CVE-2024-55591 | Attaxion

CISA Known Exploited Vulnerability (KEV)

Name

Fortinet FortiOS Authorization Bypass Vulnerability

Exploit added

January 14, 2025

Action due

January 21, 2025

Action required

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Description

An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS version 7.0.0 through 7.0.16 and FortiProxy version 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12 allows a remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module.

References

https://fortiguard.fortinet.com/psirt/FG-IR-24-535

Weakness Enumeration

CWE-ID	CWE Name
CWE-288	Authentication Bypass Using an Alternate Path or Channel

Known Affected Software Configurations

cpe:2.3:a:fortinet:fortiproxy:7.0.18:::::::*
cpe:2.3:o:fortinet:fortios:7.0.15:::::::*
cpe:2.3:a:fortinet:fortiproxy:2.0.11:::::::*
cpe:2.3:a:fortinet:fortiproxy:7.0.16:::::::*
cpe:2.3:o:fortinet:fortios:6.0.18:::::::*
cpe:2.3:a:fortinet:fortiproxy:7.2.10:::::::*
cpe:2.3:a:fortinet:fortiproxy:2.0.14:::::::*
cpe:2.3:a:fortinet:fortiproxy:7.0.17:::::::*
cpe:2.3:a:fortinet:fortiproxy:7.4.2:::::::*
cpe:2.3:a:fortinet:fortiproxy:7.2.7:::::::*
cpe:2.3:a:fortinet:fortiproxy:2.0.13:::::::*
cpe:2.3:a:fortinet:fortiproxy:7.2.6:::::::*
cpe:2.3:a:fortinet:fortiproxy:7.2.11:::::::*
cpe:2.3:a:fortinet:fortiproxy:7.0.13:::::::*
cpe:2.3:a:fortinet:fortiproxy:7.0.12:::::::*
cpe:2.3:o:fortinet:fortios:7.2.8:::::::*
cpe:2.3:o:fortinet:fortios:7.4.1:::::::*
cpe:2.3:a:fortinet:fortiproxy:7.2.8:::::::*
cpe:2.3:o:fortinet:fortios:7.2.7:::::::*
cpe:2.3:a:fortinet:fortiproxy:7.0.15:::::::*
cpe:2.3:a:fortinet:fortiproxy:7.2.9:::::::*
cpe:2.3:a:fortinet:fortiproxy:7.4.3:::::::*
cpe:2.3:o:fortinet:fortios:7.0.13:::::::*
cpe:2.3:o:fortinet:fortios:7.0.14:::::::*
cpe:2.3:a:fortinet:fortiproxy:7.0.14:::::::*
cpe:2.3:o:fortinet:fortios:7.4.3:::::::*
cpe:2.3:o:fortinet:fortios:7.2.6:::::::*
cpe:2.3:o:fortinet:fortios:6.2.16:::::::*
cpe:2.3:o:fortinet:fortios:6.4.15:::::::*
cpe:2.3:o:fortinet:fortios:7.4.2:::::::*
cpe:2.3:a:fortinet:fortiproxy:7.4.1:::::::*
cpe:2.3:a:fortinet:fortiproxy:7.4.0:::::::*
cpe:2.3:o:fortinet:fortios:7.4.0:::::::*
cpe:2.3:o:fortinet:fortios:6.4.14:::::::*
cpe:2.3:o:fortinet:fortios:6.2.15:::::::*
cpe:2.3:a:fortinet:fortiproxy:7.0.11:::::::*
cpe:2.3:a:fortinet:fortiproxy:7.2.5:::::::*
cpe:2.3:o:fortinet:fortios:7.0.12:::::::*
cpe:2.3:o:fortinet:fortios:7.2.5:::::::*
cpe:2.3:a:fortinet:fortiproxy:7.2.4:::::::*
cpe:2.3:a:fortinet:fortiproxy:7.0.10:::::::*
cpe:2.3:o:fortinet:fortios:6.0.17:::::::*
cpe:2.3:o:fortinet:fortios:6.2.14:::::::*
cpe:2.3:a:fortinet:fortiproxy:7.2.3:::::::*
