Numerous critical security flaws in Fortinet products have left thousands of organizations worldwide vulnerable to cyberattacks. The most dangerous vulnerability, CVE-2024-55591, affects both FortiOS and FortiProxy, allowing remote attackers to gain super-admin privileges without even breaking a sweat. This flaw has been exploited in the wild since November 2024. Must be nice for hackers to have such an easy way in.
Over 48,000 internet-facing devices are potentially at risk. That’s not a typo. Forty-eight thousand. The vulnerability impacts FortiOS versions 7.0.0 through 7.0.16 and FortiProxy versions 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12. Users need to update to FortiOS 7.0.17+ or FortiProxy 7.2.13+ to patch this flaw. Good luck with that deployment schedule.
Over 48,000 Fortinet devices exposed to hackers. Update now if you can navigate that deployment nightmare.
But wait, there’s more! Remote code execution vulnerabilities are sprinkled throughout Fortinet’s product line like unwelcome party favors. CVE-2025-24470 in FortiPortal enables unauthenticated source code retrieval. CVE-2024-35279 introduces a stack-based buffer overflow in FortiOS CAPWAP control. And the hits keep coming.
The privilege escalation issues aren’t any better. CVE-2024-40591 allows admins to escalate to super-admin privileges. Another flaw, CVE-2025-24472, provides authentication bypass via CSF proxy requests. Both were fixed in January 2024 updates. Better late than never, right? Organizations that fall victim may face devastating consequences, as recovery time from breaches averages 277 days without proper security measures in place.
In the real world, attackers are using these flaws to create unauthorized admin accounts, modify firewall policies, and gain internal network access. The vulnerability is related to issues in the Node.js websocket module. At least 50 organizations have already been compromised across various industries. The attackers aren’t just getting in – they’re making themselves at home.
Fortinet urges immediate patching and recommends disabling HTTP/HTTPS administrative interfaces. They also suggest restricting admin access using local-in policies. Because nothing says “secure system” like having to shut down its management interfaces completely. The attack timeline revealed a concerning pattern of vulnerability scanning phase between November 16-23, followed by reconnaissance and eventual lateral movement across networks.
