Cyber Posture

CVE-2024-55591

Critical · CISA KEV · Active Exploitation · Ransomware-linked

Published: 14 January 2025

Modified: 24 October 2025
KEV Added: 14 January 2025
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9406 (99.9th percentile)
Risk Priority: 96 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS versions 7.0.0 through 7.0.16 and FortiProxy versions 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12 allows a remote attacker to gain super-admin privileges via crafted requests to the Node.js websocket module.

Security Summary

CVE-2024-55591 is an authentication bypass vulnerability using an alternate path or channel (CWE-288) that affects FortiOS versions 7.0.0 through 7.0.16 and FortiProxy versions 7.0.0 through 7.0.19 as well as 7.2.0 through 7.2.12. The issue stems from the Node.js websocket module, where crafted requests enable attackers to circumvent authentication controls.

A remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity and no user interaction required, as indicated by its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Successful exploitation grants super-admin privileges, potentially allowing full compromise of the affected device.

Fortinet's PSIRT advisory (FG-IR-24-535) details the vulnerability and mitigation steps, including upgrading to patched versions. The flaw is also listed in CISA's Known Exploited Vulnerabilities Catalog, signaling active exploitation and recommending immediate remediation by federal agencies and critical infrastructure operators.

Its inclusion in CISA's KEV catalog highlights real-world exploitation risks, underscoring the urgency for Fortinet users to apply available patches.

Details

CWE(s): CWE-288, NVD-CWE-Other
KEV Date Added: 14 January 2025

Affected Products

- fortinet / fortiproxy: 7.0.0 — 7.0.20 · 7.2.0 — 7.2.13
- fortinet / fortios: 7.0.0 — 7.0.17

References