CVE-2024-55591: The FortiOS Authentication Bypass That Handed Attackers the Keys to the Kingdom

How a flaw in Fortinet's Node.js WebSocket module gave unauthenticated attackers super-admin privileges — and how NightSpire ransomware turned it into a primary weapon.

On January 14, 2025, Fortinet published security advisory FG-IR-24-535, disclosing CVE-2024-55591 — a critical authentication bypass vulnerability affecting FortiOS and FortiProxy. Fortinet assigned a CVSSv3 score of 9.6; NIST's National Vulnerability Database independently scored it 9.8. Either way, it was about as severe as vulnerabilities get. But by the time the advisory went public, attackers had already been exploiting it in the wild for nearly two months.

This article breaks down exactly how the vulnerability works, who has been exploiting it, how the attack unfolds in practice, and what defenders need to do about it. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-55591 to its Known Exploited Vulnerabilities (KEV) catalog on January 14, 2025, with a federal remediation deadline of January 21, 2025.

What Is CVE-2024-55591?

CVE-2024-55591 is classified under CWE-288: Authentication Bypass Using an Alternate Path or Channel. It affects the Node.js WebSocket module in FortiOS and FortiProxy, allowing an unauthenticated remote attacker to gain super-admin privileges by sending specially crafted requests.

In plain terms: an attacker who can reach a FortiGate firewall's management interface over the internet can take complete control of the device without ever providing a username or password.

Affected Versions

The vulnerability impacts the following product versions:

  • FortiOS: 7.0.0 through 7.0.16 (fixed in 7.0.17 or above)
  • FortiProxy: 7.0.0 through 7.0.19 (fixed in 7.0.20 or above)
  • FortiProxy: 7.2.0 through 7.2.12 (fixed in 7.2.13 or above)

Other branches — FortiOS 6.4, 7.2, 7.4, and 7.6, and FortiProxy 2.0, 7.4, and 7.6 — are not affected. This is an important detail. If your organization jumped to FortiOS 7.2 or later, you were never vulnerable to this specific flaw. That said, Shadowserver reported nearly 50,000 internet-facing devices running vulnerable versions at the time of disclosure, underscoring the scale of exposure.

A Related CVE: CVE-2025-24472

On February 11, 2025, Fortinet updated the advisory to include a second CVE, CVE-2025-24472, which covers authentication bypass via crafted CSF (Cooperative Security Fabric) proxy requests — a different attack vector targeting the same underlying weakness. This was reported by Sonny of watchTowr Labs and carries a CVSS score of 8.1.

How the Exploit Works

The vulnerability lives in the way FortiOS handles WebSocket connections to its management interface. Here is the chain of events that makes exploitation possible.

The Authentication Logic Flaw

FortiOS's management interface includes a feature called jsconsole, a GUI-based CLI console that allows administrators to execute commands from the web interface. Under the hood, jsconsole communicates through a WebSocket endpoint at /ws/cli/.

When a WebSocket connection request arrives at this endpoint, the system checks authentication through a function called api_access_check_for_trusted_access. This function delegates to a secondary check — is_trusted_ip_and_user_agent — that validates whether the request originates from a trusted source.

Here is where the flaw becomes critical. If the request arrives without HTTP headers like client-ip or x-forwarded-for, the API defaults to treating the request as originating from 127.0.0.1 with a Node.js User-Agent. This is the same trust assumption that the system uses for internal process communication. In other words, the absence of identifying headers causes the system to assume the request is local and trusted.

Research from watchTowr Labs confirmed that this is not a single vulnerability but rather a chain of issues combined into one critical flaw. Their analysis also identified a race condition in the internal Telnet interface as a contributing factor in the exploitation chain. To summarize the four key components:

  1. A WebSocket connection can be created from a pre-authenticated HTTP request. No session cookie or API token is required to initiate the WebSocket handshake.
  2. A special parameter (local_access_token) can skip session checks. The WebSocket endpoint accepts this parameter, and when combined with the trusted-IP assumption, it bypasses the session validation entirely.
  3. The system processes the connection as if it came from a local, trusted process. Because the API defaults to treating the request as originating from 127.0.0.1, it grants administrative access.
  4. The attacker is issued super-admin privileges. Once authenticated through this forged trust path, the attacker has full CLI access as though they were logged in with the highest privilege level.

