CVE-2024-55591: Fortinet FortiGate Authentication Bypass Zero-Day
A critical authentication bypass vulnerability in Fortinet FortiOS and FortiProxy allows an unauthenticated remote attacker to gain super-admin privileges via crafted Node.js websocket module requests. CVSS 9.6. Exploited by threat actors since November 2024 before disclosure.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2024-55591 |
| CVSS Vector | AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| CWE | CWE-288: Authentication Bypass |
| Published | January 14, 2025 |
| Exploitation | Active — CISA KEV listed |
What Is CVE-2024-55591?
CVE-2024-55591 is an authentication bypass vulnerability in Fortinet's FortiOS operating system (which powers FortiGate firewalls) and FortiProxy web gateway. The vulnerability arises from improper authentication handling in the management interface's Node.js-based websocket module.
An unauthenticated attacker who can reach the FortiGate management interface can craft a specially formatted websocket request that bypasses authentication entirely, granting them super-administrator access. With super-admin access, attackers can modify firewall rules, create new admin accounts, extract VPN credentials, and pivot into protected network segments.
🚨 Zero-Day Exploitation Timeline
Arctic Wolf researchers identified exploitation campaigns beginning in November 2024 — approximately two months before Fortinet publicly disclosed the vulnerability. During this window, thousands of FortiGate devices were compromised. Post-exploitation activity included creation of local admin accounts with randomized names, modification of SSL VPN settings to enable unauthorized remote access, and exfiltration of firewall configurations.
Affected Products
| Product | Affected Versions | Fixed Version |
|---|---|---|
| FortiOS | 7.0.0 – 7.0.16 | 7.0.17+ |
| FortiOS | 7.2.0 – 7.2.10 | 7.2.11+ |
| FortiProxy | 7.0.0 – 7.0.19 | 7.0.20+ |
| FortiProxy | 7.2.0 – 7.2.12 | 7.2.13+ |
Technical Analysis
The FortiOS management interface exposes a web UI and API on port 443 (and sometimes 8443). The Node.js websocket module that handles certain real-time management functions contains an authentication check that can be bypassed by sending requests with a specific crafted header combination that the authentication middleware incorrectly interprets as already-validated.
# Proof-of-concept request structure (sanitized)
GET /api/v2/cmdb/system/admin HTTP/1.1
Host: fortigate.target.com
Upgrade: websocket
Connection: Upgrade
X-Forwarded-For: 127.0.0.1
[crafted auth bypass headers]
# Successful bypass returns full admin API access
HTTP/1.1 200 OK
{"results": [{"name":"admin","accprofile":"super_admin",...}]}
Observed Post-Exploitation Activity
Arctic Wolf and Fortinet's incident response teams documented consistent post-exploitation patterns:
- Creation of new local admin accounts (often 6-8 character random strings)
- Addition of attacker-controlled SSL VPN portals to the management interface
- Modification of VPN tunnel settings to allow split tunneling into corporate networks
- Export of firewall policy configurations to enumerate internal network topology
- Installation of persistent access via modified boot configuration
Detection
FortiGate Log Review
# Check for unexpected admin account creation get system admin | grep -A5 "edit " # Review recent login events for anomalies execute log filter category 1 execute log filter field action login execute log display # Check for unauthorized VPN portal additions show vpn ssl settings | grep -i "tunnel-mode\|host\|realm"
Indicators of Compromise
- Admin accounts with random-looking names (e.g.,
Gujd,Trca) - New VPN portals added to the SSL VPN configuration
- Unexpected firewall policy changes in logs
- WebSocket connections to
/api/v2/endpoints without prior authentication
Mitigation
- Patch immediately: Upgrade to FortiOS 7.0.17+, 7.2.11+, or FortiProxy 7.0.20+, 7.2.13+
- Disable HTTP/HTTPS management access: Use
config system interface / set allowaccess ping sshand removehttpsfrom internet-facing interfaces - Restrict management access by source IP: Use trusted host configuration to limit management to specific admin IPs
- Audit admin accounts: Remove any unexpected accounts and rotate all admin credentials
- Review VPN configuration: Verify no unauthorized portals or tunnels were added
- Enable logging to SIEM: Ensure all management events are forwarded to centralized logging
💡 Management Interface Exposure: Fortinet estimates that approximately 150,000 FortiGate devices have their management interface exposed to the internet. This configuration is explicitly not recommended by Fortinet. If you haven't yet restricted management access, do so immediately regardless of patch status.
KENSAI Detection Capability
- External exposure detection: KENSAI identifies internet-facing FortiGate management interfaces and flags CVE-2024-55591 vulnerable version ranges
- Safe authentication probe: Non-destructive test confirms authentication bypass without creating accounts or modifying configurations
- Asset inventory: Comprehensive mapping of all Fortinet devices in your attack surface
- Compromise indicators: Post-exploitation IOC detection via log analysis integration
- Remediation validation: Automated re-scan confirms patch application and management interface restriction
Is Your FortiGate Management Interface Exposed?
KENSAI instantly identifies internet-facing FortiGate and FortiProxy management interfaces vulnerable to CVE-2024-55591. No agents, no credentials required.
Scan Your Attack Surface →