CVE-2024-55591
CVE-2024-55591 is a critical-severity vulnerability in Fortinet Fortiproxy with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2025-01-14). The underlying weakness is classified as CWE-288.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- EPSS exploit prediction: 98% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2025-01-14)
- EU (EUVD) id: EUVD-2024-52819
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2025-01-14)
- Weakness: CWE-288
- Affected product: Fortinet Fortiproxy
- Published:
- Last modified:
Description
An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS version 7.0.0 through 7.0.16 and FortiProxy version 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12 allows a remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module.
CVE-2024-55591: FortiOS/FortiProxy Authentication Bypass via Node.js WebSocket Module
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2024-55591 |
| CVSS v3 | 9.8 (Critical) |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CWE | CWE-288 (Authentication Bypass Using an Alternate Path or Channel) |
| EPSS | 0.98259 |
| KEV | Listed (2025-01-14) |
| Exploited in EU | Yes (since 2025-01-14) |
| Published | 2025-01-14 |
Summary
FortiOS and FortiProxy contain an authentication bypass vulnerability in the Node.js WebSocket module that allows unauthenticated remote attackers to gain super-admin privileges.
Background
Fortinet's FortiOS is the operating system powering FortiGate next-generation firewalls, while FortiProxy is a secure web gateway product. Both products incorporate a Node.js-based WebSocket module for handling real-time communication. In January 2025, Fortinet disclosed a critical vulnerability where this module fails to properly enforce authentication, allowing attackers to bypass access controls entirely.
Root Cause
The vulnerability is classified as CWE-288: Authentication Bypass Using an Alternate Path or Channel. The root cause lies in the Node.js WebSocket module's authentication handling, which permits an alternate communication path that does not require valid credentials. This allows an attacker to reach privileged administrative functionality without presenting legitimate authentication tokens, effectively creating an unauthenticated backdoor to super-admin capabilities.
Impact
With a CVSS v3 score of 9.8 (Critical), this vulnerability has the highest possible impact across all three core security metrics:
- Confidentiality: HIGH — Complete data disclosure is possible
- Integrity: HIGH — Complete loss of integrity is possible
- Availability: HIGH — Complete system downtime is possible
The attack vector is Network, requires Low complexity, No privileges, and No user interaction, making this trivially exploitable by any remote attacker.
Exploitation Walkthrough
Note: This section is provided for defensive awareness only. The following describes the attack pattern in generic terms to aid detection and mitigation; it does not contain actionable exploit code. Attempting to exploit systems without authorization is illegal and unethical.
The attack proceeds through the following conceptual stages:
- Reconnaissance — The attacker identifies an exposed FortiOS or FortiProxy administrative interface that includes the WebSocket endpoint.
- WebSocket Handshake — A crafted WebSocket connection request is sent to the Node.js module. Due to the authentication bypass, the handshake succeeds without presenting valid credentials.
- Privilege Escalation — Through the established WebSocket channel, the attacker interacts with administrative APIs that should require super-admin authentication, effectively operating with the highest level of privilege.
- Post-Exploitation — With super-admin access, the attacker may modify firewall policies, exfiltrate configurations, create persistent backdoor accounts, or pivot deeper into the network.
Affected and Patched Versions
Affected:
- FortiOS version 7.0.0 through 7.0.16
- FortiProxy version 7.0.0 through 7.0.19
- FortiProxy version 7.2.0 through 7.2.12
Patched Versions: Not explicitly specified in the available NVD data. Administrators should consult the Fortinet PSIRT advisory (FG-IR-24-535) for the exact patched releases and apply the latest firmware updates immediately.
Remediation
- Upgrade immediately — Apply the latest FortiOS and FortiProxy patches as specified by Fortinet PSIRT. Given active exploitation, this should be treated as an emergency change.
- Restrict management access — Limit administrative interface exposure to trusted management networks only. Do not expose management interfaces to the public internet.
- WebSocket filtering — If the WebSocket module is not required, disable or restrict it through administrative configuration.
