9.8
CVE-2024-55591
- EPSS 94.18%
- Published 14.01.2025 14:15:34
- Last modified 23.01.2025 02:00:02
- Source psirt@fortinet.com
- Teams watchlist Login
- Open Login
An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS version 7.0.0 through 7.0.16 and FortiProxy version 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12 allows a remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module.
Data is provided by the National Vulnerability Database (NVD)
Fortinet ≫ Fortiproxy Version >= 7.0.0 < 7.0.20
Fortinet ≫ Fortiproxy Version >= 7.2.0 < 7.2.13
14.01.2025: CISA Known Exploited Vulnerabilities (KEV) Catalog
Fortinet FortiOS and FortiProxy Authentication Bypass Vulnerability
VulnerabilityFortinet FortiOS and FortiProxy contain an authentication bypass vulnerability that may allow an unauthenticated, remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module.
DescriptionApply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Required actions| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 94.18% | 0.999 |
| Source | Base Score | Exploit Score | Impact Score | Vector string |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| psirt@fortinet.com | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
CWE-288 Authentication Bypass Using an Alternate Path or Channel
The product requires authentication, but the product has an alternate path or channel that does not require authentication.