Fri, Jan 17, 2025

Fortinet Discloses Active Exploitation of Critical Zero-Day Vulnerability: CVE-2024-55591

Note: These vulnerabilities remain under active exploitation and Kroll experts are investigating. If further details are uncovered by our team, updates will be made to the Kroll Cyber Risk blog.

A critical authentication bypass vulnerability (CWE-288) affecting FortiOS and FortiProxy (FG-IR-24-535) allows remote attackers to obtain super admin privileges via Node.js WebSocket traffic.

Arctic Wolf observed a campaign dubbed “Console Chaos” that targets FortiGate devices with management interfaces exposed to the internet. Attackers authenticated via jsconsole sessions, created super admin users, adjusted SSL VPN configurations and dumped domain credentials.

Fortinet has released patches to address the issue. Use the following table to determine the course of action for each device based on its software version.

| Version | Affected | Solution |
|---|---|---|
| FortiOS 6.4 | Not affected | Not Applicable |
| FortiOS 7.0 | 7.0.0 through 7.0.16 | Upgrade to 7.0.17 or above |
| FortiOS 7.2 | Not affected | Not Applicable |
| FortiOS 7.4 | Not affected | Not Applicable |
| FortiOS 7.6 | Not affected | Not Applicable |
| FortiProxy 2.0 | Not affected | Not Applicable |
| FortiProxy 7.0 | 7.0.0 through 7.0.19 | Upgrade to 7.0.20 or above |
| FortiProxy 7.2 | 7.2.0 through 7.2.12 | Upgrade to 7.2.13 or above |
| FortiProxy 7.4 | Not affected | Not Applicable |
| FortiProxy 7.6 | Not affected | Not Applicable |

Based on reporting of the ‘Console Chaos’ campaign, the following timeline describes the activity surrounding attacks using CVE-2024-55591. Drawing on its internet monitoring capability, Kroll believes that the campaign has been ongoing since at least November 1, 2024.

Timeline of Observed Exploitation and Patch Release

| Date | Activity |
|---|---|
| 11-01-2024 to 11-23-2024 | Using NetFlow data, Kroll observes connections to FortiGate appliances from actor-controlled infrastructure that match reconnaissance activity. It is possible that this activity started earlier, but without access to the devices this cannot be confirmed. Kroll continues to investigate. |
| 11-16-2024 to 11-23-2024 | Arctic Wolf reports scanning of public FortiGate management interfaces. |
| 11-22-2024 to 11-27-2024 | Arctic Wolf reports first signs of unauthorized system.console edits via jsconsole. |
| 12-04-2024 to 12-07-2024 | Arctic Wolf reports attackers created admin accounts and SSL VPN portals, establishing direct tunnels. |
| 12-16-2024 to 12-27-2024 | Arctic Wolf reports threat actors conducting lateral movement in victim networks, including DCSync for AD credential theft. |
| 01-14-2025 | Fortinet Product Security Incident Response Team (PSIRT) advisory made public (FG-IR-24-535). |

Kroll threat intelligence has been investigating this campaign and will update reporting with additional information in due course. Kroll has been tracking this campaign as KTAC007. Kroll assesses that the campaign is opportunistic and is not confined to any industry or geography. Due to the large attack surface with millions of FortiGate services available on the internet, attackers will likely continue to use CVE-2024-55591 to compromise as many devices as possible before a patch is applied.

Kroll has been actively hunting for this activity and is confident in its ability to detect malicious activity associated with this campaign.

Recommendations

  • Update FortiOS and FortiProxy appliances according to vendor advisory.
  • Restrict access to the management console from the WAN. Mitigations are also available in the advisory.
  • Contact Kroll if you wish to discuss devices believed to be compromised.
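One way to hunt FortiGate event logs for the jsconsole behaviour described in this post (jsconsole logins, admin accounts added, SSL VPN settings changed), as an added example that is not part of Kroll's post or Fortinet's advisory. The sample log lines are constructed, and the key=value field names (ui, logdesc, cfgpath, cfgobj, srcip, action, status) are assumed to follow the FortiOS event-log layout.

```python
import re

# Constructed sample FortiGate-style event logs (key=value / key="value" syslog layout).
# Field names follow the FortiOS event-log format; every value here is made up.
SAMPLE_LOGS = [
    'date=2024-12-05 time=03:14:07 type="event" subtype="system" logdesc="Admin login successful" '
    'user="admin" ui="jsconsole" srcip=198.51.100.23 action="login" status="success" profile="super_admin"',
    'date=2024-12-05 time=03:15:42 type="event" subtype="system" logdesc="Object attribute configured" '
    'user="admin" ui="jsconsole(127.0.0.1)" action="Add" cfgpath="system.admin" cfgobj="svcadm" msg="Add system.admin svcadm"',
    'date=2024-12-05 time=03:21:09 type="event" subtype="system" logdesc="Object attribute configured" '
    'user="svcadm" ui="jsconsole(127.0.0.1)" action="Edit" cfgpath="vpn.ssl.settings" cfgobj="" msg="Edit vpn.ssl.settings"',
    # Routine admin work over HTTPS/SSH from the LAN: not flagged.
    'date=2024-12-05 time=09:02:11 type="event" subtype="system" logdesc="Admin login successful" '
    'user="admin" ui="https(10.0.0.5)" srcip=10.0.0.5 action="login" status="success" profile="super_admin"',
    'date=2024-12-05 time=09:05:30 type="event" subtype="system" logdesc="Object attribute configured" '
    'user="admin" ui="ssh(10.0.0.5)" action="Edit" cfgpath="system.interface" cfgobj="port1" msg="Edit system.interface port1"',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line):
    """Split one FortiGate log line into a dict, dropping the quotes around values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def hunt(lines):
    """Return (finding, user, detail) tuples for jsconsole activity matching the campaign.

    Three behaviours from the write-up are checked, all keyed on ui="jsconsole...":
    a successful admin login, an addition under system.admin (new admin account),
    and any change under vpn.ssl (SSL VPN configuration). Legitimate jsconsole use
    is rare, so each hit is a lead for analyst review rather than an automatic verdict.
    """
    findings = []
    for line in lines:
        f = parse_kv(line)
        if not f.get("ui", "").startswith("jsconsole"):
            continue
        user = f.get("user", "?")
        cfgpath = f.get("cfgpath", "")
        if f.get("logdesc") == "Admin login successful" and f.get("status") == "success":
            findings.append(("jsconsole_login", user, f.get("srcip", "?")))
        elif cfgpath.startswith("system.admin") and f.get("action") == "Add":
            findings.append(("admin_account_added", user, f.get("cfgobj", "?")))
        elif cfgpath.startswith("vpn.ssl"):
            findings.append(("sslvpn_config_changed", user, cfgpath))
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOGS):
        print("%-22s user=%s detail=%s" % finding)
```

Feed it the device's exported event log (or the syslog stream your SIEM collects) and review every hit against known administrator activity.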
