A comprehensive all-in-one Python-based Proof of Concept script to discover and exploit a critical authentication bypass vulnerability (CVE-2024-55591) in certain Fortinet devices. This script:
- Installs Missing Dependencies automatically
- Optionally Scans a target host for open ports using
nmap - Performs Pre-flight Checks to ensure the service is a Fortinet device and is vulnerable
- Exploits the WebSocket interface to hijack a Telnet-like CLI session
- Runs an Initial or Multiple Commands post-exploit
- Checks the Device Version against known vulnerable ranges from Fortinet PSIRT FG-IR-24-535
- Vulnerability Summary
- Affected Versions
- Pre-Requisites
- Usage
- Features
- Example Walkthrough
- Disclaimer
CVE-2024-55591 is a critical authentication bypass in certain Fortinet products (FortiOS & FortiProxy). By exploiting a flaw in the WebSocket/Telnet management interface, an attacker can gain privileged CLI access without valid credentials.
According to the Fortinet PSIRT Advisory (FG-IR-24-535), the following versions are known to be affected:
- FortiOS: 7.0.0 to 7.0.16
- FortiProxy: 7.0.0 to 7.0.19, 7.2.0 to 7.2.12
- Python 3.x
- (Optional) Nmap for automatic port scanning
- Network access to the target device
- Sufficient privileges on your local machine to install missing Python packages (if needed)
git clone https://github.com/exfil0/CVE-2024-55591-POC.git
cd CVE-2024-55591-POCpython3 attack.pyWhen executed, the script automatically checks for missing Python dependencies (requests, urllib3) and attempts to install them.
You will be prompted for:
- Target IP/Hostname
- Whether to run Nmap to find open ports
- If multiple open ports are found, whether to test ALL or just one
- Whether to use SSL
- A Command to run initially (you can select from a pre-defined list or supply your own)
- (Optional) Whether to run post-exploitation commands
Once you confirm, the script tests connectivity, checks vulnerability, upgrades the connection to WebSocket, and attempts the auth bypass.
At startup, this script checks for requests and urllib3. If missing, it attempts to install them via pip.
If you choose, the script runs nmap -sS -p- --min-rate 500 <host> to discover open TCP ports, then either:
- Tries all the discovered ports
- Lets you pick one
If multiple ports are discovered open, you can instruct the script to test them all. This is useful if Fortinet services are listening on non-standard ports.
If the exploit succeeds, you can optionally run additional commands in the same Telnet session, such as:
diag sys topdiag debug crashlog readexecute shell
You can modify these post-exploitation commands in the script to gather more advanced data.
The script attempts to parse the device version from the output of get system status or get system info. If it matches a known vulnerable range, it notifies you.
- Target IP: e.g.,
192.168.1.50 - Nmap scan?:
y(Yes) to discover open ports - SSL?: Typically
yif connecting via HTTPS/443 - Initial Command: e.g.,
get system status - Post-exploit commands:
yorn
If Nmap finds multiple open ports, you can choose to test all ports automatically or pick a specific one.
- The script checks if
/login?redir=/ngreturns Fortinet’s management interface - The script checks if
service-worker.js?local_access_token=ScaryBYtecontains the substringapi/v2/static - If both checks pass, it attempts the WebSocket upgrade and sends a fake Telnet login context
- Once you have a Telnet-like CLI, you can run commands like
get system status
If post-exploit mode is enabled, the script sends additional debug or system commands. The output is collected and displayed in your console.
This Proof of Concept script is provided for educational and testing purposes only. Unauthorized exploitation of systems without explicit permission is illegal. Always ensure you have the appropriate approvals before scanning or testing any systems, and refer to Fortinet’s Advisory (FG-IR-24-535) for patch information.