
CVE-2024-55591: The FortiOS Authentication Bypass That Handed Attackers the Keys to the Kingdom

ID: bbb1627c-4725-5104-a45a-a9ecb984ced5

STIX ID: report--bbb1627c-4725-5104-a45a-a9ecb984ced5

Feed Name: NoHackie

Threat Score: 90/100

Date Published: 2026-02-26

Date Updated: 2026-04-19


This report details CVE-2024-55591, a critical Node.js WebSocket authentication bypass in FortiOS/FortiProxy that allowed unauthenticated remote attackers to obtain super-admin CLI access. It documents active exploitation since late 2024, a public PoC, and the subsequent weaponization by the NightSpire ransomware group (data exfiltration and double extortion), along with observed campaign phases and indicators. It prescribes urgent mitigations, including patching, restricting management access, and incident response audits.
