CVE-2024-55591

CRITICAL KEV RANSOMWARE NUCLEI

FortiProxy 7.0.0-7.0.19 and 7.2.0-7.2.12 - Authentication Bypass via Node.js Websocket Module

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2024-55591 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added January 14, 2025, with confirmed use in ransomware campaigns. EIP tracks 9 public exploits from researchers including watchtowrlabs, sysirq, exfil0. A Nuclei detection template is also available.

AI-analyzed exploit summary This PoC exploits an authentication bypass vulnerability (CVE-2024-55591) in Fortinet FortiOS by leveraging a WebSocket connection to execute arbitrary commands without proper authentication. It includes pre-flight checks to confirm vulnerability and establishes a WebSocket session to send crafted login contexts and commands.

Description

An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS version 7.0.0 through 7.0.16 and FortiProxy version 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12 allows a remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module.

Exploits (9)

nomisec WORKING POC 76 stars
by watchtowrlabs · remote
https://github.com/watchtowrlabs/fortios-auth-bypass-poc-CVE-2024-55591

This PoC exploits an authentication bypass vulnerability (CVE-2024-55591) in Fortinet FortiOS by leveraging a WebSocket connection to execute arbitrary commands without proper authentication. It includes pre-flight checks to confirm vulnerability and establishes a WebSocket session to send crafted login contexts and commands.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: Fortinet FortiOS
No auth needed
Prerequisites: Network access to the FortiOS management interface · WebSocket connectivity to the target
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec SCANNER 68 stars
by watchtowrlabs · poc
https://github.com/watchtowrlabs/fortios-auth-bypass-check-CVE-2024-55591

This repository contains a Python script that checks for the presence of CVE-2024-55591, an authentication bypass vulnerability in Fortinet FortiOS. The script performs HTTP requests to specific endpoints and validates response conditions to determine if the target is vulnerable.

Classification
Scanner 95%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: Fortinet FortiOS 7.0.0 through 7.0.16, FortiProxy 7.0.0 through 7.0.19, FortiProxy 7.2.0 through 7.2.12
No auth needed
Prerequisites: Network access to the FortiOS management interface · Target must be running a vulnerable version of FortiOS or FortiProxy
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 25 stars
by sysirq · infoleak
https://github.com/sysirq/fortios-auth-bypass-poc-CVE-2024-55591

This PoC demonstrates an authentication bypass vulnerability in Fortinet FortiOS via WebSocket manipulation, allowing unauthorized access to system logs. It establishes a WebSocket connection with a crafted token and subscribes to event logs without authentication.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: Fortinet FortiOS (version not explicitly specified, but likely 7.0.16 based on README)
No auth needed
Prerequisites: Network access to the target FortiOS device · WebSocket endpoint exposed on the target
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 12 stars
by exfil0 · remote
https://github.com/exfil0/CVE-2024-55591-POC

This repository contains a Python-based Proof of Concept (PoC) for CVE-2024-55591, an authentication bypass vulnerability in Fortinet devices (FortiOS and FortiProxy). The script automates dependency installation, port scanning, vulnerability checks, and exploitation via WebSocket to gain privileged CLI access.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: FortiOS (7.0.0 to 7.0.16), FortiProxy (7.0.0 to 7.0.19, 7.2.0 to 7.2.12)
No auth needed
Prerequisites: Python 3.x · Network access to target device · Optional: Nmap for port scanning
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 8 stars
by virus-or-not · remote
https://github.com/virus-or-not/CVE-2024-55591

This PoC exploits CVE-2024-55591, an authentication bypass vulnerability in Fortinet's FortiOS and FortiProxy, allowing remote command execution via a WebSocket connection with a crafted payload.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: FortiOS (7.0.0-7.0.16), FortiProxy (7.0.0-7.0.19, 7.2.0-7.2.12)
No auth needed
Prerequisites: Network access to target WebSocket endpoint · Valid admin username for payload crafting
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 3 stars
by sysirq · poc
https://github.com/sysirq/fortios-auth-bypass-exploit-CVE-2024-55591

This repository contains a Python-based exploit for CVE-2024-55591, an authentication bypass vulnerability in Fortinet FortiOS and FortiProxy. The exploit allows unauthenticated command execution via a WebSocket-based CLI interface.

Classification
Working Poc 90%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: Fortinet FortiOS (7.0.0-7.0.16), FortiProxy (7.0.0-7.0.19, 7.2.0-7.2.12)
No auth needed
Prerequisites: Network access to the target device · WebSocket CLI service exposed
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 2 stars
by UMChacker · remote
https://github.com/UMChacker/CVE-2024-55591-POC

This is a functional PoC for CVE-2024-55591, an authentication bypass vulnerability in FortiOS that allows unauthenticated CLI access via WebSocket. It includes features for command execution, password resets, and interactive shell access.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: FortiOS (version not specified)
No auth needed
Prerequisites: Network access to FortiOS WebSocket endpoint · FortiOS GUI accessible on target
devstral-2 · analyzed Feb 16, 2026 Full analysis →
github SUSPICIOUS
by binarywarm · pythonpoc
https://github.com/binarywarm/exp-cmd-add-admin-vpn-CVE-2024-55591

The repository claims to provide an exploit and scanner for CVE-2024-55591 (FortiOS authentication bypass) but lacks actual exploit code, instead pushing external downloads via SatoshiDisk. The README is vague and marketing-heavy, with no technical details or functional code.

Classification
Suspicious 95%
Attack Type
Auth Bypass
Complexity
Theoretical
Reliability
Theoretical
Target: FortiOS (7.4.0-7.4.2, 7.2.0-7.2.6)
No auth needed
Prerequisites: None specified, but likely requires network access to FortiOS management interface
devstral-2 · analyzed Feb 19, 2026 Full analysis →
nomisec SCANNER
by 0x7556 · poc
https://github.com/0x7556/CVE-2024-55591

This repository provides a scanner for detecting CVE-2024-55591, an authentication bypass vulnerability in FortiGate and FortiProxy. It includes instructions for both single-target and batch scanning using the 1Scan tool.

Classification
Scanner 90%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: FortiOS 7.0.0 through 7.0.16, FortiProxy 7.0.0 through 7.0.19, FortiProxy 7.2.0 through 7.2.12
No auth needed
Prerequisites: Network access to the target FortiGate/FortiProxy device
devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

Fortinet - Authentication Bypass
CRITICALVERIFIEDby rootxharsh,iamnoooob,pdresearch

References (2)

Core 2

Scores

CVSS v3 9.8
EPSS 0.9406
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2025-01-14
VulnCheck KEV 2025-01-14
ENISA EUVD EUVD-2024-52819
Ransomware Use Confirmed
CWE
CWE-288
Status published
Products (2)
fortinet/fortios 7.0.0 - 7.0.17
fortinet/fortiproxy 7.0.0 - 7.0.20
Published Jan 14, 2025
KEV Added Jan 14, 2025
Tracked Since Feb 18, 2026