CVE-2024-55591

CVE-2024-55591 is a critical-severity vulnerability in Fortinet Fortiproxy with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2025-01-14). The underlying weakness is classified as CWE-288.

Key facts

Description

An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS version 7.0.0 through 7.0.16 and FortiProxy version 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12 allows a remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module.

CVE-2024-55591: FortiOS/FortiProxy Authentication Bypass via Node.js WebSocket Module

AI-generated analysis based on the vulnerability data on this page.

Attribute Value
CVE ID CVE-2024-55591
CVSS v3 9.8 (Critical)
CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE CWE-288 (Authentication Bypass Using an Alternate Path or Channel)
EPSS 0.98259
KEV Listed (2025-01-14)
Exploited in EU Yes (since 2025-01-14)
Published 2025-01-14

Summary

FortiOS and FortiProxy contain an authentication bypass vulnerability in the Node.js WebSocket module that allows unauthenticated remote attackers to gain super-admin privileges.

Background

Fortinet's FortiOS is the operating system powering FortiGate next-generation firewalls, while FortiProxy is a secure web gateway product. Both products incorporate a Node.js-based WebSocket module for handling real-time communication. In January 2025, Fortinet disclosed a critical vulnerability where this module fails to properly enforce authentication, allowing attackers to bypass access controls entirely.

Root Cause

The vulnerability is classified as CWE-288: Authentication Bypass Using an Alternate Path or Channel. The root cause lies in the Node.js WebSocket module's authentication handling, which permits an alternate communication path that does not require valid credentials. This allows an attacker to reach privileged administrative functionality without presenting legitimate authentication tokens, effectively creating an unauthenticated backdoor to super-admin capabilities.

Impact

With a CVSS v3 score of 9.8 (Critical), this vulnerability has the highest possible impact across all three core security metrics:

  • Confidentiality: HIGH — Complete data disclosure is possible
  • Integrity: HIGH — Complete loss of integrity is possible
  • Availability: HIGH — Complete system downtime is possible

The attack vector is Network, requires Low complexity, No privileges, and No user interaction, making this trivially exploitable by any remote attacker.

Exploitation Walkthrough

Note: This section is provided for defensive awareness only. The following describes the attack pattern in generic terms to aid detection and mitigation; it does not contain actionable exploit code. Attempting to exploit systems without authorization is illegal and unethical.

The attack proceeds through the following conceptual stages:

  1. Reconnaissance — The attacker identifies an exposed FortiOS or FortiProxy administrative interface that includes the WebSocket endpoint.
  2. WebSocket Handshake — A crafted WebSocket connection request is sent to the Node.js module. Due to the authentication bypass, the handshake succeeds without presenting valid credentials.
  3. Privilege Escalation — Through the established WebSocket channel, the attacker interacts with administrative APIs that should require super-admin authentication, effectively operating with the highest level of privilege.
  4. Post-Exploitation — With super-admin access, the attacker may modify firewall policies, exfiltrate configurations, create persistent backdoor accounts, or pivot deeper into the network.

Affected and Patched Versions

Affected:

  • FortiOS version 7.0.0 through 7.0.16
  • FortiProxy version 7.0.0 through 7.0.19
  • FortiProxy version 7.2.0 through 7.2.12

Patched Versions: Not explicitly specified in the available NVD data. Administrators should consult the Fortinet PSIRT advisory (FG-IR-24-535) for the exact patched releases and apply the latest firmware updates immediately.

Remediation

  1. Upgrade immediately — Apply the latest FortiOS and FortiProxy patches as specified by Fortinet PSIRT. Given active exploitation, this should be treated as an emergency change.
  2. Restrict management access — Limit administrative interface exposure to trusted management networks only. Do not expose management interfaces to the public internet.
  3. WebSocket filtering — If the WebSocket module is not required, disable or restrict it through administrative configuration.
  4. Monitor for unauthorized access — Review authentication logs for anomalous successful logins or privileged operations from unexpected sources.
  5. Compensating controls — Deploy network segmentation to isolate Fortinet management interfaces behind jump servers or VPN concentrators.

Detection

  • Monitor WebSocket connection logs for unauthorized handshakes to administrative endpoints.
  • Alert on privileged configuration changes initiated from unusual source IPs or without corresponding MFA events.
  • Check for newly created admin accounts or modified firewall policies.
  • Hunt for outbound connections from FortiGate/FortiProxy management interfaces that may indicate post-exploitation data exfiltration.

Assessment

With an EPSS score of 0.98259, this vulnerability is being actively and widely exploited. Its presence on the CISA KEV catalog (added 2025-01-14) and confirmed EU exploited status (since 2025-01-14) further confirm in-the-wild abuse.

Key lessons:

  1. Authentication must be enforced at every entry point — Even auxiliary modules like WebSocket handlers require the same rigorous authentication as primary login flows.
  2. Emergency patching is justified by data — When EPSS exceeds 0.95 and KEV confirmation exists, the risk of waiting for a standard maintenance window far exceeds the risk of an emergency change.

References

Frequently asked questions

What is CVE-2024-55591?
An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS version 7.0.0 through 7.0.16 and FortiProxy version 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12 allows a remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module.
How severe is CVE-2024-55591?
CVE-2024-55591 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2024-55591 being actively exploited?
Yes. CVE-2024-55591 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2025-01-14, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2024-55591?
CVE-2024-55591 primarily affects Fortinet Fortiproxy. In total, 2 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2024-55591?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2024-55591 have an EU (EUVD) identifier?
Yes. CVE-2024-55591 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-52819. It is also flagged as exploited in the EUVD (since 2025-01-14).
When was CVE-2024-55591 published?
CVE-2024-55591 was published on 2025-01-14 and last updated on 2026-06-17.

References

Affected products (2)

More vulnerabilities in Fortinet Fortiproxy

All CVEs affecting Fortinet Fortiproxy →

Other CWE-288 vulnerabilities

Browse all CWE-288 vulnerabilities →