An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS version 7.0.0 through 7.0.16 and FortiProxy version 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12 allows a remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HFortinet FortiOS
OSFortinet7.0.0 – 7.0.17 (bez)Fortinet Fortiproxy
APPFortinet7.0.0 – 7.0.20 (bez)7.2.0 – 7.2.13 (bez)
CISA KEV — detailsi
- Vendori
- Fortinet ↗
- Producti
- FortiOS and FortiProxy
- Added to KEVi
- January 14, 2025
- Remediation deadline (US Federal)i
- January 21, 2025(overdue)
- Ransomwarei
- Active ransomware campaigns exploit this vulnerability
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Fortinet FortiOS and FortiProxy contain an authentication bypass vulnerability that may allow an unauthenticated, remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module.
Related vulnerabilities
Fortinet – Auth Bypass przez FortiCloud SSO w wielu produktach
Fortinet FortiOS/FortiProxy/FortiSwitchManager — Auth Bypass przez SAML
Krytyczna podatność format string RCE w Fortinet FortiOS, FortiProxy i FortiSwitchManager
Out-of-bounds write w Fortinet FortiOS i FortiProxy — RCE bez uwierzytelnienia
A heap-based buffer overflow vulnerability [CWE-122] in FortiOS version 7.2.4 and below, version 7.0.11 and be...