CVE-2024-55591: Fortinet Authentication Bypass Zero-Day Vulnerability Exploited in the Wild
Fortinet patched a zero day authentication bypass vulnerability in FortiOS and FortiProxy that has been actively exploited in the wild as a zero-day since November 2024.
Background
On January 14, Fortinet released a security advisory (FG-IR-24-535) addressing a critical severity vulnerability impacting FortiOS and FortiProxy.
| CVE | Description | CVSSv3 |
|---|---|---|
| CVE-2024-55591 | FortiOS and FortiProxy Authentication Bypass Vulnerability | 9.6 |
Analysis
CVE-2024-55591 is an authentication bypass vulnerability in FortiOS and FortiProxy. An unauthenticated, remote attacker could exploit this vulnerability by sending a specially crafted request to a Node.js websocket module. Successful exploitation may grant an attacker super-admin privileges on a vulnerable device. According to the Fortinet advisory, this vulnerability has been exploited in the wild.
Zero Day Campaign May Have Been Active Since November
Researchers at Arctic Wolf published a blog post on January 10 detailing a campaign first observed in mid-November 2024 of suspicious activity related to the exploitation of a zero-day vulnerability, which is presumed to be CVE-2024-55591. Arctic Wolf Labs details four distinct phases of the campaign that were observed against Fortinet FortiGate firewall devices; scanning, reconnaissance, SSL VPN configuration and lateral movement. For more information on the observations of this campaign, we recommend reviewing its blog post.
At the time this blog was published, the Fortinet advisory did not credit Arctic Wolf with the discovery of CVE-2024-55591. However, the indicators of compromise (IoCs) listed in the Fortinet advisory overlap with the report from Arctic Wolf.
Historical exploitation of Fortinet FortiOS and FortiProxy
Fortinet FortiOS and FortiProxy have been targeted by threat actors previously, including targeting by advanced persistent threat (APT) actors. We’ve written about several noteworthy Fortinet flaws since 2019, including flaws impacting SSL VPNs from Fortinet and other vendors:
Proof of concept
At the time this blog post was published, there were no public proof-of-concept exploits for CVE-2024-55591.
Solution
Fortinet published its security advisory (FG-IR-24-535) on January 14 to address this vulnerability. The advisory also contains IoCs and workaround steps that can be utilized if immediate patching is not feasible. Fortinet has released the following patches for FortiOS and FortiProxy.
| Affected Product | Affected Version | Fixed Version |
|---|---|---|
| FortiOS 7.0 | 7.0.0 through 7.0.16 | Upgrade to 7.0.17 or above |
| FortiProxy 7.0 | 7.0.0 through 7.0.19 | Upgrade to 7.0.20 or above |
| FortiProxy 7.2 | 7.2.0 through 7.2.12 | Upgrade to 7.2.13 or above |
Fortinet also released several additional security advisories on January 14 for vulnerabilities affecting FortiOS and FortiProxy:
| Affected Product(s) | Vulnerability Description | Security Advisory | CVSSv3/Severity |
|---|---|---|---|
| FortiOS, FortiProxy, FortiMail, FortiSwitch, FortiVoiceEnterprise, FortiNDR, FortiWLC, FortiADC, FortiAuthenticator, FortiRecorder, FortiDDoS-F, FortiDDoS, FortiSOAR and FortiTester | An externally controlled reference to a resource may allow an unauthenticated attacker to poison web caches between an affected device and an attacker using crafted HTTP requests | FG-IR-23-494 | 4.1 / Medium |
| FortiAnalyzer, FortiAnalyzer Cloud, FortiAuthenticator, FortiManager, FortiManager Cloud, FortiOS, FortiProxy, FortiSASE | An unauthenticated attacker with access to the Security Fabric protocol may be able to brute force an affected product to bypass authentication. | FG-IR-24-221 | 8.0 / High |
| FortiOS | An authenticated, remote attacker may be able to prevent access to the GUI using specially crafted requests and causing a denial of service (DoS) condition. | FG-IR-24-250 | 4.8 / Medium |
| FortiOS | An authenticated attacker may be able to cause a DoS condition due to a NULL pointer dereference vulnerability in the SSLVPN web portal. | FG-IR-23-473 | 6.2 / Medium |
