Actively exploited in the wild
Fortinet FortiOS and FortiProxy Authentication Bypass Vulnerability
Fortinet - FortiOS and FortiProxy · Listed in the CISA KEV since 2025-01-14. This indicates confirmed attacks in production environments.
Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
CVE-2024-55591
CriticalCVSS 9.8KEVExploitation Probability (EPSS)
Very high risk100th percentile - higher than 100% of all known CVEs
Summary
An authentication bypass vulnerability in FortiOS and FortiProxy using an alternate path or channel. A remote attacker can gain super-admin privileges by sending crafted requests to the Node.js websocket module.
Risk Assessment
Risk of full device compromise by an unauthenticated remote attacker, potentially leading to breach of confidentiality, integrity, and availability of the entire network.
Recommendation
Immediately upgrade FortiOS to version 7.0.17 or later and FortiProxy to version 7.0.20 or 7.2.13. If patching is not possible, restrict management interface access to trusted IP addresses only.
Original NVD description (English source)
An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS version 7.0.0 through 7.0.16 and FortiProxy version 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12 allows a remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module.

