Exploit for Authentication Bypass Using an Alternate Path or Channel in Fortinet Fortiproxy CVE-2024-55591

## https://sploitus.com/exploit?id=6A78A941-2961-566A-AEE6-CD8B47503D41
# CVE-2024-55591 PoC
This repository contains an **PoC (Proof of Concept)** for **CVE-2024-55591**, a critical authentication bypass vulnerability discovered in Fortinet's FortiOS and FortiProxy products.

## **Vulnerability Overview**
**CVE-2024-55591** is an **authentication bypass vulnerability** caused by an alternative path or channel (CWE-288). The vulnerability affects FortiOS versions 7.0.0 to 7.0.16 and FortiProxy versions 7.0.0 to 7.0.19 and 7.2.0 to 7.2.12. A remote attacker can exploit this flaw to gain **super-admin privileges** by sending specially crafted requests to the Node.js WebSocket module.
### **Details**
- **Base Score (CVSS):** 9.8 (CRITICAL)
- **NVD Published Date:** 01/14/2025

## **Technical details**
### **[Storming the Fortress: Authentication Bypass in FortiOS and FortiProxy](https://github.com/virus-or-not/CVE-2024-55591/blob/main/Storming%20the%20Fortress%3A%20Authentication%20Bypass%20in%20FortiOS%20and%20FortiProxy.md)**

## Demo
<p align="center">
    <img src="https://github.com/user-attachments/assets/035f452d-fc5e-410c-a0da-ddf3ecc0d79f" alt="Usage example">
</p>

## Usage
```python                           
usage: CVE-2024-55591.py [-h] --target TARGET [--port PORT] --username USERNAME --command COMMAND [--debug]

CVE-2024-55591 exploit by https://github.com/virus-or-not/

options:
  -h, --help           show this help message and exit
  --target TARGET      Target IP address
  --port PORT          Target port (default: 443)
  --username USERNAME  Admin account username
  --command COMMAND    Command to execute (tip: you could specify multiple commands separated by \n)
  --debug              Enable debug mode (default: False)
```

## **Affected Versions**
- **FortiOS:** Versions 7.0.0 – 7.0.16
- **FortiProxy:**
  - Versions 7.0.0 – 7.0.19
  - Versions 7.2.0 – 7.2.12

## **Mitigation**
Fortinet has released patches to address this vulnerability. It is strongly recommended to update affected products to the following versions:
- **FortiOS:** Update to version 7.0.17 or higher
- **FortiProxy 7.0:** Update to version 7.0.20 or higher
- **FortiProxy 7.2:** Update to version 7.2.13 or higher

For detailed instructions, refer to the [official Fortinet advisory](https://fortiguard.fortinet.com/psirt/FG-IR-24-535).

## **Purpose of this PoC**
This PoC is created to demonstrate the exploitation mechanism of CVE-2024-55591 for **educational and research purposes only**. Use this code in controlled and authorized environments **only**.

## **Disclaimer**
The information provided in this repository is for **educational and informational purposes only**. **The author does not endorse or take responsibility for any unlawful, malicious, or unethical use of the material presented.** The techniques and concepts discussed should not be applied to systems or networks without proper authorization. **The author is not liable for any damages, legal consequences, or losses resulting from the misuse of this information.** Readers are encouraged to adhere to all applicable laws and guidelines regarding cybersecurity practices.

## **References**
- [Fortinet Advisory on CVE-2024-55591](https://fortiguard.fortinet.com/psirt/FG-IR-24-535)
- [Tenable Analysis of CVE-2024-55591](https://www.tenable.com/blog/cve-2024-55591-fortinet-authentication-bypass-zero-day-vulnerability-exploited-in-the-wild)
- [Arctic Wolf: Analysis of Fortinet Exploits](https://arcticwolf.com/resources/blog/console-chaos-targets-fortinet-fortigate-firewalls/)
- [The first published PoC (implements only the first part of authentication bypass) by @sysirq](https://github.com/sysirq/fortios-auth-bypass-poc-CVE-2024-55591)