Fortinet FortiOS / FortiProxy Authentication Bypass (CVE-2024-55591)
by watchTowr Labs (Sonny) · 2026-05-16
- Severity
- Critical
- CVE
- CVE-2024-55591
- Category
- web
- Affected product
- Fortinet FortiOS/FortiProxy management interfaces
- Affected versions
- FortiOS 7.0.0–7.0.16, FortiProxy 7.0.0–7.0.19, FortiProxy 7.2.0–7.2.12
- Disclosed
- 2026-05-16
- Patch status
- unpatched
References
Archive entry
intelseclab/poc-archiveMetadata
| Field | Value |
|---|---|
| Date Added | 2026-05-16 |
| Author / Researcher | watchTowr Labs (Sonny) |
| CVE / Advisory | CVE-2024-55591 |
| Category | web |
| Severity | Critical |
| CVSS Score | 9.6 (CVSSv3) |
| Status | Weaponized |
| Tags | auth-bypass, websocket, race-condition, FortiOS, FortiProxy, unauthenticated, super-admin |
| Related | N/A |
Affected Target
| Field | Value |
|---|---|
| Software / System | Fortinet FortiOS/FortiProxy management interfaces |
| Versions Affected | FortiOS 7.0.0–7.0.16, FortiProxy 7.0.0–7.0.19, FortiProxy 7.2.0–7.2.12 |
| Language / Platform | FortiOS/FortiProxy appliance web management plane (HTTP/HTTPS + WebSocket) |
| Authentication Required | No |
| Network Access Required | Yes |
Summary
CVE-2024-55591 is an authentication bypass in Fortinet management interfaces that can be abused over a crafted WebSocket workflow. The public PoC demonstrates racing WebSocket login-context traffic to gain effective super-admin CLI access without valid credentials. Public reporting and CISA KEV tracking indicate real-world exploitation as a zero-day, including creation of rogue admin users and firewall configuration tampering.
Vulnerability Details
Root Cause
The bypass stems from flawed authentication enforcement in management-interface request handling where a local_access_token path can be reached during WebSocket CLI setup. By repeatedly sending crafted login context over /ws/cli/open, the PoC can win a race condition and enter privileged CLI context.
Attack Vector
An unauthenticated attacker with network access to the management interface first performs HTTP checks (/login?redir=/ng and /service-worker.js?local_access_token=...), then upgrades to WebSocket (/ws/cli/open?...&local_access_token=...) and brute-forces crafted frames until privileged command execution succeeds.
Impact
Successful exploitation enables unauthorized administrative command execution on affected devices. Practical impact includes full security-device takeover actions such as rogue admin account creation, policy/routing tampering, and persistence on perimeter infrastructure.
Environment / Lab Setup
OS: Linux/macOS/Windows attacker host with Python 3
Target: Authorized FortiOS/FortiProxy management interface in vulnerable range
Attacker: Security testing workstation
Tools: Python 3, requests
Setup Steps
| |
Proof of Concept
Step-by-Step Reproduction
Validate authorized target scope and identify a reachable FortiOS/FortiProxy management endpoint.
1ping <target-host>Run pre-flight checks + exploitation flow with the included PoC.
1 2 3 4 5 6python3 CVE-2024-55591-PoC.py \ --host <target-host> \ --port 443 \ --ssl \ --user watchTowr \ --command "get system status"Confirm privileged command output in returned CLI session data.
1# expected command response includes system/version fields from target
Exploit Code
See
CVE-2024-55591-PoC.pyin this folder.
| |
Expected Output
[*] Target is confirmed as vulnerable to CVE-2024-55591, proceeding with exploitation
Output from server: ..."super_admin"...
FAKESERIAL # get system status
Version: FortiGate-VM64-AWS v7.0.16,build0667,241001 (GA.M)
Screenshots / Evidence
screenshots/— add authorized captures of exploitation output and CLI command execution
Detection & Indicators of Compromise
SIEM / IDS Rule (example):
alert http any any -> $HOME_NET 443 (
msg:"Possible FortiOS/FortiProxy CVE-2024-55591 exploitation attempt";
content:"/ws/cli/open"; http_uri;
content:"local_access_token="; http_uri;
sid:952455591; rev:1;
)
Remediation
| Action | Detail |
|---|---|
| Patch | Apply Fortinet fixes from FG-IR-24-535 for impacted FortiOS/FortiProxy branches |
| Workaround | Restrict management-plane exposure to trusted admin networks and VPN-only access |
| Config Hardening | Monitor and alert on suspicious WebSocket management activity and unexpected admin creation |
References
- CVE-2024-55591 — NVD
- Fortinet PSIRT Advisory FG-IR-24-535
- CISA Known Exploited Vulnerabilities Catalog
- Source Repository — watchtowrlabs/fortios-auth-bypass-poc-CVE-2024-55591
Notes
Auto-ingested from https://github.com/watchtowrlabs/fortios-auth-bypass-poc-CVE-2024-55591 on 2026-05-16.
| |