{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2025-003.pdf"
    },
    "title": "Critical Vulnerabilities in Fortinet Products",
    "serial_number": "2025-003",
    "publish_date": "15-01-2025 13:26:10",
    "description": "On January 14, Fortinet released and updated several security advisories addressing multiple vulnerabilities ranging from low to critical severity. At least one critical vulnerability is known to be exploited in the wild.<br>\nIt is recommended to update as soon as possible and, if that is not possible, at least to apply the mitigations.<br>\n",
    "url_title": "2025-003",
    "content_markdown": "---\ntitle: 'Critical Vulnerabilities in\u00a0Fortinet\u00a0Products'\nnumber: '2025-003'\nversion: '1.0'\noriginal_date: '2025-01-14'\ndate: '2025-01-15'\n---\n\n_History:_\n\n* _15/01/2025 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn January 14, Fortinet released and updated several security advisories addressing multiple vulnerabilities ranging from low to critical severity [1]. At least one critical vulnerability is known to be exploited in the wild.\n\nIt is recommended to update as soon as possible and, if that is not possible, at least to apply the mitigations.\n\n# Technical Details\n\n- The vulnerability **CVE-2024-55591**, with a CVSS score of 9.6, is an authentication bypass in the `Node.js` websocket module of FortiOS and FortiProxy which allows a remote attacker to gain super-admin privileges via crafted requests to that module. This vulnerability affects the management interface and is exploited in the wild [2].\n- The vulnerability **CVE-2023-37936**, with a CVSS score of 9.6, results from the use of a hard-coded cryptographic key in FortiSwitch and allows a remote unauthenticated attacker in possession of the key to execute unauthorised code via crafted cryptographic requests [3].\n\nFortinet also addresses 13 other high-severity vulnerabilities.\n\n# Affected Products\n\n- The vulnerability **CVE-2024-55591** affects FortiOS versions 7.0.0 through 7.0.16, and FortiProxy 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12.\n- The vulnerability **CVE-2023-37936** affects FortiSwitch versions:\n    - 6.0.0 through 6.0.7;\n    - 6.2.0 through 6.2.7;\n    - 6.4.0 through 6.4.13;\n    - 7.0.0 through 7.0.7;\n    - 7.2.0 through 7.2.5;\n    - 7.4.0.\n\n# Recommendations\n\nIt is recommended to update as soon as possible. Considering that the vulnerability **CVE-2024-55591** is exploited in the wild, it is also recommended to look for indicators of compromise (IoCs). When IoCs are found, it is recommended to trigger the Incident Response process.\n\n## Detection\n\nFortinet has provided possible IoCs to look for when checking for exploitation of the vulnerability **CVE-2024-55591**:\n\n### In the logs\n\n- The following login activity log entry, with random `srcip` and `dstip` values:\n\n```\ntype=\"event\" subtype=\"system\" level=\"information\" vd=\"root\" logdesc=\"Admin login successful\" sn=\"1733486785\" user=\"admin\" ui=\"jsconsole\" method=\"jsconsole\" srcip=1.1.1.1 dstip=1.1.1.1 action=\"login\" status=\"success\" reason=\"none\" profile=\"super_admin\" msg=\"Administrator admin logged in successfully from jsconsole\"\n```\n\n- The following admin creation log entry, with a seemingly randomly generated user name and source IP:\n\n```\ntype=\"event\" subtype=\"system\" level=\"information\" vd=\"root\" logdesc=\"Object attribute configured\" user=\"admin\" ui=\"jsconsole(127.0.0.1)\" action=\"Add\" cfgtid=1411317760 cfgpath=\"system.admin\" cfgobj=\"vOcep\" cfgattr=\"password[*]accprofile[super_admin]vdom[root]\" msg=\"Add system.admin vOcep\"\n```\n\nThe following IP addresses were most often seen used by attackers in the above log entries:\n\n- `1.1.1.1`\n- `127.0.0.1`\n- `2.2.2.2`\n- `8.8.8.8`\n- `8.8.4.4`\n\n_Please note that the above IP parameters are under