- Monitor for unauthorized access — Review authentication logs for anomalous successful logins or privileged operations from unexpected sources.
- Compensating controls — Deploy network segmentation to isolate Fortinet management interfaces behind jump servers or VPN concentrators.
Detection
- Monitor WebSocket connection logs for unauthorized handshakes to administrative endpoints.
- Alert on privileged configuration changes initiated from unusual source IPs or without corresponding MFA events.
- Check for newly created admin accounts or modified firewall policies.
- Hunt for outbound connections from FortiGate/FortiProxy management interfaces that may indicate post-exploitation data exfiltration.
Assessment
With an EPSS score of 0.98259, this vulnerability is being actively and widely exploited. Its presence on the CISA KEV catalog (added 2025-01-14) and confirmed EU exploited status (since 2025-01-14) further confirm in-the-wild abuse.
Key lessons:
- Authentication must be enforced at every entry point — Even auxiliary modules like WebSocket handlers require the same rigorous authentication as primary login flows.
- Emergency patching is justified by data — When EPSS exceeds 0.95 and KEV confirmation exists, the risk of waiting for a standard maintenance window far exceeds the risk of an emergency change.
References
Frequently asked questions
- What is CVE-2024-55591?
- An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS version 7.0.0 through 7.0.16 and FortiProxy version 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12 allows a remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module.
- How severe is CVE-2024-55591?
- CVE-2024-55591 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2024-55591 being actively exploited?
- Yes. CVE-2024-55591 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2025-01-14, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2024-55591?
- CVE-2024-55591 primarily affects Fortinet Fortiproxy. In total, 2 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2024-55591?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2024-55591 have an EU (EUVD) identifier?
- Yes. CVE-2024-55591 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-52819. It is also flagged as exploited in the EUVD (since 2025-01-14).
- When was CVE-2024-55591 published?
- CVE-2024-55591 was published on 2025-01-14 and last updated on 2026-06-17.
References
- https://fortiguard.fortinet.com/psirt/FG-IR-24-535
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-55591
Affected products (2)
- cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:*
- cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*
More vulnerabilities in Fortinet Fortiproxy
- CVE-2026-24858 — Critical (CVSS 9.8): An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] vulnerability in Fortinet…
- CVE-2025-59718 — Critical (CVSS 9.8): A improper verification of cryptographic signature vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0…
- CVE-2025-22252 — Critical (CVSS 9.8): A missing authentication for critical function in Fortinet FortiProxy versions 7.6.0 through 7.6.1, FortiSwitchManager…
- CVE-2023-25610 — Critical (CVSS 9.8): A buffer underwrite ('buffer underflow') vulnerability in the administrative interface of Fortinet FortiOS version…
- CVE-2023-42789 — Critical (CVSS 9.8): A out-of-bounds write in Fortinet FortiOS 7.4.0 through 7.4.1, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, 6.4.0 through…
- CVE-2024-23113 — Critical (CVSS 9.8): A use of externally-controlled format string in Fortinet FortiOS versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.6,…
All CVEs affecting Fortinet Fortiproxy →
Other CWE-288 vulnerabilities
- CVE-2026-53622 — Critical (CVSS 10.0): Traefik is an HTTP reverse proxy and load balancer. Prior to 3.7.3, there is a critical vulnerability in Traefik's…
- CVE-2026-48491 — Critical (CVSS 10.0): Traefik is an HTTP reverse proxy and load balancer. From 3.7.0 until 3.7.3, there is a high severity vulnerability in…
- CVE-2026-48020 — Critical (CVSS 10.0): Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.48, 3.6.19, and 3.7.3, there is a high severity…
- CVE-2026-20079 — Critical (CVSS 10.0): A vulnerability in the web interface of Cisco Secure Firewall Management Center (FMC) Software could allow an…
- CVE-2024-10081 — Critical (CVSS 10.0): CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy.…
- CVE-2024-2973 — Critical (CVSS 10.0): An Authentication Bypass Using an Alternate Path or Channel vulnerability in Juniper Networks Session Smart Router or…