All CVEs
Vulnerability intelligence

CVE-2024-55591

Fortinet FortiOS and FortiProxy Authentication Bypass Vulnerability

Fortinet FortiOS and FortiProxy CWE-288

An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS version 7.0.0 through 7.0.16 and FortiProxy version 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12 allows a remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module.

CVSS Score
9.6
Critical
EPSS — Exploit Probability
98%
Riskier than 100% of all CVEs
Exploitation
Confirmed in the wild
Used in ransomware campaigns
Remediation
Patch available
Federal deadline 2025-01-21
CISA required action

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable. Deadline for federal agencies: 2025-01-21.

NVD entry Vendor patch PoC / advisory CISA KEV

1 article across 1 outlet · first covered May 13, 2026 · latest May 13, 2026

Tracked incidents

Associated threat actors

Coverage timeline

Related CVEs — Fortinet