Critical CVE-2024-55591 January 2026 · 7 min read

CVE-2024-55591: Fortinet FortiGate Authentication Bypass Zero-Day

A critical authentication bypass vulnerability in Fortinet FortiOS and FortiProxy allows an unauthenticated remote attacker to gain super-admin privileges via crafted Node.js websocket module requests. CVSS 9.6. Exploited by threat actors since November 2024 before disclosure.


9.6
CRITICAL
AttributeValue
CVE IDCVE-2024-55591
CVSS VectorAV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CWECWE-288: Authentication Bypass
PublishedJanuary 14, 2025
ExploitationActive — CISA KEV listed

What Is CVE-2024-55591?

CVE-2024-55591 is an authentication bypass vulnerability in Fortinet's FortiOS operating system (which powers FortiGate firewalls) and FortiProxy web gateway. The vulnerability arises from improper authentication handling in the management interface's Node.js-based websocket module.

An unauthenticated attacker who can reach the FortiGate management interface can craft a specially formatted websocket request that bypasses authentication entirely, granting them super-administrator access. With super-admin access, attackers can modify firewall rules, create new admin accounts, extract VPN credentials, and pivot into protected network segments.

🚨 Zero-Day Exploitation Timeline

Arctic Wolf researchers identified exploitation campaigns beginning in November 2024 — approximately two months before Fortinet publicly disclosed the vulnerability. During this window, thousands of FortiGate devices were compromised. Post-exploitation activity included creation of local admin accounts with randomized names, modification of SSL VPN settings to enable unauthorized remote access, and exfiltration of firewall configurations.

Affected Products

ProductAffected VersionsFixed Version
FortiOS7.0.0 – 7.0.167.0.17+
FortiOS7.2.0 – 7.2.107.2.11+
FortiProxy7.0.0 – 7.0.197.0.20+
FortiProxy7.2.0 – 7.2.127.2.13+

Technical Analysis

The FortiOS management interface exposes a web UI and API on port 443 (and sometimes 8443). The Node.js websocket module that handles certain real-time management functions contains an authentication check that can be bypassed by sending requests with a specific crafted header combination that the authentication middleware incorrectly interprets as already-validated.

# Proof-of-concept request structure (sanitized)
GET /api/v2/cmdb/system/admin HTTP/1.1
Host: fortigate.target.com
Upgrade: websocket
Connection: Upgrade
X-Forwarded-For: 127.0.0.1
[crafted auth bypass headers]

# Successful bypass returns full admin API access
HTTP/1.1 200 OK
{"results": [{"name":"admin","accprofile":"super_admin",...}]}

Observed Post-Exploitation Activity

Arctic Wolf and Fortinet's incident response teams documented consistent post-exploitation patterns:

Detection

FortiGate Log Review

# Check for unexpected admin account creation
get system admin | grep -A5 "edit "

# Review recent login events for anomalies
execute log filter category 1
execute log filter field action login
execute log display

# Check for unauthorized VPN portal additions
show vpn ssl settings | grep -i "tunnel-mode\|host\|realm"

Indicators of Compromise

Mitigation

  1. Patch immediately: Upgrade to FortiOS 7.0.17+, 7.2.11+, or FortiProxy 7.0.20+, 7.2.13+
  2. Disable HTTP/HTTPS management access: Use config system interface / set allowaccess ping ssh and remove https from internet-facing interfaces
  3. Restrict management access by source IP: Use trusted host configuration to limit management to specific admin IPs
  4. Audit admin accounts: Remove any unexpected accounts and rotate all admin credentials
  5. Review VPN configuration: Verify no unauthorized portals or tunnels were added
  6. Enable logging to SIEM: Ensure all management events are forwarded to centralized logging

💡 Management Interface Exposure: Fortinet estimates that approximately 150,000 FortiGate devices have their management interface exposed to the internet. This configuration is explicitly not recommended by Fortinet. If you haven't yet restricted management access, do so immediately regardless of patch status.

KENSAI Detection Capability

Is Your FortiGate Management Interface Exposed?

KENSAI instantly identifies internet-facing FortiGate and FortiProxy management interfaces vulnerable to CVE-2024-55591. No agents, no credentials required.

Scan Your Attack Surface →

Related Articles

Valse VS Code-waarschuwingen misbruiken GitHub, Nederlandse Politie gehackt via EU-Parlement vereenvoudigt AI-wet, stopt CSAM-scanning, NIS2-kloven, DORA-bankre Exploração massiva do Next.js React2Shell compromete 766 hosts, Drift Protocol p