What This Looks Like in Practice

The exploitation generates specific log entries that defenders can use for detection. A successful exploit produces log lines similar to:

type="event" subtype="system" level="information"
logdesc="Admin login successful"
user="admin" ui="jsconsole"
srcip=1.1.1.1 dstip=1.1.1.1
action="login" status="success"
reason="none" profile="super_admin"
msg="Administrator admin logged in successfully from jsconsole"

The telltale indicators here are the ui="jsconsole" field combined with srcip and dstip values that are either identical, randomized, or sourced from known VPS hosting providers. Legitimate jsconsole usage would typically show internal management IP addresses, not external ones.

The watchTowr PoC

On January 27, 2025, watchTowr Labs published their technical analysis and released a public proof-of-concept exploit, available on GitHub. The PoC demonstrates the full exploit chain, including target validation and exploitation:

python CVE-2024-55591-PoC.py \
    --host 192.168.1.5 \
    --port 443 \
    --command "get system status" \
    --user watchTowr --ssl

The script first confirms the target is a FortiOS management interface, then verifies vulnerability status, and finally executes arbitrary CLI commands with super-admin privileges. By the time this PoC was released, the vast majority of those nearly 50,000 exposed devices identified by Shadowserver were still running vulnerable versions.

The Attack Campaign: Timeline and Phases

Arctic Wolf was the first to publicly document active exploitation, publishing their findings on January 10, 2025 — four days before Fortinet's official advisory. Their research revealed a coordinated campaign that had been running since mid-November 2024, structured in four distinct phases:

Phase 1: Vulnerability Scanning (November 16–23, 2024)

Automated scanners swept the internet for FortiGate appliances with exposed management interfaces. Arctic Wolf observed numerous unauthorized admin login events during this window, indicating that initial exploitation was already occurring alongside the scanning activity. The attackers were methodical — they were not spraying the entire internet, but rather identifying and validating exploitable devices.

Phase 2: Reconnaissance (November 22–27, 2024)

After gaining initial access, attackers performed configuration reconnaissance on compromised devices. Arctic Wolf noted configuration changes during this period whose purpose was not immediately clear — likely mapping the internal network topology and understanding the target environment before taking action.

Phase 3: Account Creation and VPN Access (December 4–7, 2024)

This phase involved the creation of new super-admin and local user accounts, often with randomly generated usernames like "Gujhmk" or "M4ix9f." These accounts were added to existing SSL VPN user groups. New SSL VPN portals were created, and the attackers established SSL VPN tunnels through the compromised devices to gain a foothold inside the victim's internal network.

Phase 4: Credential Extraction and Lateral Movement (December 16–27, 2024)

With VPN access established, attackers extracted credentials for lateral movement deeper into victim networks. This is where the exploitation transitions from a firewall compromise to a full network intrusion — and where ransomware operators enter the picture.

NightSpire: How a Ransomware Group Weaponized CVE-2024-55591

NightSpire is a financially motivated ransomware group whose earliest activity traces to February 2025, with its Tor-based data leak site going live on March 12, 2025. Despite its short history, it has rapidly become one of the more prolific operations in the ransomware landscape. CVE-2024-55591 has been its primary access vector, but the group also employs secondary methods:

  • RDP brute-force attacks
  • Phishing campaigns deploying malicious attachments or fake software updates
  • Exploitation of other vulnerable VPN appliances and misconfigured web applications
  • MFA fatigue attacks combined with VPN credential brute-forcing
  • Abuse of remote monitoring and management (RMM) platforms through compromised managed service providers
  • Exploitation of unpatched edge devices

Origins and Attribution

Threat intelligence analysis from multiple firms — including Halcyon, SOCRadar, and S-RM — traces NightSpire back to a predecessor group called Rbfs ransomware. The connection is supported by four categories of evidence: shared operators (using the handles xdragon128, also known as xdragon333, and cuteliyuan), overlapping victims on both groups' leak sites, timeline correlation (Rbfs references ceased as NightSpire emerged), and infrastructure continuity through the hostname XDRAGON-SERVER1, which maps directly to the xdragon128 operator handle. Historical connections also place xdragon128 in 2024 affiliations with Paranodeus, CyberVolk, and DarkAssault, though the precise nature of these relationships remains unclear.

NightSpire operates as a closed, self-contained group according to threat intelligence assessments from S-RM, Halcyon, and Proven Data. Every observed attack has been handled in-house, from initial access through extortion. There is no confirmed public affiliate program. However, the classification is not unanimous — HivePro describes NightSpire as operating under a Ransomware-as-a-Service (RaaS) model, and some analysts note the boundaries remain unclear.

