Overview

Fortinet, a global leader in cybersecurity solutions, recently released a critical advisory addressing a significant vulnerability (CVE-2024-55591) in its FortiOS and FortiProxy products. This flaw, which has a CVSSv3 score of 9.6, is categorized as a critical authentication bypass vulnerability and is currently being exploited in the wild.

Attackers leveraging this vulnerability can potentially gain super-admin privileges by exploiting weaknesses in the Node.js WebSocket module, making this a high-stakes issue for organizations relying on Fortinet’s products.

This blog provides a detailed overview of the vulnerability, affected versions, Indicators of Compromise (IOCs), mitigation strategies, and steps for administrators to protect their systems effectively.

The Vulnerability Explained

The CVE-2024-55591 vulnerability stems from an “Authentication Bypass Using an Alternate Path or Channel” issue (CWE-288). An attacker can craft malicious requests to the Node.js WebSocket module, bypass authentication, and gain unauthorized super-admin access. Once exploited, the attacker can perform a wide range of malicious activities, including:

• Creating administrative or local user accounts.
• Modifying firewall policies, addresses, or system settings.
• Establishing Secure Sockets Layer Virtual Private Network (SSL VPN) tunnels to access internal networks.

Affected Products and Versions

The vulnerability impacts the following versions of FortiOS and FortiProxy products:

FortiOS

• Versions 7.0.0 through 7.0.16 are affected.
• Versions 7.6, 7.4, and 6.4 are not affected.

FortiProxy

• Versions 7.0.0 through 7.0.19.
• Versions 7.2.0 through 7.2.12.
• Versions 7.6 and 7.4 are not affected.

Solution:

• Upgrade FortiOS to version 7.0.17 or later.
• Upgrade FortiProxy to versions 7.0.20 or 7.2.13 or later.

How Attackers Exploit the Vulnerability

Attackers exploit this vulnerability by sending malicious WebSocket requests to bypass authentication controls. They can target administrative accounts by guessing or brute-forcing usernames. Once access is gained, they perform the following malicious actions:

• Create random user accounts such as “Gujhmk” or “M4ix9f”.
• Add these accounts to administrative or VPN groups.
• Use SSL VPN connections to infiltrate the internal network.

Indicators of Compromise (IOCs)

Fortinet has shared some key IOCs that organizations should monitor to identify potential attacks.

Log Entries

Look for the following types of suspicious log entries in your system:

1. Successful Admin Logins:

type=”event” subtype=”system” level=”information” logdesc=”Admin login successful”

user=”admin” ui=”jsconsole” srcip=1.1.1.1 dstip=1.1.1.1 action=”login” status=”success” 

msg=”Administrator admin logged in successfully from jsconsole”

• Unauthorized Configuration Changes:

type=”event” subtype=”system” level=”information” logdesc=”Object attribute configured”

user=”admin” ui=”jsconsole(127.0.0.1)” action=”Add”

msg=”Add system.admin vOcep”

Suspicious IP Addresses

Attackers have been observed using the following IP addresses to launch attacks:

• 45.55.158.47 (most commonly used)
• 87.249.138.47
• 155.133.4.175
• 37.19.196.65
• 149.22.94.37

It’s important to note that these IP addresses are not fixed sources of attack traffic; they are often spoofed and may not represent the actual origin.

Recommended Actions

1. Update Immediately

If your organization is using affected versions of FortiOS or FortiProxy, the most effective solution is to upgrade to the latest secure versions. Fortinet has provided tools to assist with upgrading, which can be found on their official site.

2. Mitigations for Immediate Protection

If an upgrade cannot be performed immediately, consider implementing the following mitigations:

• Disable HTTP/HTTPS Administrative Interfaces: This reduces the exposure of management interfaces to the internet.
• Restrict Access with Local-In Policies:
  Limit access to the administrative interface by allowing only trusted Ips
• Use Non-Standard Admin Usernames: To make brute-force attacks more difficult, avoid predictable or default usernames for administrative accounts.

Exploitation in the Wild

Reports indicate active exploitation of this vulnerability. Threat actors have been observed creating random administrative or local user accounts, such as:

• Gujhmk
• Ed8x4k
• Alg7c4

These accounts are often added to SSL VPN user groups to establish tunnels into internal networks, making it critical to monitor for unauthorized account creation.

Best Practices for Enhanced Security

1. Enable Logging and Monitoring:
   Continuously monitor system logs for any unauthorized administrative activity, suspicious configuration changes, or unexpected VPN connections.
2. Conduct Regular Vulnerability Scans:
   Perform routine scans to identify and patch other vulnerabilities within your network infrastructure.
3. Adopt a Zero Trust Approach:
   Limit user privileges to the minimum required and enforce strict access controls, especially for administrative tasks.
4. Educate Your Team:
   Ensure that your IT and security teams are aware of this vulnerability and trained to respond to potential threats.
5. Implement Multi-Factor Authentication (MFA):
   Although this vulnerability bypasses traditional authentication, MFA adds an additional layer of security that can mitigate other attack vectors.

Conclusion

The CVE-2024-55591 vulnerability emphasizes the critical need for organizations to stay ahead of emerging threats. With attackers actively exploiting this flaw to gain super-admin access, the risks to your infrastructure and data cannot be overstated. Organizations using FortiOS and FortiProxy must act immediately. Patching systems and implementing mitigations isn’t optional; it’s imperative.

It’s not just about reacting to vulnerabilities—it’s about adopting a proactive and layered approach to cybersecurity. Leveraging tools like multi-factor authentication, real-time log monitoring, and Zero-Trust architectures can significantly reduce the risk of exploitation.

