CVE-2024-55591 Detection: Critical Zero-Day Vulnerability in Fortinet FortiOS and FortiProxy Actively Exploited in the Wild

This week, over 700 new vulnerabilities have been identified, continuing the trend of rising security risks for organizations worldwide. Among the most disturbing is CVE-2024-55591, an authentication bypass vulnerability affecting FortiOS and FortiProxy. This critical zero-day flaw exposes FortiGate firewall devices to potential compromise, allowing remote attackers to gain super-admin privileges on the affected systems. Fortinet has confirmed that the vulnerability is actively being exploited in the wild, requiring the immediate action.

Detect CVE-2024-55591 Exploitation Attempts

Proactive detection of vulnerability exploitation continues to be a top priority in cybersecurity due to the steady rise in the number of identified vulnerabilities. With the critical severity and widespread exploitation of CVE-2024-55591, security professionals require a reliable source of detection content to detect potential attacks on time. 

SOC Prime Platform for collective cyber defense addresses this need by providing the industry’s first CTI-enriched detection rule feed for both emerging and existing threats. Backed by a comprehensive product suite, the platform supports advanced threat detection, AI-powered detection engineering, and automated threat hunting.

Hit the Explore Detection button below and immediately access a curated set of Sigma rules addressing CVE-2024-55591 exploitation attempts. All the rules are mapped to the MITRE ATT&CK framework, enriched with extensive threat intel, and compatible with 30+ SIEM, EDR, and Data Lake solutions.

Explore Detections

To proceed with the investigation, cyber defenders can seamlessly hunt for IOCs provided in the Fortinet advisory. Rely on SOC Prime’s Uncoder AI to create custom IOC-based queries in a matter of seconds and automatically work with them in your chosen SIEM or EDR environment. Previously available only to corporate clients, Uncoder AI is now accessible to individual researchers, offering its full capabilities. Check out the details here.

CVE-2024-55591 Analysis

On January 14, 2025, Fortinet issued a security advisory regarding CVE-2024-55591, a critical authentication bypass vulnerability impacting FortiOS versions 7.0.0 to 7.0.16, FortiProxy versions 7.0.0 to 7.0.19, and FortiProxy versions 7.2.0 to 7.2.12. The flaw allows an unauthenticated, remote attacker to exploit the vulnerability by sending a crafted request to the Node.js websocket module. If successfully exploited, the attacker can gain super-admin privileges on the affected device. 

Fortinet has confirmed the in-the-wild exploitation of CVE-2024-55591, with research by Arctic Wolf uncovering a malicious campaign active since mid-November 2024 and leveraging the vulnerability in limelight to compromise FortiGate firewall devices with Internet-exposed management interfaces. According to the researchers, the campaign included unauthorized administrative access to firewall management interfaces, the creation of new user accounts, the use of those accounts for SSL VPN authentication, and multiple other modifications to device configurations helping threat actors to establish a path to the internal network. 

Fortinet’s advisory suggests users disable the HTTP/HTTPS administrative interface or restrict access to it by using local-in policies to limit which IP addresses can reach the interface. Additionally, users are urged to upgrade to the following safe versions, if possible: FortiOS 7.0.17 or higher (for FortiOS 7.0), FortiProxy 7.0.20 or higher (for FortiProxy 7.0), and FortiProxy 7.2.13 or higher (for FortiProxy 7.2).

SOC Prime Platform for collective cyber defense enables security teams to outscale cyber threats of any scale and sophistication, including CVEs in popular software products that most organizations rely on while helping them to risk-optimize the security posture.