9.8

CVE-2024-55591

Warnung
Medienbericht
An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS version 7.0.0 through 7.0.16 and FortiProxy version 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12 allows a remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
FortinetFortiProxy Version >= 7.0.0 < 7.0.20
FortinetFortiProxy Version >= 7.2.0 < 7.2.13
FortinetFortiOS Version >= 7.0.0 < 7.0.17

14.01.2025: CISA Known Exploited Vulnerabilities (KEV) Catalog

Fortinet FortiOS and FortiProxy Authentication Bypass Vulnerability

Schwachstelle

Fortinet FortiOS and FortiProxy contain an authentication bypass vulnerability that may allow an unauthenticated, remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module.

Beschreibung

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Erforderliche Maßnahmen
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 98.26% 0.999
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
psirt@fortinet.com 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-288 Authentication Bypass Using an Alternate Path or Channel

The product requires authentication, but the product has an alternate path or channel that does not require authentication.

Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
11.06.2026 19:13
Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
19.03.2026 15:51
Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
17.03.2026 22:20
https://fortiguard.fortinet.com/psirt/FG-IR-24-535
Vendor Advisory
Mitigation
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-55591
US Government Resource