CVE Catalog

Actively exploited in the wild

Fortinet FortiOS and FortiProxy Authentication Bypass Vulnerability

Fortinet - FortiOS and FortiProxy · Listed in the CISA KEV since 2025-01-14. This indicates confirmed attacks in production environments.

Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CVE-2024-55591

CriticalCVSS 9.8KEV
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Very high risk
98.26%

100th percentile - higher than 100% of all known CVEs

Summary

An authentication bypass vulnerability in FortiOS and FortiProxy using an alternate path or channel. A remote attacker can gain super-admin privileges by sending crafted requests to the Node.js websocket module.

Risk Assessment

Risk of full device compromise by an unauthenticated remote attacker, potentially leading to breach of confidentiality, integrity, and availability of the entire network.

Recommendation

Immediately upgrade FortiOS to version 7.0.17 or later and FortiProxy to version 7.0.20 or 7.2.13. If patching is not possible, restrict management interface access to trusted IP addresses only.

Original NVD description (English source)

An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS version 7.0.0 through 7.0.16 and FortiProxy version 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12 allows a remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS