CVE-2024-55591

CVE-2024-55591 is a critical privilege escalation vulnerability affecting FortiOS versions 7.0.0 through 7.0.16 and FortiProxy versions 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12. It allows an unauthenticated, remote attacker to gain super-administrator privileges by sending specially crafted requests to the Node.js WebSocket module.

This vulnerability has been actively exploited since November 2024, potentially affecting tens of thousands of internet-facing devices. Attackers were able to modify firewall configurations, create new administrative accounts, and access sensitive information.

Fortinet has released patches for the vulnerable versions:

  • FortiOS:
    • Update to version 7.0.17 or later.
  • FortiProxy:
    • Update to version 7.0.20 or later.
    • For versions 7.2.0 through 7.2.12, update to version 7.2.13 or later.

It is recommended that you apply these updates as soon as possible to mitigate the risks associated with this vulnerability.

Added ONYPHE detection

This detection was added on February 14, 2025 in our engine.

Detection method

Currently, we only detect CVE-2024-55591 with a direct reliable check. If we find the device to be vulnerable to this CVE, we also flag the device as vulnerable to CVE-2025-24472 as both have been fixed with the same patch. However, we don’t have a direct way to identify CVE-2025-24472.

Thus, when we determine the device to be vulnerable to CVE-2024-55591, we also consider it to be vulnerable to CVE-2025-24472.

However, when we determine the device to be NOT vulnerable to CVE-2024-55591 we have no way of establishing the presence, or not, of CVE-2025-24472. The vulnerability status for CVE-2025-24472 is therefore unknown.

So, if you have a device that has been compromised but ONYPHE says it is not vulnerable to CVE-2024-55591, it could mean that the device was compromised by CVE-2025-24472 as both are actively exploited in the wild. This situation can exist because it is possible to protect against CVE-2024-55591 by applying a workaround instead of the patch which resolves both issues. In this case, the device remains vulnerable to CVE-2025-24472 and can be compromised using that vulnerability alone.

In summary, when ONYPHE says that a device is vulnerable to CVE-2024-55591, it means it is vulnerable to both issues. When ONYPHE says you are not vulnerable to CVE-2024-55591, then ONYPHE does not know if you are vulnerable to CVE-2025-24472 or not, and so the status should be understood as “unknownvulnerable” for that CVE.
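To make the inference rule above concrete, here is an added Python triage helper (example code, not ONYPHE's engine): it checks an inventory version against the affected ranges listed in this advisory and maps a direct-check result for CVE-2024-55591 onto the status of CVE-2025-24472, including the "not vulnerable to CVE-2024-55591 because a workaround is in place" case. The product names, status labels and the `direct_check` parameter are assumptions made for this example.

```python
from typing import Optional

# Affected version ranges as listed in the advisory, inclusive at both ends.
AFFECTED = {
    "FortiOS": [((7, 0, 0), (7, 0, 16))],
    "FortiProxy": [((7, 0, 0), (7, 0, 19)), ((7, 2, 0), (7, 2, 12))],
}

def parse_version(text: str) -> tuple:
    """Turn '7.0.16' into (7, 0, 16) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))

def in_affected_range(product: str, version: str) -> bool:
    """True when the build sits inside a range the advisory lists as affected."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED.get(product, []))

def triage(product: str, version: str, direct_check: Optional[bool] = None) -> dict:
    """Combine the inventory version with an optional direct probe result.

    direct_check is the outcome of a reliable check for CVE-2024-55591
    (True = vulnerable, False = not vulnerable), or None if no probe was run.
    Status labels ("vulnerable", "not_vulnerable", "unknown", "not_affected")
    are constructed for this example.
    """
    if not in_affected_range(product, version):
        # Outside the listed ranges: either patched (the patch fixes both CVEs)
        # or not an affected branch at all.
        return {"CVE-2024-55591": "not_affected", "CVE-2025-24472": "not_affected",
                "note": "build not in an affected range listed by the advisory"}
    if direct_check is None:
        # Affected build and no probe: treat both as vulnerable until patched.
        return {"CVE-2024-55591": "vulnerable", "CVE-2025-24472": "vulnerable",
                "note": "affected build, no probe result"}
    if direct_check:
        # A positive check implies both CVEs, since one patch fixes both.
        return {"CVE-2024-55591": "vulnerable", "CVE-2025-24472": "vulnerable",
                "note": "direct check positive"}
    # Affected build but the check is negative: a workaround, not the patch,
    # is likely in place, so CVE-2025-24472 cannot be ruled out.
    return {"CVE-2024-55591": "not_vulnerable", "CVE-2025-24472": "unknown",
            "note": "workaround likely applied; patch still required"}
```

Feed it the product, the firmware version from your inventory and, where you have one, the result of a direct check; an affected build with a negative check is the case the text above describes, where CVE-2025-24472 stays unresolved until the patch is applied.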
