IPs (like 8.8.8.8 or 1.1.1.1) and the creation of new admin accounts with randomly generated usernames through the jsconsole interface.