Notably, S-RM characterized the group's operators as "inexperienced" with "a low level of sophistication" — a contrast that underscores how low the barrier to entry has become for effective ransomware operations. On March 14, 2025, xdragon128 posted a recruitment ad on BreachForums seeking a "negotiation specialist" with a 20% profit share — suggesting the group was looking to professionalize its extortion operations while keeping the technical side tightly controlled. This recruitment attempt resulted in a permanent platform ban, as BreachForums prohibited ransomware-related content and recruitment.

Scale and Targeting

As of early 2026, NightSpire has accumulated over 150 documented victims across 33 countries. The United States accounts for over 40% of targets, with secondary concentrations across Asia-Pacific, Western Europe, the Middle East, and Africa. Roughly 73% of victims are small to medium-sized businesses with fewer than 1,000 employees — organizations that tend to have limited cybersecurity resources, outdated infrastructure, and inconsistent patching practices.

The group targets opportunistically across sectors, including manufacturing, technology and IT services, financial services, healthcare, education, construction, retail, public administration, transportation, and real estate. The pattern is clear: NightSpire looks for exposed vulnerabilities and poor cyber hygiene, not specific industries.

Ransom demands range from $150,000 to $2 million, calibrated based on the perceived sensitivity of the stolen data and the victim's ability to pay.

Technical Playbook

What makes NightSpire technically interesting is their near-total reliance on legitimate tools rather than custom malware. Their attack chain uses:

  • MEGACmd — for data exfiltration to MEGA cloud storage
  • WinSCP — for additional exfiltration channels
  • Rclone — for cloud-based data transfer and exfiltration
  • 7-Zip — for compressing data prior to exfiltration
  • PowerShell — for command execution and scripting
  • PsExec — for remote execution and lateral movement
  • WMI (Windows Management Instrumentation) — for remote command execution
  • Everything.exe — for rapid file and directory enumeration on compromised systems
  • Mimikatz — for credential dumping and Active Directory enumeration

This living-off-the-land (LOLBins) approach minimizes the forensic footprint. Every tool in NightSpire's kit is something a legitimate system administrator might use, which means signature-based detection is largely ineffective. One notable OPSEC detail: despite using encrypted channels for many operations, NightSpire operators have been observed using Gmail addresses for victim communication — a lapse consistent with the group's relative inexperience noted by several threat intelligence firms.

The ransomware payload itself is written in Go and encrypts files with the .nspire extension using a hybrid AES-256/RSA-2048 scheme. Each file is encrypted with a unique AES symmetric key, which is then encrypted with the attacker's RSA public key and appended to the file. Obfuscation layers include AES, RC4, and XOR encoding to evade static analysis.

Reverse engineering by ASEC confirmed that the ransomware uses block encryption in 1 MB units for large files such as disk images and archives (.iso, .vhdx, .vmdk, .zip, .vib, .bak, .mdf, .flt, .ldf) while performing full-file encryption on all other extensions — a strategy designed to maximize speed on large targets. The ransomware specifically targets OneDrive cloud storage files in addition to local and network-accessible data. The group also employs extended sleep intervals between encryption operations to avoid triggering real-time detection, and performs log manipulation and temporary file cleanup after payload execution.

Halcyon's threat intelligence also indicates that Linux and ESXi variants are in development, though they have not yet been widely deployed.

One notable characteristic: the ransomware does not delete Volume Shadow Copies. This is an unusual choice — many ransomware operators delete shadow copies to prevent easy recovery. NightSpire appears to prioritize encryption speed over comprehensive recovery prevention, which is actually a potential advantage for incident responders.

Double Extortion in Practice

NightSpire operates a Tor-based data leak site (DLS) with countdown timers that tick toward the public disclosure of stolen data. Victims who do not pay face staged data releases designed to maximize pressure. The group communicates through encrypted channels — ProtonMail, OnionMail, and Telegram — and maintains a structured negotiation process.

In one of the more notable incidents, NightSpire exfiltrated approximately 1.5 TB of data from Al Tadawi Specialty Hospital in Dubai, UAE, in June 2025, an attack that highlighted the real-world impact on organizations handling sensitive personal and medical data.

