
CVE-2024-55591

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Ransomware-linked

Published: 14 January 2025
Modified: 24 October 2025
KEV Added: 14 January 2025
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9412 (99.9th percentile)
Risk Priority: 96 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-55591 is a critical-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in Fortinet FortiProxy. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); the CVE ranks in the top 0.1% of CVEs by exploit likelihood (EPSS); and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-5 (Security Alerts, Advisories, and Directives).

Deeper analysis

CVE-2024-55591 is an authentication bypass vulnerability (CWE-288) that affects FortiOS versions 7.0.0 through 7.0.16 and FortiProxy versions 7.0.0 through 7.0.19 as well as 7.2.0 through 7.2.12. The flaw resides in the Node.js websocket module and permits remote attackers to circumvent normal authentication controls through specially crafted requests.

A remote attacker with no prior credentials or user interaction can send crafted websocket requests to obtain super-admin privileges on the affected device, resulting in full control over the system with impacts to confidentiality, integrity, and availability.

Fortinet has published advisory FG-IR-24-535 detailing the issue, and CISA has added the CVE to its Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild.

The EPSS score has reached a peak of 0.9420 with a current value of 0.9412, indicating sustained high exploitation interest following disclosure.


Vulnerability details

An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS version 7.0.0 through 7.0.16 and FortiProxy version 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12 allows a remote attacker to gain super-admin privileges via crafted requests to the Node.js websocket module.


Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Authentication bypass in public-facing FortiOS/FortiProxy management interface (websocket) directly enables remote exploitation for initial access and admin privileges.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-24472 (same product: Fortinet FortiOS; both on KEV)
CVE-2024-26009 (same product: Fortinet FortiOS)
CVE-2026-24858 (same product: Fortinet FortiOS; both on KEV)
CVE-2025-59718 (same product: Fortinet FortiOS; both on KEV)
CVE-2024-26006 (same product: Fortinet FortiOS)
CVE-2024-35279 (same product: Fortinet FortiOS)
CVE-2025-53847 (same product: Fortinet FortiOS)
CVE-2024-45324 (same product: Fortinet FortiOS)
CVE-2026-22153 (same product: Fortinet FortiOS)
CVE-2025-25249 (same product: Fortinet FortiOS)

Affected Assets

fortinet / fortiproxy: 7.0.0 to 7.0.20, 7.2.0 to 7.2.13
fortinet / fortios: 7.0.0 to 7.0.17

Mitigating Controls (NIST 800-53 r5, AI)

Prevent: SI-2 requires timely identification, reporting, and patching of software flaws such as CVE-2024-55591, directly preventing exploitation of the authentication bypass in the Node.js websocket module.

Prevent: SI-5 mandates monitoring of and response to security alerts, advisories, and directives, such as the CISA KEV catalog and Fortinet advisory FG-IR-24-535, enabling proactive patching of this vulnerability.

Detect: RA-5 vulnerability scanning detects the presence of CVE-2024-55591 on affected FortiOS and FortiProxy versions, supporting remediation before a remote attacker can gain super-admin privileges.
