CVE-2024-55591 — Fortinet FortiOS and FortiProxy Authentication Bypass Vulnerability

Fortinet FortiOS/FortiProxy — Auth Bypass via Node.js WebSocket; Super-Admin RCE; 7-Day Emergency Deadline; Ransomware Active Exploitation

What is Fortinet FortiOS and FortiProxy?

Fortinet FortiOS is the operating system of FortiGate next-generation firewalls; FortiProxy is Fortinet's web proxy appliance. Both are widely deployed at enterprise perimeters, processing internet traffic and providing VPN access. See CVE-2025-24472 for the broader Fortinet authentication bypass context — CVE-2024-55591 is the earlier, more severe (CVSS 9.8) instance of the same vulnerability class in the same advisory (FG-IR-24-535).

Overview

CVE-2024-55591 is an authentication bypass vulnerability (CWE-288) in FortiOS and FortiProxy that allows an unauthenticated remote attacker to gain super-administrator privileges via crafted requests to the Node.js websocket module in the management interface. It was exploited as a zero-day before its January 14, 2025 disclosure, and CISA issued a 7-day emergency deadline — among the shortest under BOD 22-01 — reflecting ransomware exploitation already in progress at the time of disclosure. Arctic Wolf documented a campaign targeting FortiGate management interfaces for super-admin account creation and VPN backdooring.

Affected Versions

Product      Vulnerable         Fixed
FortiOS      7.6.x < 7.6.2      7.6.2
FortiOS      7.4.x ≤ 7.4.6      7.4.7
FortiOS      7.2.x ≤ 7.2.13     7.2.14
FortiOS      7.0.x ≤ 7.0.16     7.0.17
FortiProxy   7.2.x ≤ 7.2.12     7.2.13
FortiProxy   7.0.x ≤ 7.0.19     7.0.20

Technical Details

The authentication bypass (CWE-288) exploits the Node.js websocket module in the FortiOS/FortiProxy management interface. The management web GUI uses a websocket-based jsconsole interface; a crafted request to this interface bypasses authentication checks, granting the unauthenticated requester super-administrator access to the management API.

With super-admin access, attackers:

  • Created new administrator accounts with super-admin privileges (for persistence)
  • Modified SSL-VPN policies to add malicious configurations
  • Extracted SSL-VPN configuration and user databases
  • Disabled logging to hide intrusion activity

Relationship to CVE-2025-24472: Both share the same Fortinet advisory (FG-IR-24-535). CVE-2024-55591 (CVSS 9.8) is the original bypass via the Node.js websocket. CVE-2025-24472 (CVSS 8.1, Feb 2025) is a second bypass path via CSF proxy requests discovered after the January patch.

Discovery

Arctic Wolf researchers documented active exploitation beginning approximately December 2024 through January 2025, with a focused campaign targeting exposed FortiGate management interfaces. Fortinet released the patch on January 14, 2025 — the same day as the disclosure.

Exploitation Context

Active zero-day exploitation by financially motivated threat actors was observed, with ransomware operations in downstream targets. Arctic Wolf documented the full attack lifecycle: authentication bypass → super-admin account creation → SSL-VPN user creation → network infiltration → lateral movement. The known-ransomware-use flag in the Key Details below reflects ransomware deployment in at least some confirmed exploitation chains.

The 7-day CISA deadline reflects that exploitation was ongoing at the time of disclosure, not merely potential future exploitation.

Remediation

  1. Apply patches immediately per the version table above. The CISA deadline was January 21, 2025 — treat this as an emergency.
  2. Disable internet access to the FortiOS management interface — the management GUI should never be internet-accessible. This is the primary mitigation.
  3. Audit administrator accounts for unexpected new accounts created after December 2024.
  4. Review SSL-VPN users and policies for unauthorized additions.
  5. Check logs for Node.js websocket requests from external IP addresses to the management interface before patching.
  6. Apply the subsequent CVE-2025-24472 patch — a second bypass was discovered and patched in February 2025 in the same advisory.
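
Steps 3 to 5 above amount to a log review for the four post-exploitation actions listed under Technical Details. The following is an added example, not tooling from Fortinet, Arctic Wolf or this page: a small Python triage script that parses FortiOS-style key=value event-log lines and flags management logins from outside a trusted range, new administrator accounts, SSL-VPN user or policy changes, and disabled logging. The sample log lines are constructed, and the field names it relies on (user, ui, srcip, action, cfgpath, cfgobj, cfgattr) as well as the trusted management range 10.20.0.0/16 are assumptions to check against the log reference for the FortiOS version in use.

```python
"""Triage FortiOS event logs for the indicators named in the remediation steps.

Added example, not Fortinet's or Arctic Wolf's tooling. The sample lines are
constructed to resemble the FortiOS key=value event-log format; the field
names used (user, ui, srcip, action, cfgpath, cfgobj, cfgattr) are assumptions
to verify against the log reference for the deployed FortiOS version.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Assumption: the only networks an administrator is expected to log in from.
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Config paths whose modification changes SSL-VPN users, groups or portals.
VPN_CFG_PATHS = ("user.local", "user.group", "vpn.ssl.settings", "vpn.ssl.web.portal")

# Constructed sample: one benign change by an internal admin, then the four
# post-compromise actions the advisory lists, all over jsconsole from an
# address outside the trusted management range.
SAMPLE_LOGS = """\
date=2025-01-10 time=08:02:11 type="event" subtype="system" logdesc="Object attribute configured" user="admin" ui="https(10.20.0.15)" srcip=10.20.0.15 action="Edit" cfgpath="system.global" cfgobj="" cfgattr="timezone[04->12]"
date=2025-01-10 time=03:12:44 type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="jsconsole" srcip=203.0.113.77 action="login" status="success"
date=2025-01-10 time=03:13:02 type="event" subtype="system" logdesc="Object configured" user="admin" ui="jsconsole" srcip=203.0.113.77 action="Add" cfgpath="system.admin" cfgobj="backup_admin" cfgattr="accprofile[super_admin]"
date=2025-01-10 time=03:14:10 type="event" subtype="system" logdesc="Object configured" user="backup_admin" ui="jsconsole" srcip=203.0.113.77 action="Add" cfgpath="user.local" cfgobj="vpnuser1" cfgattr="type[password]"
date=2025-01-10 time=03:15:30 type="event" subtype="system" logdesc="Object attribute configured" user="backup_admin" ui="jsconsole" srcip=203.0.113.77 action="Edit" cfgpath="log.syslogd.setting" cfgobj="" cfgattr="status[enable->disable]"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line: str) -> dict:
    """Split one FortiOS-style log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


@dataclass
class Finding:
    severity: str
    rule: str
    when: str
    detail: str


def is_trusted(ip: str) -> bool:
    """True only if the address lies inside a configured management network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_MGMT_NETS)


def triage_event(ev: dict) -> list[Finding]:
    """Apply the four rules to one parsed event; returns zero or more findings."""
    src = ev.get("srcip", "")
    action = ev.get("action", "").lower()
    path = ev.get("cfgpath", "")
    attr = ev.get("cfgattr", "")
    user = ev.get("user", "?")
    when = f'{ev.get("date", "?")} {ev.get("time", "?")}'
    # The same change is rated higher when it came from outside the trusted range.
    sev = "MEDIUM" if is_trusted(src) else "HIGH"
    out: list[Finding] = []

    if action == "login" and not is_trusted(src):
        out.append(Finding("HIGH", "mgmt-login-untrusted-src", when,
                           f'user={user} ui={ev.get("ui")} srcip={src}'))
    if path == "system.admin" and action == "add":
        out.append(Finding(sev, "admin-account-added", when,
                           f'new admin {ev.get("cfgobj")} ({attr}) by {user} from {src}'))
    if path in VPN_CFG_PATHS and action in ("add", "edit"):
        out.append(Finding(sev, "vpn-user-or-policy-changed", when,
                           f'{action} {path} {ev.get("cfgobj")} by {user} from {src}'))
    if path.startswith("log.") and "disable" in attr:
        out.append(Finding(sev, "logging-disabled", when,
                           f'{path} {attr} by {user} from {src}'))
    return out


def triage_logs(text: str) -> list[Finding]:
    """Run triage_event over every non-empty line of a log export."""
    return [f for line in text.splitlines() if line.strip()
            for f in triage_event(parse_line(line))]


if __name__ == "__main__":
    for f in triage_logs(SAMPLE_LOGS):
        print(f"{f.severity:6} {f.when}  {f.rule:28} {f.detail}")
```

Run it against an export of the event log (one line per event) covering the window before the patch was applied; a new super_admin account or a disabled log destination that nobody can account for is reason to treat the device as compromised rather than merely vulnerable, which changes the response from patching to rebuilding and credential rotation.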

Key Details

Property              Value
CVE ID                CVE-2024-55591
Vendor / Product      Fortinet — FortiOS and FortiProxy
NVD Published         2025-01-14
NVD Last Modified     2025-10-24
CVSS 3.1 Score        9.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity              CRITICAL
CWE                   CWE-288
CISA KEV Added        2025-01-14
CISA KEV Deadline     2025-01-21
Known Ransomware Use  Yes

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2025-01-21. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date        Event
2025-01-14  Zero-day disclosed; Fortinet releases patches; CISA adds to KEV with 7-day emergency deadline; active exploitation confirmed by Arctic Wolf
2025-01-21  CISA BOD 22-01 emergency remediation deadline