Fortinet Zero Day Exposes Networks Via Management Interface

A critical zero-day vulnerability (CVE-2024-55591) in Fortinet FortiOS and FortiProxy has been actively exploited to compromise firewalls with exposed management interfaces. The flaw enables attackers to gain super-admin privileges through crafted requests to Node.js websocket module with a CVSS score of 9.6.## Whom it may concern* Network security administrators* SOC teams* Security architects* Fortinet customers running affected versions## Key Findings1. Attackers gained unauthorized admin access to create new accounts and modify configurations2. Affected versions include FortiOS 7.0.0-7.0.16 and FortiProxy 7.0.0-7.0.193. Campaign detected and analyzed by Arctic Wolf in mid-November 20244. Attacks progressed through four distinct phases including reconnaissance and lateral movement## Risk Analysis* Probability: High - Active exploitation observed* Impact: Critical - Full administrative control possible* Affected Systems: Multiple - Diverse organizations targeted* Attack Vector: Network - Exposed management interfaces* No sector-specific targeting indicating opportunistic attacks## Action Items* Immediately upgrade to FortiOS 7.0.17 or higher* Remove management interface exposure from public internet* Implement strict access controls for administrative interfaces* Monitor for unauthorized administrative actions* Review and audit