Over 50,000 Fortinet Devices at Risk

Today, as the world of technology continues to evolve rapidly, the importance of network security has become equally critical. However, even the most reliable security systems can sometimes encounter unexpected vulnerabilities. As of January 22, 2025, approximately 50,000 Fortinet firewall devices remain at significant risk, putting their network security in jeopardy. This concerns a newly identified vulnerability known as CVE-2024-55591.

This vulnerability has been actively exploited since November 2024. By exploiting it, attackers can gain unauthorized access to the system without any authentication and obtain super-admin privileges. This allows them to perform the following actions:

• Execute unauthorized commands.
• Create fake administrator accounts.
• Modify firewall policies.
• Configure VPN tunnels for internal network attacks.

The technical root of this vulnerability lies in the improper functioning of the Node.js WebSocket module within Fortinet’s FortiOS and FortiProxy products. This issue has been classified as highly critical, with a CVSSv3 score of 9.6.

The following software versions are affected by this vulnerability:

• FortiOS: Versions 7.0.0 through 7.0.16.
• FortiProxy: Versions 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12.

Updated versions — FortiOS 7.0.17 and later, and FortiProxy 7.2.13 and later — were released on January 14, 2025. However, many organizations have yet to take action to install these updates.

Cybersecurity experts have observed the following stages of exploitation:

• Vulnerability scanning: November 16–23, 2024.
• Network reconnaissance: November 22–27, 2024.
• SSL VPN configuration: December 4–7, 2024.
• Lateral movement within the network: December 16–27, 2024.

These attacks have primarily been carried out via open management interfaces of Fortinet firewall devices. Attackers gained unauthorized access to administrator accounts and continued malicious activities within the network.

According to Shadowserver Foundation, as of January 21, 2025, over 50,000 devices remain unpatched. The most affected regions include:

• Asia: 20,687 devices.
• North America: 12,866 devices.
• Europe: 7,401 devices.

These numbers highlight the slow response of organizations in addressing security risks.

Recommendations and Precautions

Fortinet strongly advises users to install updates immediately or take alternative protective measures. The following actions are recommended:

1. Update software: Upgrade to FortiOS version 7.0.17 or later and FortiProxy version 7.2.13 or later.
2. Restrict access: Disable HTTP/HTTPS management interfaces or limit access to them only from trusted IP addresses.
3. Monitor networks: Look for indicators of compromise (IoCs), such as unauthorized account creation or changes to firewall configurations.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-55591 to its Known Exploited Vulnerabilities (KEV) catalog and required federal agencies to address the issue by January 21, 2025.

Despite the availability of updates, many organizations have not taken sufficient action to mitigate this vulnerability. Experts warn that delays could lead to further compromises, including ransomware attacks.

Users of Fortinet products are urged to take this high-severity vulnerability seriously. Update your systems, strengthen your network security, and promptly implement measures to reduce the risks associated with this vulnerability. After all, network security is a matter that must always remain a top priority.