CVE-2024-55591: Fortinet Authentication Bypass Zero-Day Vulnerability Exploited in the Wild
Fortinet patched a zero day authentication bypass vulnerability in FortiOS and FortiProxy that has been actively exploited in the wild as a zero-day since November 2024.
Update February 11: The blog has been updated to include a new CVE issued by Fortinet, CVE-2025-24472
Background
On January 14, Fortinet released a security advisory (FG-IR-24-535) addressing a critical severity vulnerability impacting FortiOS and FortiProxy.
| CVE | Description | CVSSv3 |
|---|---|---|
| CVE-2024-55591 | FortiOS and FortiProxy Authentication Bypass Vulnerability | 9.6 |
On February 11, Fortinet updated their advisory to include an additional CVE, CVE-2025-24472. The description of the vulnerability itself was updated to include a new attack vector and the additional CVE was assigned a lower CVSSv3 score of 8.1.
Analysis
CVE-2024-55591 and CVE-2025-24472 are authentication bypass vulnerabilities in FortiOS and FortiProxy. An unauthenticated, remote attacker could exploit these vulnerabilities by sending a specially crafted request to a Node.js websocket module or by sending specially crafted CSF proxy requests. Successful exploitation may grant an attacker super-admin privileges on a vulnerable device. According the Fortinet, CVE-2024-55591 has been exploited in the wild.
In the update to their advisory on February 11, Fortinet credited Sonny of watchTowr for reporting CVE-2025-24472, the newly added CVE to their February 11 update.
Zero Day Campaign May Have Been Active Since November
Researchers at Arctic Wolf published a blog post on January 10 detailing a campaign first observed in mid-November 2024 of suspicious activity related to the exploitation of a zero-day vulnerability, which is presumed to be CVE-2024-55591. Arctic Wolf Labs details four distinct phases of the campaign that were observed against Fortinet FortiGate firewall devices; scanning, reconnaissance, SSL VPN configuration and lateral movement. For more information on the observations of this campaign, we recommend reviewing its blog post.
At the time this blog was published, the Fortinet advisory did not credit Arctic Wolf with the discovery of CVE-2024-55591. However, the indicators of compromise (IoCs) listed in the Fortinet advisory overlap with the report from Arctic Wolf.
Historical exploitation of Fortinet FortiOS and FortiProxy
Fortinet FortiOS and FortiProxy have been targeted by threat actors previously, including targeting by advanced persistent threat (APT) actors. We’ve written about several noteworthy Fortinet flaws since 2019, including flaws impacting SSL VPNs from Fortinet and other vendors:
Proof of concept
At the time this blog post was published, there were no public proof-of-concept exploits for CVE-2024-55591.
Solution
Fortinet published its security advisory (FG-IR-24-535) on January 14 to address this vulnerability. The advisory also contains IoCs and workaround steps that can be utilized if immediate patching is not feasible. Fortinet has released the following patches for FortiOS and FortiProxy.
| Affected Product | Affected Version | Fixed Version |
|---|---|---|
| FortiOS 7.0 | 7.0.0 through 7.0.16 | Upgrade to 7.0.17 or above |
| FortiProxy 7.0 | 7.0.0 through 7.0.19 | Upgrade to 7.0.20 or above |
| FortiProxy 7.2 | 7.2.0 through 7.2.12 | Upgrade to 7.2.13 or above |
Fortinet also released several additional security advisories on January 14 for vulnerabilities affecting FortiOS and FortiProxy:
| Affected Product(s) | Vulnerability Description | Security Advisory | CVSSv3/Severity |
|---|---|---|---|
| FortiOS, FortiProxy, FortiMail, FortiSwitch, FortiVoiceEnterprise, FortiNDR, FortiWLC, FortiADC, FortiAuthenticator, FortiRecorder, FortiDDoS-F, FortiDDoS, FortiSOAR and FortiTester | An externally controlled reference to a resource may allow an unauthenticated attacker to poison web caches between an affected device and an attacker using crafted HTTP requests | FG-IR-23-494 | 4.1 / Medium |
| FortiAnalyzer, FortiAnalyzer Cloud, FortiAuthenticator, FortiManager, FortiManager Cloud, FortiOS, FortiProxy, FortiSASE | An unauthenticated attacker with access to the Security Fabric protocol may be able to brute force an affected product to bypass authentication. | FG-IR-24-221 | 8.0 / High |
| FortiOS | An authenticated, remote attacker may be able to prevent access to the GUI using specially crafted requests and causing a denial of service (DoS) condition. | FG-IR-24-250 | 4.8 / Medium |
