CVE-2024-55591: Authentication bypass in Node.js websocket module
First published: Tue Jan 14 2025(Updated: )
An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS and FortiProxy may allow a remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module. Please note that reports show this is being exploited in the wild.
Credit: psirt@fortinet.com psirt@fortinet.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Fortinet FortiOS | >=7.0.0<=7.0.16 | |
| Fortinet FortiProxy | >=7.2.0<=7.2.12 | |
| Fortinet FortiProxy | >=7.0.0<=7.0.19 | |
| Fortinet FortiProxy | >=7.0.0<7.0.20 | |
| Fortinet FortiProxy | >=7.2.0<7.2.13 | |
| Fortinet FortiOS | >=7.0.0<7.0.17 | |
| Fortinet FortiOS and FortiProxy |
Remedy
Please upgrade to FortiOS version 7.0.17 or above Please upgrade to FortiProxy version 7.2.13 or above Please upgrade to FortiProxy version 7.0.20 or above
Remedy
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.fortiguard.com/psirt/cvrf/FG-IR-24-535
- https://www.fortiguard.com/psirt/FG-IR-24-535
- https://fortiguard.fortinet.com/psirt/FG-IR-24-535
- https://nvd.nist.gov/vuln/detail/CVE-2024-55591
- https://www.darkreading.com/endpoint-security/15k-fortinet-device-configs-leaked-dark-web
- https://www.theregister.com/2025/01/14/miscreants_mass_exploited_fortinet_firewalls/
- https://www.bleepingcomputer.com/news/security/fortinet-warns-of-auth-bypass-zero-day-exploited-to-hijack-firewalls/
- https://www.theregister.com/2025/01/21/fortinet_firewalls_still_vulnerable/
- agent/weakness
- agent/type
- agent/first-publish-date
- collector/fortiguard-psirt
- source/FortiGuard
- alias/CVE-2024-55591
- agent/software-canonical-lookup
- agent/title
- agent/remedy
- agent/description
- agent/author
- collector/fortiguard-psirt-latest
- collector/nvd-api
- source/NVD
- agent/softwarecombine
- collector/darkreading
- source/Dark Reading
- alias/CVE-2022-40684
- alias/CVE-2018-13379
- collector/the-register
- source/The Register
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/bleeping-computer
- source/BleepingComputer
- alias/CVE-2023-37936
- alias/CVE-2024-47575
- collector/nvd-cve
- agent/severity
- agent/source
- agent/references
- agent/event
- agent/trending
- agent/news-ai
- zeroday/true
- exploited/true
- agent/tags
- collector/cisa-known-exploited
- source/CISA
- vendor/fortinet
- canonical/fortinet fortios
- version/fortinet fortios/7.0.0
- version/fortinet fortios/7.0.16
- canonical/fortinet fortiproxy
- version/fortinet fortiproxy/7.2.0
- version/fortinet fortiproxy/7.2.12
- version/fortinet fortiproxy/7.0.0
- version/fortinet fortiproxy/7.0.19
- canonical/fortinet fortios and fortiproxy