A critical authentication vulnerability in Fortinet’s FortiGate SSL VPN appliance tracked as CVE-2024-55591, has been weaponized in active attacks.
Threat actors have exploited this vulnerability to gain super-admin privileges, bypassing the authentication mechanism, and compromising devices globally.
Cybersecurity experts warn organizations using vulnerable Fortinet systems to patch immediately to prevent catastrophic breaches.
The vulnerability resides in FortiOS’s JS console functionality, which provides administrators with a CLI (Command Line Interface) console via a web-based GUI.
A critical flaw in this feature allows attackers to establish unauthorized WebSocket connections and bypass authentication layers to gain access to an all-powerful CLI.
Are you from SOC/DFIR Teams? - Analyse Malware Files & Links with ANY.RUN Sandox -> Try for Free
What makes CVE-2024-55591 particularly dangerous is that it chains multiple issues:
The exploit’s power lies in creating a backdoor super-admin account unnoticed post-attack.
Compromising a FortiGate device often translates to unrestricted access to corporate networks, enabling attackers to launch ransomware, exfiltrate sensitive data, and spread laterally across an organization.
Arctic Wolf’s investigation revealed Indicators of Compromise (IoCs) with adversaries leveraging the CLI to execute privileged commands stealthily.
Logs show exploitation attempts targeting /ws/cli/open endpoints via WebSockets, marking the attack as deliberate and precise.
Shadowserver Foundation, monitoring global FortiGate deployments, reported at least 50,000 exposed and vulnerable systems still online as of January 2025. This highlights the urgency for organizations to patch affected systems.
Technical Insights into CVE-2024-55591
Upon reviewing Fortinet’s advisory and analyzing the vulnerable code, researchers identified that the flaw exists primarily in how dispatch() authenticates WebSocket connections. During the attack:
Using this exploit:
According to the WatchTowr report, Fortinet acknowledged the vulnerability in a public advisory, urging customers to apply patches for affected versions of FortiOS and FortiProxy.
The advisory states: “An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] may allow a remote attacker to gain super-admin privileges via crafted requests to the Node.js WebSocket module.”
Mitigation Steps:
Security researchers have emphasized the need for manufacturers to adopt stringent testing and minimize reliance on monolithic architectures like Fortinet’s Node.js implementation, which can harbor latent, high-impact vulnerabilities.
For now, organizations relying on FortiGate appliances are advised to patch promptly and conduct thorough security audits of their networks. As always, prevention begins with vigilance.
Integrating Application Security into Your CI/CD Workflows Using Jenkins & Jira -> Free Webinar
A new project has exposed a critical attack vector that exploits protocol vulnerabilities to disrupt…
A threat actor known as #LongNight has reportedly put up for sale remote code execution…
Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager Mobile…
Hackers are increasingly targeting macOS users with malicious clones of Ledger Live, the popular application…
The European Union has escalated its response to Russia’s ongoing campaign of hybrid threats, announcing…
Venice.ai has rapidly emerged as a disruptive force in the AI landscape, positioning itself as…