U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Fortinet FortiOS vulnerability to its Known Exploited Vulnerabilities catalog.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a Fortinet FortiOS authorization bypass vulnerability, tracked as CVE-2024-55591 (CVSS score: 9.6) to its Known Exploited Vulnerabilities (KEV) catalog.
Remote attackers can exploit the vulnerability to bypass authentication and gain super-admin access via crafted Node.js WebSocket requests. The vendor confirmed that it is aware of attacks in the wild exploiting this vulnerability.
“An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS and FortiProxy may allow a remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module.” reads the advisory.
Please note that reports show this is being exploited in the wild.
The vulnerability impacts FortiOS (7.0.0-7.0.16) and FortiProxy (7.0.0-7.0.19, 7.2.0-7.2.12).
CISA also added the following flaws to the KEV catalog:
- CVE-2025-21333 Microsoft Windows Hyper-V NT Kernel Integration VSP Heap-based Buffer Overflow Vulnerability
- CVE-2025-21334 Microsoft Windows Hyper-V NT Kernel Integration VSP Use-After-Free Vulnerability
- CVE-2025-21335 Microsoft Windows Hyper-V NT Kernel Integration VSP Use-After-Free Vulnerability
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts also recommend private organizations review the Catalog and address the vulnerabilities in their infrastructure.
CISA orders federal agencies to fix this vulnerability by February 2, 2025.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
Pierluigi Paganini
(SecurityAffairs – hacking, CISA Known Exploited Vulnerabilities catalog)
