9.8
CVE-2024-55591
- EPSS 94.18%
- Veröffentlicht 14.01.2025 14:15:34
- Zuletzt bearbeitet 23.01.2025 02:00:02
- Quelle psirt@fortinet.com
- Teams Watchlist Login
- Unerledigt Login
An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS version 7.0.0 through 7.0.16 and FortiProxy version 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12 allows a remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Fortinet ≫ Fortiproxy Version >= 7.0.0 < 7.0.20
Fortinet ≫ Fortiproxy Version >= 7.2.0 < 7.2.13
14.01.2025: CISA Known Exploited Vulnerabilities (KEV) Catalog
Fortinet FortiOS and FortiProxy Authentication Bypass Vulnerability
SchwachstelleFortinet FortiOS and FortiProxy contain an authentication bypass vulnerability that may allow an unauthenticated, remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module.
BeschreibungApply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Erforderliche Maßnahmen| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 94.18% | 0.999 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| psirt@fortinet.com | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
CWE-288 Authentication Bypass Using an Alternate Path or Channel
The product requires authentication, but the product has an alternate path or channel that does not require authentication.