What is the CVSS score of CVE-2024-55591?

CVE-2024-55591 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 94.2%.

Which versions of Node.js are affected by CVE-2024-55591?

Organizations using FortiOS face critical risk from CVE-2024-55591 rated CVSS 9.8.

Is there a public PoC exploit available for CVE-2024-55591?

Yes, a public proof-of-concept exploit is available for CVE-2024-55591. Prioritise patching immediately. EPSS: 94.2%.

How to fix or mitigate CVE-2024-55591?

Within 24 hours: Identify all affected systems running FortiOS and apply vendor patches immediately. Monitor vendor channels for patch availability.

Node.js CVE-2024-55591

CRITICAL

Authentication Bypass Using an Alternate Path or Channel (CWE-288)

2025-01-14 psirt@fortinet.com

Node.js Authentication Bypass Fortinet Fortiproxy Fortios

9.8

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

9.8 CRITICAL

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 18:03 vuln.today

Added to CISA KEV

Oct 24, 2025 - 12:54 cisa

CISA KEV

EUVD Exploitation Confirmed

Oct 24, 2025 - 12:54 euvd

EUVD KEV

PoC Detected

Oct 24, 2025 - 12:54 vuln.today

Public exploit code

CVE Published

Jan 14, 2025 - 14:15 nvd

CRITICAL 9.8

DescriptionCVE.org

An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS version 7.0.0 through 7.0.16 and FortiProxy version 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12 allows a remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module.

AnalysisAI

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote attackers to gain super-admin privileges through crafted requests.

Technical ContextAI

The CWE-288 authentication bypass exploits the Node.js websocket module in FortiOS/FortiProxy's management interface. Crafted websocket requests allow an unauthenticated attacker to obtain a session with super-admin privileges, providing complete control over the firewall configuration.

RemediationAI

Upgrade FortiOS/FortiProxy immediately. Restrict management interface access to trusted networks. Audit admin accounts for unauthorized additions. Check for modified firewall policies and VPN configurations.

More from same product – last 7 days

CVE-2026-53633 CRITICAL Act Now

9.8 Jun 15

Remote code execution in Vitest Browser Mode (npm @vitest/browser 3.0.0-3.2.4, 4.0.0-4.1.7, 5.0.0-beta.0-5.0.0-beta.3) a

CVE-2026-48714 CRITICAL Act Now

9.1 Jun 15

Remote prototype pollution in i18next-http-middleware before 3.9.7 allows unauthenticated attackers to write to Object.p

CVE-2026-53609 CRITICAL Act Now

9.1 Jun 12

Prototype pollution in ApostropheCMS versions up to and including 4.30.0 allows an authenticated editor to poison Object

CVE-2026-48054 HIGH This Week

8.8 Jun 11

Code injection in OpenZeppelin Contracts Wizard's `@openzeppelin/wizard` npm package (<=0.10.8) allows attacker-supplied

CVE-2026-53608 HIGH This Week

8.7 Jun 12

Stored cross-site scripting in the @apostrophecms/seo plugin (versions ≤1.4.2) allows any user holding the default edito

CVE-2024-55591 vulnerability details – vuln.today

Back

Node.js CVE-2024-55591

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Technical ContextAI

RemediationAI

More from same product – last 7 days

Share

External POC / Exploit Code