cpe:2.3:a:fortinet:fortiproxy:7.0.9:::::::*
cpe:2.3:a:fortinet:fortiproxy:2.0.12:::::::*
cpe:2.3:o:fortinet:fortios:6.4.13:::::::*
cpe:2.3:o:fortinet:fortios:7.0.11:::::::*
cpe:2.3:o:fortinet:fortios:7.0.10:::::::*
cpe:2.3:o:fortinet:fortios:6.4.12:::::::*
cpe:2.3:o:fortinet:fortios:7.0.9:::::::*
cpe:2.3:o:fortinet:fortios:6.2.13:::::::*
cpe:2.3:o:fortinet:fortios:6.0.16:::::::*
cpe:2.3:o:fortinet:fortios:6.0.15:::::::*
cpe:2.3:o:fortinet:fortios:6.4.11:::::::*
cpe:2.3:o:fortinet:fortios:7.2.3:::::::*
cpe:2.3:o:fortinet:fortios:7.2.4:::::::*
cpe:2.3:o:fortinet:fortios:7.0.8:::::::*
cpe:2.3:a:fortinet:fortiproxy:7.2.2:::::::*
cpe:2.3:a:fortinet:fortiproxy:7.0.8:::::::*
cpe:2.3:a:fortinet:fortiproxy:7.2.1:::::::*
cpe:2.3:o:fortinet:fortios:6.2.12:::::::*
cpe:2.3:o:fortinet:fortios:6.4.10:::::::*
cpe:2.3:a:fortinet:fortiproxy:2.0.4:::::::*
cpe:2.3:a:fortinet:fortiproxy:2.0.5:::::::*
cpe:2.3:a:fortinet:fortiproxy:2.0.6:::::::*
cpe:2.3:a:fortinet:fortiproxy:2.0.7:::::::*
cpe:2.3:a:fortinet:fortiproxy:2.0.8:::::::*
cpe:2.3:a:fortinet:fortiproxy:2.0.9:::::::*
cpe:2.3:a:fortinet:fortiproxy:2.0.10:::::::*
cpe:2.3:a:fortinet:fortiproxy:1.2.12:::::::*
cpe:2.3:a:fortinet:fortiproxy:1.2.13:::::::*
cpe:2.3:o:fortinet:fortios:7.2.2:::::::*
cpe:2.3:o:fortinet:fortios:7.0.7:::::::*
cpe:2.3:a:fortinet:fortiproxy:7.0.3:::::::*
cpe:2.3:a:fortinet:fortiproxy:7.0.4:::::::*
cpe:2.3:a:fortinet:fortiproxy:7.0.5:::::::*
cpe:2.3:a:fortinet:fortiproxy:7.0.6:::::::*
cpe:2.3:a:fortinet:fortiproxy:7.0.7:::::::*
cpe:2.3:a:fortinet:fortiproxy:7.2.0:::::::*
cpe:2.3:o:fortinet:fortios:7.2.1:::::::*
cpe:2.3:o:fortinet:fortios:7.2.0:::::::*
cpe:2.3:o:fortinet:fortios:7.0.6:::::::*
cpe:2.3:o:fortinet:fortios:7.0.5:::::::*
cpe:2.3:o:fortinet:fortios:6.2.11:::::::*
cpe:2.3:a:fortinet:fortiproxy:7.0.1:::::::*
cpe:2.3:a:fortinet:fortiproxy:7.0.2:::::::*
cpe:2.3:o:fortinet:fortios:7.0.4:::::::*
cpe:2.3:o:fortinet:fortios:7.0.3:::::::*
cpe:2.3:o:fortinet:fortios:6.4.8:::::::*
cpe:2.3:o:fortinet:fortios:6.4.9:::::::*
cpe:2.3:o:fortinet:fortios:6.0.14:::::::*
cpe:2.3:a:fortinet:fortiproxy:7.0.0:::::::*
cpe:2.3:a:fortinet:fortiproxy:1.2.11:::::::*
cpe:2.3:o:fortinet:fortios:6.4.7:::::::*
cpe:2.3:o:fortinet:fortios:7.0.2:::::::*
cpe:2.3:o:fortinet:fortios:6.2.10:::::::*
cpe:2.3:o:fortinet:fortios:7.0.0:::::::*
cpe:2.3:o:fortinet:fortios:6.4.6:::::::*
cpe:2.3:o:fortinet:fortios:6.2.6:::::::*

Details

Source:
NVD

Published:
January 14, 2025

Updated:
January 15, 2025

Risk information

CVSS v3

Base score:
9.8

Severity:

CRITICAL

Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2

Not defined