| FortiOS | An authenticated attacker may be able to cause a DoS condition due to a NULL pointer dereference vulnerability in the SSLVPN web portal. | FG-IR-23-473 | 6.2 / Medium |
| FortiManager, FortiOS, FortiProxy, FortiRecorder, FortiSASE, FortiVoice and FortiWeb | A path traversal vulnerability may be exploited by a remote attacker with access to the security fabric interface, allowing the attacker to access and modify arbitrary files. | FG-IR-24-259 | 7.1 / High |
| FortiOS | An unauthenticated attacker may be able to exploit an out-of-bounds write vulnerability to cause a DoS condition. | FG-IR-24-373 | 3.5 / Low |
| FortiOS | An unauthenticated attacker may be able to exploit an out-of-bounds read vulnerability to cause a DoS condition. | FG-IR-24-266 | 7.5 / High |
| FortiOS | An authenticated attacker with low privileges may be able to cause a DoS condition due to two NULL pointer dereference vulnerabilities. | FG-IR-23-293 | 6.4 / Medium |
| FortiOS | An unauthenticated attacker may be able to exploit a resource allocation vulnerability to cause a DoS condition using multiple large file uploads. | FG-IR-24-219 | 7.1 / High |
| FortiOS | An authenticated attacker may be able to exploit an integer overflow vulnerability to cause a DoS condition. | FG-IR-24-267 | 3.2 / Low |
| FortiOS | An authenticated attacker may be able to exploit an improper access control vulnerability. | FG-IR-23-407 | 4.7 / Medium |
| FortiOS, FortiProxy and FortiSASE | An unauthenticated attacker may be able to exploit a http response splitting vulnerability in FortiOS, FortiProxy and FortiSASE | FG-IR-24-282 | 6.4 / Medium |
| FortiOS | An unauthenticated attacker may be able to exploit a man-in-the-middle vulnerability to intercept sensitive information. | FG-IR-24-326 | 3.5 / Low |
Identifying affected systems
A list of Tenable plugins for this vulnerability can be found on the individual CVE pages for CVE-2024-55591 and CVE-2025-24472 as they’re released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.
Additionally, customers can utilize Tenable Attack Surface Management to identify public facing Fortinet assets:
Change Log
Update February 11: The blog has been updated to include a new CVE issued by Fortinet, CVE-2025-24472
Get more information
- Fortinet FG-IR-24-535 Security Advisory
- Arctic Wolf Blog - Console Chaos: A Campaign Targeting Publicly Exposed Management Interfaces on Fortinet FortiGate Firewalls
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
Scott Caveza
Scott joined Tenable in 2012 as a Research Engineer on the Nessus Plugins team. Over the years, he has written hundreds of plugins for Nessus, and reviewed code for even more from his time being a team lead and manager of the Plugins team. Previously leading the Security Response team and the Zero Day Research team, Scott is currently a member of the Security Response team, helping the research organization respond to the latest threats. He has over a decade of experience in the industry with previous work in the Security Operations Center (SOC) for a major domain registrar and web hosting provider. Scott is a current CISSP and actively maintains his GIAC GWAPT Web Application Penetration Tester certification.
Interests outside of work: Scott enjoys spending time with his family, camping, fishing and being outdoors. He also enjoys finding ways to break web applications and home renovation projects.
Related articles
Frequently Asked Questions About DeepSeek Large Language Model (LLM)
The open-source LLM known as DeepSeek has attracted much attention in recent weeks with the release of DeepSeek V3 and DeepSeek R1, and in this blog, The Tenable Security Response Team answers some of the frequently asked questions (FAQ) about it....
Microsoft’s February 2025 Patch Tuesday Addresses 55 CVEs (CVE-2025-21418, CVE-2025-21391)
Microsoft addresses 55 CVEs with three rated critical and four zero-day vulnerabilities, including two that were exploited in the wild....
Tenable Supercharges Exposure Management with Acquisition of Vulcan Cyber
Vulcan brings more than 100 additional third-party integrations and enhanced remediation workflows to the Tenable One Exposure Management Platform, enabling organizations to prioritize their security risk based on contextualized and enriched intelligence....
- Exposure Management
- Vulnerability Management
- Exposure Management