| FortiManager, FortiOS, FortiProxy, FortiRecorder, FortiSASE, FortiVoice and FortiWeb | A path traversal vulnerability may be exploited by a remote attacker with access to the security fabric interface, allowing the attacker to access and modify arbitrary files. | FG-IR-24-259 | 7.1 / High |
| FortiOS | An unauthenticated attacker may be able to exploit an out-of-bounds write vulnerability to cause a DoS condition. | FG-IR-24-373 | 3.5 / Low |
| FortiOS | An unauthenticated attacker may be able to exploit an out-of-bounds read vulnerability to cause a DoS condition. | FG-IR-24-266 | 7.5 / High |
| FortiOS | An authenticated attacker with low privileges may be able to cause a DoS condition due to two NULL pointer dereference vulnerabilities. | FG-IR-23-293 | 6.4 / Medium |
| FortiOS | An unauthenticated attacker may be able to exploit a resource allocation vulnerability to cause a DoS condition using multiple large file uploads. | FG-IR-24-219 | 7.1 / High |
| FortiOS | An authenticated attacker may be able to exploit an integer overflow vulnerability to cause a DoS condition. | FG-IR-24-267 | 3.2 / Low |
| FortiOS | An authenticated attacker may be able to exploit an improper access control vulnerability. | FG-IR-23-407 | 4.7 / Medium |
| FortiOS, FortiProxy and FortiSASE | An unauthenticated attacker may be able to exploit a http response splitting vulnerability in FortiOS, FortiProxy and FortiSASE | FG-IR-24-282 | 6.4 / Medium |
| FortiOS | An unauthenticated attacker may be able to exploit a man-in-the-middle vulnerability to intercept sensitive information. | FG-IR-24-326 | 3.5 / Low |
Identifying affected systems
A list of Tenable plugins for this vulnerability can be found on the individual CVE page for CVE-2024-55591 as they’re released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.
Additionally, customers can utilize Tenable Attack Surface Management to identify public facing Fortinet assets:
Get more information
- Fortinet FG-IR-24-535 Security Advisory
- Arctic Wolf Blog - Console Chaos: A Campaign Targeting Publicly Exposed Management Interfaces on Fortinet FortiGate Firewalls
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
Scott Caveza
Scott joined Tenable in 2012 as a Research Engineer on the Nessus Plugins team. Over the years, he has written hundreds of plugins for Nessus, and reviewed code for even more from his time being a team lead and manager of the Plugins team. Previously leading the Security Response team and the Zero Day Research team, Scott is currently a member of the Security Response team, helping the research organization respond to the latest threats. He has over a decade of experience in the industry with previous work in the Security Operations Center (SOC) for a major domain registrar and web hosting provider. Scott is a current CISSP and actively maintains his GIAC GWAPT Web Application Penetration Tester certification.
Interests outside of work: Scott enjoys spending time with his family, camping, fishing and being outdoors. He also enjoys finding ways to break web applications and home renovation projects.
Related articles
Microsoft’s January 2025 Patch Tuesday Addresses 157 CVEs (CVE-2025-21333, CVE-2025-21334, CVE-2025-21335)
Microsoft addresses 157 CVEs in the first Patch Tuesday release of 2025 and the largest Patch Tuesday update ever with three CVEs exploited in the wild, and five CVEs publicly disclosed prior to patches being made available....
CVE-2025-0282: Ivanti Connect Secure Zero-Day Vulnerability Exploited In The Wild
Ivanti disclosed two vulnerabilities in its Connect Secure, Policy Secure and Neurons for ZTA gateway devices, including one flaw that was exploited in the wild as a zero-day....
Choosing the Right CNAPP: Six Considerations for Mid-Sized Enterprises
Mid-sized enterprises increasingly find themselves in need of a CNAPP, as their cloud adoption matures. But how should they go about selecting the right one? What questions should they ask and what criteria should they use? Here we unpack six key considerations that’ll help them evaluate their optio...
- Exposure Management
- Vulnerability Management
- Exposure Management