The Milano Attack: February 2026

The most recent public activity attributed to NightSpire is the claimed attack on Ecommerce Facility Milano (ecommercefacilitymilano.com), announced on February 14, 2026. The group has threatened to expose sensitive data unless demands are met. This attack fits the established pattern: an Italian SME, likely with an exposed FortiGate management interface, compromised through the same access vector NightSpire has been exploiting for nearly a year.

Detection: What to Look For

Organizations running affected FortiOS or FortiProxy versions should immediately audit logs for indicators of compromise. Key detection points include:

Log-Based Indicators

Look for administrative login events via the jsconsole interface originating from unusual or external IP addresses:

user="admin" ui="jsconsole" srcip=<external_IP> action="login" status="success"

Pay special attention to login events where srcip and dstip are identical — particularly if they match known VPS hosting provider ranges. This is a strong indicator of CVE-2024-55591 exploitation.

Configuration Change Indicators

Monitor for the following changes that were consistently observed across attack campaigns:

  • Creation of new administrative or local user accounts with randomized usernames
  • Addition of accounts to SSL VPN user groups
  • Creation of new SSL VPN portals or modification of existing ones
  • Changes to firewall policies, particularly those that open new access paths
  • Unexpected configuration changes logged as "Object attribute configured" events

Network Indicators

Connections to the following should be monitored:

  • Unexpected outbound connections to MEGA cloud storage infrastructure (indicative of NightSpire exfiltration)
  • SSL VPN tunnel establishment from newly created accounts
  • Lateral movement patterns using PsExec, WMI, or PowerShell remoting from the firewall's network segment
  • Rclone traffic to cloud storage endpoints

Remediation: What to Do Right Now

Immediate Actions

Critical: CISA set a federal remediation deadline of January 21, 2025 — just seven days after adding CVE-2024-55591 to the KEV catalog, significantly shorter than the typical two- to three-week window under BOD 22-01. If you are still running a vulnerable version, treat this as an emergency.

1. Patch. Upgrade to FortiOS 7.0.17 or higher, FortiProxy 7.0.20 or higher, or FortiProxy 7.2.13 or higher. This is non-negotiable. Every day spent on a vulnerable version is another day an attacker can walk through the front door.

2. Restrict management interface access. If your FortiGate management interface is exposed to the public internet, shut it down or restrict access to trusted IP addresses using local-in policies. Arctic Wolf confirmed that every victim in their tracking was exposing the management web interface to the public internet. This is the single most impactful configuration change you can make.

3. Audit for compromise. Review system logs for the indicators described above. Check for any administrative or local user accounts you do not recognize. Verify SSL VPN configurations for unauthorized portals or user group memberships. If you find evidence of exploitation, treat the device as compromised and initiate a full incident response process.

4. Rotate credentials. Change all administrative passwords on affected devices. If attackers had super-admin access, they may have extracted credentials that could be used for lateral movement.

Longer-Term Hardening

Enforce multi-factor authentication for all administrative access, even though this specific vulnerability bypasses traditional authentication. MFA creates additional barriers for other attack vectors and is a standard hardening practice.

Implement network segmentation to limit the blast radius if a perimeter device is compromised. Firewall management interfaces should be on dedicated management VLANs, not accessible from general-purpose networks.

Deploy behavioral detection. Because NightSpire relies on legitimate tools, signature-based defenses are insufficient. Endpoint detection and response (EDR) solutions with behavioral analysis capabilities are essential for detecting the post-exploitation activity that follows a FortiOS compromise.

Harden all remote access points. While CVE-2024-55591 is NightSpire's primary vector, the group also exploits weak RDP credentials, vulnerable VPN appliances, and phishing. Enforce strong passwords and multi-factor authentication on all remote access services, and disable any unnecessary external-facing services.

Maintain offline backups. NightSpire's decision not to delete Volume Shadow Copies is not a guarantee of recovery. Organizations should maintain tested, offline backups as the most reliable defense against ransomware encryption.

The Bigger Picture

CVE-2024-55591 is not an isolated incident. It is part of a recurring pattern of critical vulnerabilities in Fortinet products that have been exploited by threat actors ranging from financially motivated ransomware operators to state-sponsored APT groups. Prominent FortiOS zero-day flaws in recent years include CVE-2024-21762 (February 2024), CVE-2023-27997 (June 2023), CVE-2022-42475 (December 2022), and CVE-2022-40684 (October 2022) — the last of which is the direct predecessor to CVE-2024-55591, sharing the same CWE-288 classification and similar exploitation patterns.

