CVE-2024-55591 Overview
An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS version 7.0.0 through 7.0.16 and FortiProxy version 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12 allows a remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module.
Critical Impact
Remote attackers can gain unauthorized super-admin access, compromising system integrity and confidentiality.
Affected Products
- Fortinet FortiOS (7.0.0 - 7.0.16)
- Fortinet FortiProxy (7.0.0 - 7.0.19)
- Fortinet FortiProxy (7.2.0 - 7.2.12)
Discovery Timeline
- Not Available - Vulnerability discovered by Not Available
- Not Available - Responsible disclosure to Fortinet
- Not Available - CVE CVE-2024-55591 assigned
- Not Available - Fortinet releases security patch
- 2025-01-14T14:15:34.450 - CVE CVE-2024-55591 published to NVD
- 2025-10-24T12:54:28.963 - Last updated in NVD database
Technical Details for CVE-2024-55591
Vulnerability Analysis
The vulnerability exploits a flaw in the authentication mechanism used by the Node.js websocket module in FortiOS and FortiProxy. By sending specially crafted requests, attackers can bypass typical authentication paths and gain elevated privileges.
Root Cause
The issue arises from an alternate path not being validated properly, allowing unauthorized access.
Attack Vector
The attack can be conducted over the network by remote attackers with no prior access, allowing them to send crafted websocket requests.
// Example exploitation code (sanitized)
const WebSocket = require('ws');
const socket = new WebSocket('ws://vulnerable.example.com');
socket.on('open', function open() {
const payload = JSON.stringify({"bypass_auth": true});
socket.send(payload);
});
Detection Methods for CVE-2024-55591
Indicators of Compromise
- Unusual activity in super-admin logs
- Unexpected websocket communications
- Altered system configurations
Detection Strategies
Employ anomaly detection focusing on websocket connections and authenticate logs to identify potential bypass attempts.
Monitoring Recommendations
Configure SIEM systems to alert on unauthorized super-admin access and integrate with security solutions like SentinelOne for comprehensive monitoring and response.
How to Mitigate CVE-2024-55591
Immediate Actions Required
- Apply patches provided by Fortinet immediately.
- Monitor logs for unusual activity around websocket connections.
- Restrict network access to known and trusted entities.
Patch Information
Fortinet has released patches in advisory FG-IR-24-535 for affected products.
Workarounds
Implement network-level filtering to restrict access to the vulnerable Node.js service.
# Configuration example
iptables -A INPUT -p tcp --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