attacker control and can therefore be any other IP address. Please note as well that `sn` and `cfgtid` are not relevant to the attack._\n\n- Logging in to the `sslvpn` with the local users added above to get a tunnel into the internal network. The Threat Actor has been seen using the following IP addresses:\n    - `45.55.158.47` [most used IP address]\n    - `87.249.138.47`\n    - `155.133.4.175`\n    - `37.19.196.65`\n    - `149.22.94.37`\n\n### In the device configuration\n\nThe operations performed by the Threat Actor (TA) in the cases we observed were some or all of the following:\n\n- Creating an admin account on the device with a random user name\n- Creating a local user account on the device with a random user name\n- Creating a user group, or adding the above local user to an existing `sslvpn` user group\n- Adding/changing other settings (firewall policy, firewall address, ...)\n\n## Workarounds\n\nAs a workaround, Fortinet recommends disabling the HTTP/HTTPS administrative interface, or limiting the IP addresses that can reach the administrative interface via local-in policies [2].\n\n# References\n\n[1] <https://www.fortiguard.com/psirt?filter=1&product=FortiOS-6K7K%2CFortiOS&product=FortiSwitch&product=FortiSwitchManager&product=FortiAP&product=FortiAP-U&product=FortiAP-W2&product=FortiAP-S&product=FortiAP-C&product=FortiManager&product=FortiAnalyzer&product=FortiAnalyzer-BigData&product=FortiManager+Cloud&product=FortiAnalyzer+Cloud&product=FortiSandbox&product=FortiExtender&version=&date=2025>\n\n[2] <https://www.fortiguard.com/psirt/FG-IR-24-535>\n\n[3] <https://www.fortiguard.com/psirt/FG-IR-23-260>",
    "content_html": "<p><em>History:</em></p><ul><li><em>15/01/2025 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On January 14, Fortinet released and updated several security advisories addressing multiple vulnerabilities ranging from low to critical severity [1]. At least one critical vulnerability is known to be exploited in the wild.</p><p>It is recommended to update as soon as possible and, if that is not possible, at least to apply the mitigations.</p><h2 id=\"technical-details\">Technical Details</h2><ul><li>The vulnerability <strong>CVE-2024-55591</strong>, with a CVSS score of 9.6, is an authentication bypass in the <code>Node.js</code> websocket module of FortiOS and FortiProxy which allows a remote attacker to gain super-admin privileges via crafted requests to that module. This vulnerability affects the management interface and is exploited in the wild [2].</li><li>The vulnerability <strong>CVE-2023-37936</strong>, with a CVSS score of 9.6, results from the use of a hard-coded cryptographic key in FortiSwitch and allows a remote unauthenticated attacker in possession of the key to execute unauthorised code via crafted cryptographic requests [3].</li></ul><p>Fortinet also addresses 13 other high-severity vulnerabilities.</p><h2 id=\"affected-products\">Affected Products</h2><ul><li>The vulnerability <strong>CVE-2024-55591</strong> affects FortiOS versions 7.0.0 through 7.0.16, and FortiProxy 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12.</li><li>The vulnerability <strong>CVE-2023-37936</strong> affects FortiSwitch versions: <ul><li>6.0.0 through 6.0.7;</li><li>6.2.0 through 6.2.7;</li><li>6.4.0 through 6.4.13;</li><li>7.0.0 through 7.0.7;</li><li>7.2.0 through 7.2.5;</li><li>7.4.0.</li></ul></li></ul><h2 id=\"recommendations\">Recommendations</h2><p>It is recommended to update as soon as possible. Considering that the vulnerability <strong>CVE-2024-55591</strong> is exploited in the wild, it is also recommended to look for indicators of compromise (IoCs). When IoCs are found, it is recommended to trigger the Incident Response process.