CVE-2024-55591 An Authentication Bypass Using an Alternate Path or Channel vulnerability affecting FortiOS and FortiProxy may allow a remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module.
CVE-2024-55591 is a critical authentication bypass vulnerability (CVSS 9.8) in Fortinet's FortiOS and FortiProxy, allowing attackers to remotely gain super-admin privileges via crafted requests to the Node.js WebSocket module. Actively exploited since November 2024, over 48,000 devices remain unpatched as of January 2025. This blog details exploitation tactics, detection methods, and mitigation steps.
In January 2025, Fortinet disclosed a critical authentication bypass vulnerability, CVE-2024-55591, affecting its flagship products FortiOS (used in FortiGate firewalls) and FortiProxy (a web security gateway). With a CVSS score of 9.8 (CRITICAL), this flaw allows attackers to remotely gain super-admin privileges without authentication, posing a severe risk to organizations globally. This blog breaks down the technical details, exploitation mechanisms, and mitigation strategies, while suggesting visuals to enhance reader understanding.
CVE-2024-55591 is an authentication bypass flaw in the Node.js WebSocket module of FortiOS and FortiProxy. Attackers exploit it by sending crafted requests to exposed administrative interfaces, bypassing authentication checks and gaining unrestricted access to device configurations.
By understanding the nature of these vulnerabilities and proactively addressing them, organizations can enhance their security posture and protect their systems from potential malicious attacks. This blog article aims to provide valuable insights into these vulnerabilities, enabling organizations to take the necessary steps to safeguard their infrastructure.
The vulnerability has been categorized as critical, with CVSS score 9.8 indicating their potential impact on affected systems.
The following versions are affected:
Fortinet has reported active exploitation of this vulnerability in the wild. Third parties have publicly disclosed proof of concept (POC) of the vulnerability, potentially increasing the risk of exploitation on vulnerable servers.
The vulnerability arises from an authentication bypass using an alternate path or channel (CWE-288) in the Node.js WebSocket module of FortiOS and FortiProxy. By sending specially crafted requests, attackers can bypass authentication mechanisms and obtain super-admin privileges, allowing them to execute commands, create administrative accounts, modify firewall policies, and establish SSL VPN tunnels to infiltrate internal networks.The vulnerability resides in the Node.js WebSocket module of FortiOS and FortiProxy. Attackers exploit weak validation of HTTP headers and session tokens to bypass authentication:
On the LetsDefend platform, you can practice by analyzing the latest zero-days in a realistic SOC environment. You can investigate and learn how attackers exploit vulnerabilities to gain unauthorized access and execute malicious code.
To protect against CVE-2024-55591, organizations should take the following steps:
Advanced Detection
CVE-2024-55591 poses a severe risk to organizations using unpatched FortiOS and FortiProxy devices. With attackers actively exploiting this flaw to establish persistence and exfiltrate data, immediate patching is critical. Organizations should:
By adopting these measures, businesses can mitigate the threat and safeguard their networks from future attacks.
Public shared IOCs can be found on Fortinet advisory FG-IR-24-535
Organizations should monitor their systems for any signs of these IoCs and take appropriate action if detected.References
.png)
.png)
