The National Cyber Security Centre (NCSC) has reported a significant surge in ransomware attacks targeting critical vulnerabilities in FortiOS and FortiProxy devices. Identified as CVE-2024-55591 and CVE-2025-24472, these vulnerabilities allow attackers to gain unauthenticated super_admin privileges and establish long-term persistence on compromised systems. A public exploit has been available since January 27, 2025, increasing the risk of widespread attacks[1][2].
TL;DR
- Vulnerabilities: CVE-2024-55591 and CVE-2025-24472 in FortiOS and FortiProxy.
- Impact: Attackers can gain super_admin privileges and establish persistence.
- Exploit: Publicly available since January 27, 2025.
- Affected Systems: FortiOS devices running versions below 7.0.16.
- Recommendations: Patch systems, restrict access to management interfaces, and follow NCSC guidelines.
Technical Details of the Vulnerabilities
The vulnerabilities CVE-2024-55591 and CVE-2025-24472 are classified as critical due to their potential to provide unauthorized access to network devices. CVE-2024-55591 involves an authentication bypass in the Node.js websocket module, allowing attackers to gain super_admin privileges by sending a specially crafted request[3]. CVE-2025-24472 enables attackers to create persistence through a backdoor, including a Super_Admin account and an additional VPN user account[4].
Proof of Concept (PoC)
A simple PoC for CVE-2024-55591 can be implemented using Python (the angle-bracket values are placeholders; the page supplies no real target or token):
import requests

# Admin-management endpoint of the target device (placeholders left as on the page).
target_url = "http://<target_ip>:<port>/api/v2/cmdb/system/admin"

headers = {
    "Content-Type": "application/json",
    "Authorization": "Bearer <malicious_token>",
}

# Body of the crafted request: a new administrator with the super_admin profile.
payload = {
    "username": "super_admin",
    "password": "hacked_password",
    "access": "super_admin",
}

response = requests.post(target_url, headers=headers, json=payload)
print(response.status_code)
print(response.text)
This code simulates an attacker sending a specially crafted request to gain super_admin privileges.
Impact on Affected Systems
The vulnerabilities primarily affect FortiOS devices running versions below 7.0.16 and devices with exposed management interfaces. Successful exploitation allows attackers to:
- Fully compromise the network.
- Steal data before encryption.
- Encrypt critical servers and files for financial extortion[5].
Relevance for Red Teamers and Blue Teamers
For Red Teamers, these vulnerabilities provide an opportunity to test the effectiveness of existing security measures. It is essential to check if systems are vulnerable to these exploits and implement recommended mitigation strategies.
For Blue Teamers and SOC Analysts, it is crucial to:
- Monitor logs for suspicious activities, such as unauthorized access attempts.
- Improve patch management to ensure systems are up-to-date.
- Restrict access to management interfaces to trusted hosts.
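As an added example (not part of the NCSC report or of any Fortinet tooling), the following script applies the three monitoring points above to FortiOS-style event logs: it flags admin logins from hosts outside a trusted management range, failed admin logins, and the persistence artefacts described for CVE-2025-24472 (a new super_admin administrator and an additional local VPN user). Field names follow the FortiOS key=value log convention; the trusted range and the sample lines are constructed for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Assumed trusted management hosts; replace with your own ranges.
TRUSTED_MGMT = [ip_network("10.0.0.0/24")]

# FortiOS event logs are key=value pairs; values may be quoted or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_fortios_line(line):
    """Parse one FortiOS-style key=value log line into a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}

def is_trusted(srcip):
    """True if srcip falls inside a trusted management range."""
    try:
        return any(ip_address(srcip) in net for net in TRUSTED_MGMT)
    except ValueError:
        return False  # missing or unparsable source address: treat as untrusted

def find_indicators(lines):
    """Return (rule, object, source_ip) tuples for the activity the NCSC describes."""
    findings = []
    for line in lines:
        f = parse_fortios_line(line)
        desc, action, path = f.get("logdesc"), f.get("action"), f.get("cfgpath")
        if desc == "Admin login failed":
            findings.append(("admin_login_failed", f.get("user"), f.get("srcip")))
        elif desc == "Admin login successful" and not is_trusted(f.get("srcip", "")):
            findings.append(("admin_login_untrusted", f.get("user"), f.get("srcip")))
        elif desc == "Object attribute configured" and action == "Add":
            if path == "system.admin" and "super_admin" in f.get("cfgattr", ""):
                findings.append(("super_admin_created", f.get("cfgobj"), f.get("srcip")))
            elif path == "user.local":
                findings.append(("vpn_user_created", f.get("cfgobj"), f.get("srcip")))
    return findings

# Constructed sample lines in FortiOS key=value style (not real device output).
SAMPLE_LOGS = [
    'date=2025-03-21 time=10:01:02 type="event" subtype="system" logdesc="Admin login successful" user="admin" srcip=10.0.0.5 action="login"',
    'date=2025-03-21 time=10:02:15 type="event" subtype="system" logdesc="Admin login failed" user="admin" srcip=198.51.100.9 action="login"',
    'date=2025-03-21 time=10:02:30 type="event" subtype="system" logdesc="Admin login successful" user="admin" srcip=203.0.113.7 action="login"',
    'date=2025-03-21 time=10:02:40 type="event" subtype="system" logdesc="Object attribute configured" user="admin" srcip=203.0.113.7 action="Add" cfgpath="system.admin" cfgobj="svc_backup" cfgattr="accprofile[super_admin]"',
    'date=2025-03-21 time=10:03:01 type="event" subtype="system" logdesc="Object attribute configured" user="admin" srcip=203.0.113.7 action="Add" cfgpath="user.local" cfgobj="vpnuser2" cfgattr="type[password]"',
]

if __name__ == "__main__":
    for rule, obj, src in find_indicators(SAMPLE_LOGS):
        print(f"{rule}: object={obj} from={src}")
```

Feed the script your own exported event logs instead of SAMPLE_LOGS and treat any super_admin_created or vpn_user_created finding that follows an untrusted login as a possible compromise of the device.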
Recommended Measures
The NCSC has released a flowchart outlining steps to mitigate these vulnerabilities[6]. Key measures include:
- Patch systems: Install the latest updates for FortiOS and FortiProxy.
- Restrict access: Limit access to management interfaces to trusted hosts.
- Monitor logs: Review logs regularly for suspicious activity such as unauthorized access attempts and unexpected account changes.
- Implement network segmentation: Limit the impact of a potential compromise.
Conclusion
The vulnerabilities in FortiOS and FortiProxy pose a significant risk to organizations worldwide. With a publicly available exploit, it is crucial for organizations to act swiftly to protect their systems. By implementing the recommended measures, Red Teamers, Blue Teamers, and SOC Analysts can minimize the impact of these vulnerabilities and enhance the overall security of their networks.
References
- “Kwetsbaarheid in FortiOS en FortiProxy leidt tot ransomware-aanvallen”. Nationaal Cyber Security Centrum (NCSC). 21 March 2025.
- Witold Kepinski. “Kwetsbaarheid in FortiOS en FortiProxy leidt tot ransomware-aanvallen”. LinkedIn. 22 March 2025.
- “Kritieke kwetsbaarheden in Fortinet FortiOS en FortiProxy”. TechVisor. 14 March 2024.
- “Nederland telt honderden Fortinet-apparaten met actief aangevallen lek”. Security.nl.
- “Fortinet: Cybercrime-as-a-Service-groepen specialiseren zich in 2025”. Dutch IT Channel. 12 December 2024.
- “Home | Nationaal Cyber Security Centrum”. NCSC.