Summary

An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS and FortiProxy allows a remote attacker to gain super-admin privileges via crafted requests to the Node.js websocket module.

Affected Products

Version          Affected                  Solution
FortiOS 7.6      Not affected              Not Applicable
FortiOS 7.4      Not affected              Not Applicable
FortiOS 7.2      Not affected              Not Applicable
FortiOS 7.0      7.0.0 through 7.0.16      Upgrade to 7.0.17 or above
FortiOS 6.4      Not affected              Not Applicable
FortiProxy 7.6   Not affected              Not Applicable
FortiProxy 7.4   Not affected              Not Applicable
FortiProxy 7.2   7.2.0 through 7.2.12      Upgrade to 7.2.13 or above
FortiProxy 7.0   7.0.0 through 7.0.19      Upgrade to 7.0.20 or above
FortiProxy 2.0   Not affected              Not Applicable
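The affected-version table above is easy to misread when checking a fleet by hand, and comparing firmware strings lexically ("7.0.9" > "7.0.16") gives wrong answers. The following script is an added example, not Fortinet's tool or code, that encodes the ranges from this advisory and flags exposed devices in a constructed inventory; hostnames and the inventory format are assumptions.

```python
"""Exposure check against the FG-IR-24-535 / CVE-2024-55591 affected-version table."""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges transcribed from the advisory table:
# (product, branch) -> (first affected, last affected, fixed release)
AFFECTED: Dict[Tuple[str, Tuple[int, int]], Tuple[Version, Version, Version]] = {
    ("FortiOS", (7, 0)): ((7, 0, 0), (7, 0, 16), (7, 0, 17)),
    ("FortiProxy", (7, 2)): ((7, 2, 0), (7, 2, 12), (7, 2, 13)),
    ("FortiProxy", (7, 0)): ((7, 0, 0), (7, 0, 19), (7, 0, 20)),
}
KNOWN_PRODUCTS = {"FortiOS", "FortiProxy"}


def parse_version(text: str) -> Version:
    """Turn '7.0.16' into (7, 0, 16) so comparisons are numeric, not lexical."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 3:
        raise ValueError(f"expected major.minor.patch, got {text!r}")
    return parts  # type: ignore[return-value]


def check_exposure(product: str, version: str) -> Tuple[bool, Optional[str]]:
    """Return (affected, fixed_version). Branches absent from the table
    (e.g. FortiOS 7.4, FortiProxy 2.0) are not affected per the advisory."""
    if product not in KNOWN_PRODUCTS:
        raise ValueError(f"advisory does not cover product {product!r}")
    ver = parse_version(version)
    entry = AFFECTED.get((product, ver[:2]))
    if entry is None:
        return (False, None)
    first, last, fixed = entry
    if first <= ver <= last:
        return (True, ".".join(map(str, fixed)))
    return (False, None)


# Constructed sample inventory (hostname, product, firmware) for a fleet check.
INVENTORY = [
    ("fw-edge-01", "FortiOS", "7.0.9"),      # in range, lexical compare would miss it
    ("fw-edge-02", "FortiOS", "7.0.17"),     # already on the fixed release
    ("fw-core-01", "FortiOS", "7.4.3"),      # branch not affected
    ("proxy-01", "FortiProxy", "7.2.12"),    # last affected build of the 7.2 branch
    ("proxy-02", "FortiProxy", "2.0.14"),    # branch not affected
]


def exposed_devices(inventory) -> List[Tuple[str, str, str, str]]:
    """List (host, product, version, upgrade_to) for every exposed device."""
    out = []
    for host, product, version in inventory:
        affected, fixed = check_exposure(product, version)
        if affected:
            out.append((host, product, version, fixed))
    return out


if __name__ == "__main__":
    for host, product, version, fixed in exposed_devices(INVENTORY):
        print(f"{host}: {product} {version} affected, upgrade to {fixed} or above")
```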

Recommendations

Follow the recommended upgrade path using the Fortinet upgrade tool at:

https[:]//docs[.]fortinet[.]com/upgrade-tool

References

  • Fortinet: https[:]//fortiguard[.]fortinet[.]com/psirt/FG-IR-24-535
  • CVE ORG: https[:]//www[.]cve[.]org/CVERecord?id=CVE-2024-55591