🔴 CVE-2024-55591

A critical authentication bypass in Fortinet FortiOS and FortiProxy lets a remote, unauthenticated attacker gain super-admin privileges by sending crafted requests to the Node.js WebSocket module of the management interface. The vulnerability is actively exploited in the wild and is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.

← Back to Overview
HIGH_RISK
Risk Level
9.6
CVSS Score
NETWORK
Attack Vector
Initial Access
ATT&CK Tactic
T1190 — Exploit Public-Facing Application
ATT&CK Technique
VERY_HIGH
Deployment Risk
Yes (+506d)
Ransomware

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2025-01-14

Added to CISA KEV: 2025-01-14 (0 days between CVE publication and KEV listing)

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2024-55591 is a critical authentication bypass vulnerability affecting specific versions of Fortinet's FortiOS and FortiProxy products [1] [5]. NVD's NIST assessment scores it CVSS 9.8 [1]; Fortinet's own advisory rates it 9.6 [3], which is the score shown in the header above.

Vulnerability Overview
  • Type: Authentication Bypass Using an Alternate Path or Channel (CWE-288) [1].
  • Impact: A remote, unauthenticated attacker can gain super-admin privileges on the affected device [1]. This allows for full control over the device, including the ability to execute arbitrary CLI commands [2].
Attack Method and Requirements
  • Exploitation: The vulnerability exists in the Node.js WebSocket module used by the device's management (administrative web) interface [1] [3].
  • Method: Attackers send specially crafted requests to the WebSocket interface. The published proof-of-concept research indicates that the exploit brute-forces WebSocket connections to win a race condition which, combined with the authentication bypass, yields an unauthenticated CLI session on the device [2].
  • Requirements: The attack is remote and needs no credentials and no user interaction [1]; the attacker only needs network reachability to the device's administrative interface, which is why exposure of that interface to untrusted networks is the key risk factor.
Affected Versions
  • FortiOS: Versions 7.0.0 through 7.0.16 [1].
  • FortiProxy: Versions 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12 [1].
Exploitation and Threat Intelligence
  • PoC Availability: Multiple proof-of-concept (PoC) scripts have been made publicly available on platforms like GitHub, enabling researchers and potentially attackers to test or exploit the vulnerability [4] [6].
  • Active Exploitation: The vulnerability is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, confirming that it has been exploited in the wild [1].
  • Usage: The header of this page records ransomware use. Details of specific campaigns built on this CVE are mostly confined to private threat-intelligence reporting; the KEV listing by itself establishes that it is a high-priority target for malicious actors and should be treated as such when prioritising patching.
Mitigation
Users are strongly advised to check their device versions against the affected list and apply the patches provided by Fortinet. Fortinet's advisory names FortiOS 7.0.17, FortiProxy 7.0.20 and FortiProxy 7.2.13 (or later in each branch) as the first fixed releases; other FortiOS branches (7.2, 7.4, 7.6) are not affected. Where patching is delayed, the advisory's workaround is to disable the HTTP/HTTPS administrative interface, or to restrict it with local-in policies to trusted management addresses only. Because exploitation has been ongoing since before disclosure, devices that ran an affected version with an exposed management interface should also be reviewed for the indicators of compromise the advisory lists (administrative logins and admin-account creation via jsconsole from unexpected source addresses) rather than just upgraded. For official guidance and specific patch versions, refer to the [FortiGuard PSIRT advisory (FG-IR-24-535)](https://www.fortiguard.com/psirt/FG-IR-24-535) [3].
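The two practical checks from the Affected Versions and Mitigation sections above, as an added example that is not code from Fortinet, NVD or any of the PoC repositories cited on this page: an `is_affected()` test of a `get system status` version string against the published ranges, and a scan of FortiOS-style `key="value"` event log lines for the login pattern associated with this exploitation. Assumptions, labelled in the code: the indicator set (successful `jsconsole` admin logins from loopback or well-known public addresses such as 1.1.1.1, and `system.admin` objects added via `jsconsole`) is my recollection of the IoCs in FG-IR-24-535 and must be verified against the advisory before use in production detection; the log lines are constructed for this example.

```python
"""Version check and log triage for CVE-2024-55591 (added example)."""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Affected ranges (inclusive) exactly as published in the advisory / NVD entry.
AFFECTED: Dict[str, List[Tuple[Version, Version]]] = {
    "FortiOS": [((7, 0, 0), (7, 0, 16))],
    "FortiProxy": [((7, 0, 0), (7, 0, 19)), ((7, 2, 0), (7, 2, 12))],
}


def parse_version(text: str) -> Version:
    """Extract x.y.z from strings such as 'v7.0.16,build0667,241001 (GA.M)'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if m is None:
        raise ValueError(f"no x.y.z version found in {text!r}")
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def is_affected(product: str, version_text: str) -> bool:
    """True if the product/version falls inside a published affected range."""
    v = parse_version(version_text)
    return any(lo <= v <= hi for lo, hi in AFFECTED.get(product, []))


# FortiOS event logs are space-separated key=value pairs; values may be quoted.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


# ASSUMPTION: source addresses reported in attacker-generated log entries,
# from my recollection of FG-IR-24-535. Verify against the advisory.
SUSPECT_SRCIPS = {"127.0.0.1", "1.1.1.1", "2.2.2.2", "8.8.8.8"}


def findings_for(event: Dict[str, str]) -> List[str]:
    """Return human-readable reasons why a single event looks like post-exploitation."""
    reasons: List[str] = []
    ui = event.get("ui", "")
    # Indicator 1: a successful admin login through the jsconsole channel
    # (the CLI-over-WebSocket path) from a source address that makes no sense.
    if (event.get("logdesc") == "Admin login successful"
            and ui.startswith("jsconsole")
            and event.get("srcip") in SUSPECT_SRCIPS):
        reasons.append(
            f"jsconsole admin login from {event['srcip']} "
            f"(user={event.get('user')}, profile={event.get('profile')})")
    # Indicator 2: a new administrator object created via jsconsole, the
    # persistence step reported after the bypass.
    if (event.get("cfgpath") == "system.admin"
            and event.get("action") == "Add"
            and ui.startswith("jsconsole")):
        reasons.append(f"admin account {event.get('cfgobj')!r} added via {ui}")
    return reasons


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Scan log lines; return (1-based line number, reason) for each hit."""
    hits: List[Tuple[int, str]] = []
    for n, line in enumerate(lines, 1):
        for reason in findings_for(parse_event(line)):
            hits.append((n, reason))
    return hits


# Constructed sample log lines for this example (not real device logs).
SAMPLE_LOGS = [
    'type="event" subtype="system" level="information" vd="root" '
    'logdesc="Admin login successful" user="admin" ui="jsconsole" '
    'method="jsconsole" srcip=1.1.1.1 dstip=1.1.1.1 action="login" '
    'status="success" profile="super_admin" '
    'msg="Administrator admin logged in successfully from jsconsole"',
    'type="event" subtype="system" level="information" vd="root" '
    'logdesc="Object attribute configured" user="admin" '
    'ui="jsconsole(127.0.0.1)" action="Add" cfgtid=1411317760 '
    'cfgpath="system.admin" cfgobj="xq7Kd2" '
    'cfgattr="password[*]accprofile[super_admin]vdom[root]" '
    'msg="Add system.admin xq7Kd2"',
    # Benign: an operator logging in through the GUI from a management subnet.
    'type="event" subtype="system" level="information" vd="root" '
    'logdesc="Admin login successful" user="netops" ui="https(10.20.30.40)" '
    'method="https" srcip=10.20.30.40 dstip=10.0.0.1 action="login" '
    'status="success" profile="super_admin" '
    'msg="Administrator netops logged in successfully from https(10.20.30.40)"',
]

if __name__ == "__main__":
    status_line = "Version: FortiGate-VM64-AWS v7.0.16,build0667,241001 (GA.M)"
    print("affected:", is_affected("FortiOS", status_line))
    for lineno, reason in scan(SAMPLE_LOGS):
        print(f"line {lineno}: {reason}")
```

The version check deliberately parses the raw `Version:` line from `get system status` rather than asking the operator to transcribe a number, since the build suffix is exactly where transcription errors happen. On the detection side, a `jsconsole` login is not by itself malicious (the GUI's CLI console also uses it), so the rule keys on the source address and on admin-object creation; extend `SUSPECT_SRCIPS` with any address that should never reach your management plane.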

Sources

  1. NVD - CVE-2024-55591 (https://nvd.nist.gov/vuln/detail/CVE-2024-55591)
     NIST entry: an Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS 7.0.0 through 7.0.16 and FortiProxy 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12.

  2. watchtowrlabs/fortios-auth-bypass-poc-CVE-2024-55591, README.md (https://github.com/watchtowrlabs/fortios-auth-bypass-poc-CVE-2024-55591)
     Proof-of-concept script; its sample session shows `get system status` on the target returning "FortiGate-VM64-AWS v7.0.16,build0667,241001 (GA.M)".

  3. FortiGuard Labs PSIRT FG-IR-24-535: Authentication bypass in Node.js websocket module (https://www.fortiguard.com/psirt/FG-IR-24-535)
     Vendor advisory: CWE-288 authentication bypass in FortiOS and FortiProxy that may allow a remote attacker to gain super-admin privileges.

  4. watchtowrlabs/fortios-auth-bypass-poc-CVE-2024-55591 - GitHub
     Repository page for the proof of concept in source 2.

  5. virus-or-not/CVE-2024-55591 - GitHub (https://github.com/virus-or-not/CVE-2024-55591)
     Restates the CWE-288 classification, the affected FortiOS and FortiProxy ranges, and the super-admin impact.

  6. exfil0/CVE-2024-55591-POC - GitHub (https://github.com/exfil0/CVE-2024-55591-POC)
     "All-in-one" proof of concept; describes the flaw as residing in the WebSocket/Telnet management interface and giving privileged CLI access without valid credentials.