The broader lesson here is clear: vulnerabilities are inevitable, but breaches don’t have to be. By staying informed, investing in advanced threat detection systems, and fostering a security-first mindset within your organization, you can not only address immediate threats but also build resilience against future ones.

As cyber threats grow more advanced, are you prepared to meet them head-on? Strengthening your defenses today will determine your security tomorrow.

Let this be a reminder to continuously innovate and adapt in the face of an ever-changing threat landscape.

Your next step could define the safety of your organization.

Source:

• https://www.csa.gov.sg/alerts-advisories/alerts/2025/al-2025-004
• https://www.fortiguard.com/psirt/FG-IR-24-535
• https://nvd.nist.gov/vuln/detail/CVE-2024-55591

The post Fortinet Zero-Day CVE-2024-55591 Exposed: Super-Admin Access Risk appeared first on Cyble.

Blog – Cyble – ​Read More

Cyble honeypots have detected vulnerability exploits on Check Point and Ivanti products, databases, CMS systems, and many other IT products.

Overview

Cyble honeypot sensors have detected new attacks on vulnerabilities in Check Point and Ivanti products, among dozens of other vulnerability exploits recently picked up by Cyble sensors.

Cyble’s sensor intelligence reports to clients in the first two weeks of 2025 also highlighted new database and CMS attacks. Unpatched Linux systems and network and IoT devices remain popular targets for hackers looking to breach networks and add to botnets.

The reports also examined new brute-force attacks and phishing campaigns. Here are some of the highlights.

Vulnerabilities Under Attack

Here are some of the vulnerability exploits detected by Cyble sensors.

CVE-2024-24919 is an 8.6-severity vulnerability affecting Check Point CloudGuard Network, Quantum Maestro, Quantum Scalable Chassis, Quantum Security Gateways, and Quantum Spark Appliances, identified by Check Point being actively exploited. If successfully exploited, the vulnerability could allow an attacker to access sensitive information on Internet-connected Gateways that have a remote access VPN or mobile access enabled, and potentially move laterally and gain domain admin privileges.

Ivanti had a challenging 2024, with 11 vulnerabilities added to CISA’s Known Exploited Vulnerabilities catalog, trailing only Microsoft, and new vulnerabilities have already been added this year. One particular Ivanti vulnerability that Cyble is detecting attacks on is CVE-2024-7593, a 9.8-severity Ivanti Virtual Traffic Manager (vTM) vulnerability that enables a remote, unauthenticated attacker to bypass admin panel authentication due to a flawed implementation of the authentication algorithm.

Attackers are exploiting CVE-2024-8503, a time-based SQL injection vulnerability in VICIDIAL that could allow an unauthenticated attacker to enumerate database records. By default, VICIDIAL stores plaintext credentials within the database. VICIDIAL is a software suite that works with the Asterisk Open-Source PBX Phone system to create an inbound/outbound contact center.

CVE-2024-7120 is a critical OS command injection vulnerability in the web interface of Raisecom MSG gateways, specifically MSG1200, MSG2100E, MSG2200, and MSG2300 devices running version 3.90. The flaw in the list_base_config.php file allows remote attackers to exploit the template parameter to execute arbitrary commands. Public exploits are available for this vulnerability.

CVE-2024-56145 is a critical vulnerability in Craft CMS systems. If the register_argc_argv setting in php.ini is enabled, this issue affects users of impacted versions, allowing an unspecified remote code execution vector. Users are advised to update to versions 3.9.14, 4.13.2, or 5.5.2. Those unable to upgrade should mitigate the risk by disabling register_argc_argv in their PHP configuration.

Cyble sensors have also identified attackers scanning for the URL “/+CSCOE+/logon.html”, which is used to access the login page for the Cisco Adaptive Security Appliance (ASA) WebVPN service. The URL has been found to have various vulnerabilities, including cross-site scripting, path traversal, and HTTP response splitting, which could allow attackers to execute arbitrary code, steal sensitive information, or cause a denial of service.

Brute-Force Attacks

The Cyble sensor reports also include considerable detail on brute-force attacks. These attacks frequently target remote desktops and access systems, with ports 5900 (VNC), 3389 (RDP), and 22 (SSH) being the most frequently attacked ports.

Other frequently attacked ports include 3386 (GPRS tunneling), 445 (SMB), and 23 (Telnet).

Cyble advises adding security system blocks for frequently attacked ports.

Recommendations and Mitigations

Cyble researchers recommend the following security controls:

• Blocking target hashes, URLs, and email info on security systems (Cyble clients receive a separate IoC list).
• Immediately patch all open vulnerabilities listed here and routinely monitor the top Suricata alerts in internal networks.
• Constantly check for Attackers’ ASNs and IPs.
• Block Brute Force attack IPs and the targeted ports listed.
• Immediately reset default usernames and passwords to mitigate brute-force attacks and enforce periodic changes.
• For servers, set up strong passwords that are difficult to guess.

Conclusion

With many active threats against both new and older vulnerabilities, organizations need to remain vigilant and responsive, patching quickly and applying mitigations where patching isn’t possible.

To protect their digital assets, organizations should address known vulnerabilities and implement recommended security controls, such as blocking malicious IPs and securing network ports. A proactive and layered security approach is critical for defending against exploits and data breaches.

To access the full sensor intelligence reports from Cyble, along with IoCs and additional insights and details, click here.

The post Cyble Sensors Detect Attacks on Check Point, Ivanti and More appeared first on Cyble.

Blog – Cyble – ​Read More