</p><h3 id=\"detection\">Detection</h3><p>Fortinet has provided possible IoCs to look for when checking for exploitation of the vulnerability <strong>CVE-2024-55591</strong>:</p><h4 id=\"in-the-logs\">In the logs</h4><ul><li>The following login activity log entry, with random <code>srcip</code> and <code>dstip</code> values:</li></ul><pre><code>type=\"event\" subtype=\"system\" level=\"information\" vd=\"root\" logdesc=\"Admin login successful\" sn=\"1733486785\" user=\"admin\" ui=\"jsconsole\" method=\"jsconsole\" srcip=1.1.1.1 dstip=1.1.1.1 action=\"login\" status=\"success\" reason=\"none\" profile=\"super_admin\" msg=\"Administrator admin logged in successfully from jsconsole\"\n</code></pre><ul><li>The following admin creation log entry, with a seemingly randomly generated user name and source IP:</li></ul><pre><code>type=\"event\" subtype=\"system\" level=\"information\" vd=\"root\" logdesc=\"Object attribute configured\" user=\"admin\" ui=\"jsconsole(127.0.0.1)\" action=\"Add\" cfgtid=1411317760 cfgpath=\"system.admin\" cfgobj=\"vOcep\" cfgattr=\"password[*]accprofile[super_admin]vdom[root]\" msg=\"Add system.admin vOcep\"\n</code></pre><p>The following IP addresses were most often seen used by attackers in the above log entries:</p><ul><li><code>1.1.1.1</code></li><li><code>127.0.0.1</code></li><li><code>2.2.2.2</code></li><li><code>8.8.8.8</code></li><li><code>8.8.4.4</code></li></ul><p><em>Please note that the above IP parameters are under attacker control and can therefore be any other IP address. Please note as well that <code>sn</code> and <code>cfgtid</code> are not relevant to the attack.</em></p><ul><li>Logging in to the <code>sslvpn</code> with the local users added above to get a tunnel into the internal network. The Threat Actor has been seen using the following IP addresses: <ul><li><code>45.55.158.47</code> [most used IP address]</li><li><code>87.249.138.47</code></li><li><code>155.133.4.175</code></li><li><code>37.19.196.65</code></li><li><code>149.22.94.37</code></li></ul></li></ul><h4 id=\"in-the-device-configuration\">In the device configuration</h4><p>The operations performed by the Threat Actor (TA) in the cases we observed were some or all of the following:</p><ul><li>Creating an admin account on the device with a random user name</li><li>Creating a local user account on the device with a random user name</li><li>Creating a user group, or adding the above local user to an existing <code>sslvpn</code> user group</li><li>Adding/changing other settings (firewall policy, firewall address, ...)</li></ul><h3 id=\"workarounds\">Workarounds</h3><p>As a workaround, Fortinet recommends disabling the HTTP/HTTPS administrative interface, or limiting the IP addresses that can reach the administrative interface via local-in policies [2].</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.fortiguard.com/psirt?filter=1&product=FortiOS-6K7K%2CFortiOS&product=FortiSwitch&product=FortiSwitchManager&product=FortiAP&product=FortiAP-U&product=FortiAP-W2&product=FortiAP-S&product=FortiAP-C&product=FortiManager&product=FortiAnalyzer&product=FortiAnalyzer-BigData&product=FortiManager+Cloud&product=FortiAnalyzer+Cloud&product=FortiSandbox&product=FortiExtender&version=&date=2025\">https://www.fortiguard.com/psirt?filter=1&amp;product=FortiOS-6K7K%2CFortiOS&amp;product=FortiSwitch&amp;product=FortiSwitchManager&amp;product=FortiAP&amp;product=FortiAP-U&amp;product=FortiAP-W2&amp;product=FortiAP-S&amp;product=FortiAP-C&amp;product=FortiManager&amp;product=FortiAnalyzer&amp;product=FortiAnalyzer-BigData&amp;product=FortiManager+Cloud&amp;product=FortiAnalyzer+Cloud&amp;product=FortiSandbox&amp;product=FortiExtender&amp;version=&amp;date=2025</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.fortiguard.com/psirt/FG-IR-24-535\">https://www.fortiguard.com/psirt/FG-IR-24-535</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.fortiguard.com/psirt/FG-IR-23-260\">https://www.fortiguard.com/psirt/FG-IR-23-260</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}