The pattern has continued beyond CVE-2024-55591. In December 2025, Fortinet disclosed CVE-2025-59718 and CVE-2025-59719, critical vulnerabilities classified under CWE-347 (Improper Verification of Cryptographic Signature) affecting FortiCloud SSO login across FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager. These flaws allowed unauthenticated bypass of FortiCloud SSO authentication via crafted SAML messages. Arctic Wolf began observing exploitation of these flaws on December 12, within three days of the December 9 patch release. By late January 2026, multiple Fortinet customers reported unexpected login activity on devices that had already been fully patched against these flaws, which led to the disclosure on January 27 of a net-new vulnerability, CVE-2026-24858 (CWE-288). Fortinet confirmed this was a separate issue rather than a bypass of existing patches. In response, Fortinet temporarily disabled FortiCloud SSO at the cloud level on January 26, 2026 and re-enabled the service on January 27 with restrictions preventing login from devices running vulnerable firmware. The episode reinforced the urgency of defense-in-depth strategies beyond patching alone.

The relationship between CVE-2024-55591 and NightSpire ransomware also illustrates a broader trend: the rapid weaponization of network perimeter vulnerabilities by ransomware operators. The window between vulnerability disclosure and active exploitation by organized crime groups has compressed dramatically. In NightSpire's case, exploitation was already underway weeks before the public advisory existed.

For organizations that rely on Fortinet products at their network perimeter, the lesson is straightforward. Exposed management interfaces are an existential risk. Patching cycles need to be measured in hours, not weeks. And the assumption that your firewall is your strongest line of defense needs to be replaced with the assumption that any internet-facing device can be compromised.

Sources

  • Fortinet PSIRT Advisory FG-IR-24-535
  • NIST National Vulnerability Database, CVE-2024-55591
  • CISA Known Exploited Vulnerabilities Catalog, CVE-2024-55591
  • Arctic Wolf, "Console Chaos: A Campaign Targeting Publicly Exposed Management Interfaces on FortiGate Firewalls" (January 2025)
  • Arctic Wolf, "Malicious Configuration Changes on Fortinet FortiGate Devices via SSO Accounts" (January 2026)
  • watchTowr Labs, "Get FortiRekt, I Am The Super_Admin Now" (January 2025)
  • Halcyon, "NightSpire Ransomware" threat group profile
  • SOCRadar, "Dark Web Profile: NightSpire Ransomware" (May 2025)
  • S-RM, "Ransomware in Focus: Meet NightSpire" (March 2025)
  • Cyble, "NightSpire Ransomware Group: Tactics, Targets & Threats" (May 2025)
  • Xcitium, "NightSpire Ransomware: Emerging Double-Extortion Threat" (February 2026)
  • HivePro, "NightSpire Ransomware Expands Reach with Aggressive Extortion Deadlines"
  • Tenable, "CVE-2024-55591: Fortinet Authentication Bypass Zero-Day Vulnerability Exploited in the Wild" (February 2025)
  • Rapid7, "Fortinet Firewalls Hit with New Zero-Day Attack" (January 2025)
  • Help Net Security, "Fortinet fixes FortiOS zero-day exploited by attackers for months" (January 2025)
  • Help Net Security, "Fully patched FortiGate firewalls are getting compromised via CVE-2025-59718?" (January 2026)
  • Fortinet, "Analysis of Single Sign-On Abuse on FortiOS" (January 2026)
  • Rapid7, "Critical vulnerabilities in Fortinet CVE-2025-59718, CVE-2025-59719 exploited in the wild" (December 2025, updated January 2026)
  • DeXpose, "NightSpire Ransomware Targets Ecommerce Facility Milano" (February 2026)
  • RedPacket Security, "NightSpire Ransomware Victim: Al Tadawi Specialty Hospital" (June 2025)
  • Proven Data, "NightSpire Ransomware: How It Works and How to Defend Against It" (February 2026)
  • CISA, "Fortinet Releases Guidance to Address Ongoing Exploitation of Authentication Bypass Vulnerability CVE-2026-24858" (January 2026)
  • ASEC, "Warning About NightSpire Ransomware Following Cases of Damage in South Korea" (August 2025)
  • Fortinet PSIRT Advisory FG-IR-26-060, CVE-2026-24858