BIPI

Fortinet Zero-Day Auth Bypass: Admin Takeover Without Credentials

Cybersecurity

CVE-2024-55591 let attackers create super-admin accounts on FortiOS without credentials. Volt Typhoon TTPs appeared in post-exploitation activity targeting critical infrastructure.

By Arjun Raghavan, Security & Systems Lead, BIPI · November 2, 2024 · 9 min read

#zero-day #cve-2024-55591 #fortinet #fortios #authentication-bypass

CVE-2024-55591 is an authentication bypass vulnerability in Fortinet FortiOS and FortiProxy that allows a remote, unauthenticated attacker to gain super-administrator privileges by sending specially crafted requests to the Node.js websocket module. The vulnerability carries a CVSS 3.1 base score of 9.8. Fortinet disclosed the issue in January 2024 under significant pressure after researchers identified mass exploitation already under way.

Technical Root Cause

The flaw lives in the websocket management interface (port 8443 by default). The Node.js module handling websocket upgrade requests does not correctly validate the authentication state before processing certain administrative API calls. An attacker sends a crafted websocket request that tricks the module into treating the connection as already authenticated at the highest privilege level, then issues API calls to create a new local admin account or modify existing ones.

Affected Products and Versions

  • FortiOS 7.0.0 through 7.0.16 (patched in 7.0.17)
  • FortiOS 7.2.0 through 7.2.9 (patched in 7.2.10)
  • FortiProxy 7.0.0 through 7.0.19 (patched in 7.0.20)
  • FortiProxy 7.2.0 through 7.2.12 (patched in 7.2.13)
  • FortiOS 6.x and FortiProxy 1.x/2.x are NOT affected
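The version table above is easy to misread in a fleet inventory, so here is a small triage script that encodes it. This is an added example written for this article, not Fortinet tooling: it parses an x.y.z version out of a status banner (the banner strings are constructed samples modelled on a `get system status` "Version:" line, which is an assumption) and reports each device as vulnerable, patched, explicitly not affected, or not covered by the table at all. That last bucket matters: a branch the advisory text above does not list (7.4.x, for instance) is reported as "not_in_table" rather than safe.

```python
"""Triage FortiOS / FortiProxy versions against the CVE-2024-55591 ranges listed above.

Added example, not Fortinet's code. Banner format is a constructed sample
modelled on a `get system status` "Version:" line (assumption).
"""
import re

# Affected ranges exactly as the table above lists them:
# (product, first affected, last affected, fixed-in release).
AFFECTED = [
    ("FortiOS",    (7, 0, 0), (7, 0, 16), "7.0.17"),
    ("FortiOS",    (7, 2, 0), (7, 2, 9),  "7.2.10"),
    ("FortiProxy", (7, 0, 0), (7, 0, 19), "7.0.20"),
    ("FortiProxy", (7, 2, 0), (7, 2, 12), "7.2.13"),
]

# Branches the advisory explicitly calls NOT affected.
NOT_AFFECTED_MAJORS = {"FortiOS": {6}, "FortiProxy": {1, 2}}


def parse_version(text):
    """Pull the first x.y.z version out of free text and return it as an int tuple."""
    m = re.search(r"\bv?(\d+)\.(\d+)\.(\d+)\b", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def classify(product, version):
    """Return (status, fixed_in).

    status is one of:
      vulnerable    - inside a listed affected range; fixed_in names the patch release
      patched       - same x.y branch, at or above the fix release
      not_affected  - a branch the advisory explicitly excludes
      not_in_table  - a branch the table does not cover; do NOT treat as safe
    """
    for prod, lo, hi, fixed in AFFECTED:
        if prod != product or version[:2] != lo[:2]:
            continue  # different product or different x.y branch
        if lo <= version <= hi:
            return "vulnerable", fixed
        return "patched", fixed
    if version[0] in NOT_AFFECTED_MAJORS.get(product, set()):
        return "not_affected", None
    return "not_in_table", None


def triage(inventory):
    """inventory: iterable of (hostname, product, banner).

    Returns the hosts needing action (vulnerable or not covered by the table),
    each as (hostname, product, status, fixed_in).
    """
    needs_action = []
    for host, product, banner in inventory:
        status, fixed = classify(product, parse_version(banner))
        if status in ("vulnerable", "not_in_table"):
            needs_action.append((host, product, status, fixed))
    return needs_action


# Constructed sample inventory: hostnames and banners are made up for this example.
SAMPLE_INVENTORY = [
    ("fw-edge-1", "FortiOS",    "Version: FortiGate-100F v7.0.12 (GA)"),
    ("fw-edge-2", "FortiOS",    "Version: FortiGate-100F v7.2.10 (GA)"),
    ("fw-branch", "FortiOS",    "Version: FortiGate-60E v6.4.14 (GA)"),
    ("proxy-dmz", "FortiProxy", "Version: FortiProxy-2000E v7.2.12 (GA)"),
    ("fw-lab",    "FortiOS",    "Version: FortiGate-40F v7.4.1 (GA)"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(row)
```

Run it against an export of your own inventory; anything reported as "not_in_table" should be checked against the vendor advisory directly rather than assumed clean.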

Observed Volt Typhoon TTPs

Multiple incident response firms reported post-exploitation activity consistent with the Volt Typhoon threat cluster, a China-nexus actor focused on pre-positioning in critical infrastructure. The observed pattern included living-off-the-land behavior: use of built-in FortiOS diagnostic commands to map internal networks, extraction of VPN user credential hashes, and forwarding of firewall policy configurations to actor-controlled infrastructure.

  • Creation of rogue admin accounts with randomized usernames
  • SSL VPN user addition to maintain persistent access
  • Modification of firewall policies to allow attacker egress routes
  • JSCONSOLE and HTTPS used interchangeably to blend into normal traffic
  • No custom malware dropped; fully living-off-the-land post-exploitation

Volt Typhoon avoided dropping binaries entirely. Every post-exploitation action used FortiOS built-in commands, making detection reliant on behavioral anomalies in admin audit logs rather than file-based signatures.

Detection Guidance

The primary detection surface is the FortiOS administrative audit log. Look for account creation events from non-RFC-1918 source IPs, especially via the websocket interface. Fortinet provided IOC patterns including suspicious username conventions such as Adm_xxxx or random alphanumeric strings created via API rather than the GUI.
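The three signals in that paragraph (admin account added, from a non-RFC-1918 source, via API or console rather than the GUI, with an Adm_xxxx or random-looking name) combine naturally into one audit-log rule. The following is an added detection example written for this article, not Fortinet's own IOC tooling. The log lines are constructed samples in the key=value event-log style; the field names it relies on (`ui`, `srcip`, `action`, `cfgpath`, `cfgobj`) and the convention that GUI sessions appear as `ui="https(a.b.c.d)"` are assumptions you should map onto your actual log source, as is the `KNOWN_ADMINS` allowlist.

```python
"""Scan FortiOS-style admin audit events for rogue admin-account creation.

Added detection example, not Fortinet's code. Sample lines are constructed;
the field names (ui, srcip, action, cfgpath, cfgobj) are assumptions.
"""
import ipaddress
import re
import shlex

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Administrators you expect to exist; anything else is unexpected (assumed list).
KNOWN_ADMINS = {"admin", "netops"}


def parse_event(line):
    """Turn one key=value line into a dict; shlex keeps quoted values intact."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def source_ip(event):
    """Source address string: from ui="https(a.b.c.d)" if present, else the srcip field."""
    m = re.search(r"\((\d{1,3}(?:\.\d{1,3}){3})\)", event.get("ui", ""))
    return m.group(1) if m else event.get("srcip")


def is_rfc1918(raw):
    """True if the address falls in 10/8, 172.16/12 or 192.168/16."""
    ip = ipaddress.ip_address(raw)
    return any(ip in net for net in RFC1918)


def channel(event):
    """Classify the admin channel; GUI sessions are ui="https(...)" (assumption)."""
    ui = event.get("ui", "").lower()
    if ui.startswith("jsconsole"):
        return "jsconsole"
    if "api" in ui:
        return "api"
    return "gui" if ui.startswith("http") else "other"


def looks_random(name):
    """Heuristic for generated names: 6-16 alphanumerics mixing letters and digits."""
    return (6 <= len(name) <= 16 and name.isalnum()
            and any(c.isdigit() for c in name) and any(c.isalpha() for c in name))


def assess(event):
    """Reasons this event looks like rogue admin creation; an empty list means benign."""
    if event.get("cfgpath") != "system.admin" or event.get("action") != "Add":
        return []
    reasons = []
    name = event.get("cfgobj", "")
    ip = source_ip(event)
    if ip and not is_rfc1918(ip):
        reasons.append(f"created from non-RFC-1918 source {ip}")
    ch = channel(event)
    if ch != "gui":
        reasons.append(f"created via {ch} rather than the GUI")
    if name not in KNOWN_ADMINS and (name.startswith("Adm_") or looks_random(name)):
        reasons.append(f"suspicious username {name!r}")
    return reasons


def scan(lines):
    """Return [(username, reasons)] for every admin-creation event that raised a reason."""
    findings = []
    for line in lines:
        event = parse_event(line)
        reasons = assess(event)
        if reasons:
            findings.append((event.get("cfgobj"), reasons))
    return findings


# Constructed sample events: documentation-range addresses, made-up names.
SAMPLE_LOG = [
    'date=2024-10-29 time=03:14:07 type="event" subtype="system" user="admin" '
    'ui="https(203.0.113.10)" action="Add" cfgpath="system.admin" cfgobj="Adm_k7x2" '
    'msg="Add system.admin Adm_k7x2"',
    'date=2024-10-29 time=09:02:11 type="event" subtype="system" user="admin" '
    'ui="https(10.20.30.40)" action="Add" cfgpath="system.admin" cfgobj="netops" '
    'msg="Add system.admin netops"',
    'date=2024-10-29 time=11:47:52 type="event" subtype="system" user="admin" '
    'ui="jsconsole" srcip=198.51.100.7 action="Add" cfgpath="system.admin" '
    'cfgobj="q4z9xk1" msg="Add system.admin q4z9xk1"',
    'date=2024-10-29 time=12:00:03 type="event" subtype="system" user="admin" '
    'ui="https(10.0.0.5)" action="Edit" cfgpath="firewall.policy" cfgobj="12" '
    'msg="Edit firewall.policy 12"',
]

if __name__ == "__main__":
    for user, reasons in scan(SAMPLE_LOG):
        print(user, "->", "; ".join(reasons))
```

The rule deliberately reports every reason rather than a single verdict: a legitimate automation account created over the API from an internal address will show one weak reason, while the Adm_k7x2 and q4z9xk1 samples stack two or three, which is the combination worth paging on.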

Immediate Mitigations

  1. Apply patches immediately: FortiOS 7.0.17, 7.2.10 or FortiProxy equivalents
  2. Disable HTTP/HTTPS management access from the internet if not yet patched
  3. Audit all local admin accounts for unexpected entries
  4. Rotate all VPN user credentials and SSL certificate private keys
  5. Restrict management access to dedicated management VLAN with MFA

Why Management Interfaces Must Never Be Internet-Facing

Fortinet's advisory noted that organizations with the management interface exposed directly to the internet were disproportionately affected. This is a recurring pattern across security appliance vulnerabilities. Management planes are not designed to resist adversarial inputs from untrusted networks. Defense-in-depth requires a separate, access-controlled management VLAN even when the vendor does not explicitly mandate it.

  • Use jump hosts or bastion servers for all appliance administration
  • Apply per-source IP allowlisting at the management interface level
  • Enable two-factor authentication for all administrative accounts
  • Monitor admin interface access logs in real time via SIEM

Post-Incident Recovery Checklist

  1. Assume compromise if device was internet-exposed during the vulnerable window
  2. Capture a forensic image of the device before patching
  3. Remove and audit all local admin accounts
  4. Revoke and reissue all VPN user credentials
  5. Review firewall policy changes in audit logs for the prior 90 days
  6. Notify downstream users who authenticated via the compromised device
