Authentication Bypass in FortiOS and FortiProxy Node.js WebSocket Module

This repository contains a single Python proof-of-concept exploit (CVE 2024 55591 PoC.py) targeting CVE-2024-55591, a FortiOS WebSocket CLI authentication bypass vulnerability. The exploit allows unauthenticated attackers to connect to the FortiOS WebSocket CLI endpoint and execute arbitrary CLI commands, including resetting admin passwords. The script first verifies the target is a FortiOS device and checks for the presence of the vulnerability. It then establishes a WebSocket connection to the /ws/cli/open endpoint, bypasses authentication, and provides an interactive shell or executes a password reset script. The repository also includes a README with usage instructions and a LICENSE file. The main attack vector is network-based, targeting the FortiOS Web GUI (typically on port 443). The exploit is a functional PoC, not weaponized, and does not belong to any exploit framework.

This repository provides a comprehensive, operational Python-based exploit for CVE-2024-55591 (and CVE-2025-24472), targeting Fortinet FortiOS and FortiProxy devices. The exploit leverages a critical authentication bypass in the WebSocket/Telnet management interface, allowing attackers to gain super-admin CLI access without valid credentials. The repository includes three main Python scripts: - 'attack.py': The primary PoC for single-target exploitation, featuring dependency auto-installation, optional nmap port scanning, vulnerability checks, and interactive command execution post-exploit. - 'attack-v2.py': An enhanced version with more aggressive features, including parallel port/user exploitation, expanded username dictionaries, stealthier probes, and advanced post-exploitation commands. - 'mass-attack/attack.py': A multi-target version that reads a list of hosts, scans each for open ports, and attempts exploitation in both HTTP and HTTPS modes, supporting batch operations. The scripts check for the presence of the Fortinet management interface by probing endpoints such as '/login?redir=/ng' and 'service-worker.js?local_access_token=ScaryBYte', and confirm vulnerability by searching for specific strings in responses. Upon successful exploitation, the attacker is granted a Telnet-like CLI session, enabling execution of arbitrary system and diagnostic commands. The repository is well-documented, with detailed usage instructions, affected version ranges, and references to the official Fortinet advisory. The exploit is operational, not just a detection script, and is suitable for both targeted and mass exploitation scenarios.

This repository provides a working proof-of-concept exploit for CVE-2024-55591, a critical authentication bypass vulnerability in Fortinet FortiOS and FortiProxy. The main exploit script (CVE-2024-55591.py) is a Python tool that connects to the target's WebSocket CLI interface using a hardcoded local_access_token and a crafted authentication string. By exploiting a race condition and improper validation of the local_access_token parameter, the script bypasses authentication and allows the attacker to execute arbitrary commands as a super-admin. The exploit requires the attacker to know a valid admin username and network access to the target's WebSocket CLI endpoint (typically on port 443). The repository also includes a detailed markdown writeup explaining the vulnerability, its root cause, and the patch diff analysis. No detection scripts or fake code are present; the exploit is functional and demonstrates the vulnerability's impact.

This repository contains a proof-of-concept (PoC) exploit for CVE-2024-55591, an authentication bypass vulnerability affecting Fortinet FortiOS (FortiGate) and FortiProxy management interfaces. The main file, 'CVE-2024-55591-PoC.py', is a Python script that performs pre-flight checks to confirm the target is a FortiOS management interface and is vulnerable. It then establishes a WebSocket connection to the management interface, exploiting a race condition and authentication bypass to send arbitrary CLI commands as an administrator. The script is configurable via command-line arguments for the target host, port, command to execute, and whether to use SSL. The README.md provides usage instructions, affected versions, and references to further technical details. The exploit is network-based, targeting HTTP/HTTPS endpoints exposed by the FortiOS management interface, and does not require prior authentication. The PoC demonstrates the ability to execute system commands and retrieve their output, confirming successful exploitation.

This repository contains a proof-of-concept (PoC) exploit for CVE-2024-55591, an authentication bypass vulnerability affecting Fortinet FortiOS (7.0.0-7.0.16) and FortiProxy (7.0.0-7.0.19, 7.2.0-7.2.12). The main exploit is implemented in 'poc.py', a Python script that establishes a TLS connection to the target device, upgrades the connection to a WebSocket session at a specific endpoint, and sends a crafted subscription message to access system event logs without authentication. The script demonstrates the vulnerability by printing received log data. The repository also includes a README with usage instructions, affected versions, and output examples. The exploit requires network access to the target's WebSocket service (default port 443) and does not require valid credentials. No weaponized payload is included; the PoC is limited to log retrieval via the bypassed authentication mechanism.