Initiatives for
As the national authority for Cybersecurity the CCB has developed several initiatives for specific publics which are presented here.
WARNING: FORTINET PATCHED CRITICAL VULNERABILITIES, ONE OF WHICH IS ALREADY BEING ACTIVELY EXPLOITED, PATCH IMMEDIATELY!
Image
Published : 15/01/2025
Reference:
Advisory #2025-011
Version:
1.0
Affected software:
Multiple Fortinet Products
Type:
Multiple types, including Remote Code Execution
CVE/CVSS:
CVE-2024-55591: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Sources
Fortinet - https://www.fortiguard.com/psirt
Risks
Fortinet has released patches addressing multiple critical vulnerabilities affecting its products. Among these, one vulnerability has already been identified as actively exploited in the wild, posing a significant risk to affected systems.
It is essential for organizations using Fortinet products to review the available updates and apply them immediately to mitigate potential security threats. This advisory provides details on the vulnerabilities, their potential impact, and the necessary steps to safeguard your systems.
The actively exploited vulnerability is an authentication bypass in FortiOS and FortiProxy, which could allow a remote attacker to gain super-admin privileges through specially crafted requests to the Node.js websocket module.
Description
CVE-2024-55591 – FortiOS and FortiProxy – Actively exploited
CVE-2024-55591 is an authentication bypass vulnerability in FortiOS and FortiProxy. An unauthenticated, remote attacker could exploit this vulnerability by sending a specially crafted request to a Node.js websocket module. Successful exploitation may grant an attacker super-admin privileges on a vulnerable device. According to the Fortinet advisory, this vulnerability has been exploited in the wild. This vulnerability has been assigned a CVSSv3 score of 9.8.
Researchers at Arctic Wolf published a blog post on January 10 detailing a campaign first observed in mid-November 2024 of suspicious activity related to the exploitation of a zero-day vulnerability, which is presumed to be CVE-2024-55591.
CVE-2023-37936 – FortiSwitch
The vulnerability could allow remote, unauthenticated attackers to execute arbitrary code on vulnerable devices, potentially leading to complete network compromise.
The vulnerability stems from the use of a hardcoded cryptographic key in the affected FortiSwitch versions. Attackers with knowledge of this key can craft malicious requests to exploit the flaw and gain complete control over the device. This vulnerability has been assigned a CVSSv3 score of 9.8.
CVE-2024-46662 – FortiManager
A vulnerability in FortiManager's csfd daemon, caused by improper neutralization of special elements in an OS command, could allow an authenticated attacker to execute unauthorized commands by sending specially crafted packets. This vulnerability has been assigned a CVSSv3 score of 8.8.
CVE-2024-35277 – FortiManager and FortiPortal
A vulnerability in FortiManager and FortiPortal, caused by missing authentication for a critical function, could allow a remote, unauthenticated attacker to access the configuration of all managed devices. This vulnerability has been assigned a CVSSv3 score of 8.6.
CVE-2024-35277 – FortiManager and FortiAnalyze
A relative path traversal vulnerability in FortiManager and FortiAnalyzer could allow a remote attacker with limited privileges to execute unauthorized code through specially crafted HTTP requests. This vulnerability has been assigned a CVSSv3 score of 8.6.
Other vulnerabilities
Fortinet has also addressed several other vulnerabilities. If you use a Fortinet device, please review their advisory page and ensure all your products are updated to the latest versions.
Fortinet advisories: https://www.fortiguard.com/psirt
Recommended Actions
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident.
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
References
FortiGuard - https://www.fortiguard.com/psirt/FG-IR-23-260
FortiGuard - https://www.fortiguard.com/psirt/FG-IR-24-535
SecurityOnline - https://securityonline.info/cve-2023-37936-cvss-9-6-urgent-patch-needed-for-fortiswitch-vulnerability/