Freely subscribe to our NEWSLETTER

Spike in Fortinet CVE-2024-55591 Vulnerability Rapidly Increased in the past Week
The CrowdSec Network has detected a wave of exploitation attempts targeting CVE-2024-55591, a Fortinet vulnerability that affects FortiWAN versions before 5.3.2. First seen on April 23rd, the CrowdSec Network still sees elevated levels of probing and exploitation.

About the exploit
This flaw allows remote attackers to perform unauthenticated command injection on exposed FortiWAN instances. This vulnerability affects FortiWAN versions prior to 5.3.2. It enables attackers to execute arbitrary commands via crafted HTTP requests — no authentication required.
Key findings
• The CrowdSec Network first detected a shift in the CVE-2024-55591 exploitation attempts on April 23rd.
• This particular campaign is being perpetrated by benign actors such as The Shadowserver Foundation and Hadrian.
• There was a drop in exploitation attempts on April 29th, which the CrowdSec Network suspects is due to an infrastructure transition at the Shadowserver Foundation, where the scan campaign was switched from a test cluster to a standing scanning campaign infrastructure.
• The CrowdSec decentralized detection network spotted this wave early and made all the information available on CrowdSec CTI, where it is currently tracking hundreds of IPs tied to this campaign.
Trend analysis
• April 23rd: The CrowdSec Network detects a shift in the long-term trend of CVE-2024-55591 exploits.
...