<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=1354242&amp;fmt=gif">

Fortinet Vulnerability | January 2025

Fortinet Vulnerability Overview

 

Vulnerability Update

(2/11/2025) Fortinet warned today that attackers are exploiting another authentication bypass bug in FortiOS and FortiProxy to hijack Fortinet firewalls and breach enterprise networks.

Successful exploitation of this vulnerability (CVE-2025-24472) allows remote attackers to gain super-admin privileges by making maliciously crafted CSF proxy requests. The security flaw impacts FortiOS 7.0.0 through 7.0.16, FortiProxy 7.0.0 through 7.0.19, and FortiProxy 7.2.0 through 7.2.12. Fortinet added the bug as a new CVE-ID to a security advisory issued last month when it cautioned customers that threat actors were actively exploiting a FortiOS and FortiProxy auth bypass (tracked as CVE-2024-55591 and impacting the identical software versions).

  • For additional information, refer to the Fortinet PSIRT post

(2/4/2025) Our intelligence indicates that multiple ransomware groups have been actively exploiting this vulnerability. Given the critical nature of this vulnerability, we strongly encourage you to apply the patch and take the necessary actions immediately to safeguard your environment.

Successful exploitation of this vulnerability (CVE-2025-24472) allows remote attackers to gain super-admin privileges by making maliciously crafted CSF proxy requests. The security flaw impacts FortiOS 7.0.0 through 7.0.16, FortiProxy 7.0.0 through 7.0.19, and FortiProxy 7.2.0 through 7.2.12. Fortinet added the bug as a new CVE-ID to a security advisory issued last month when it cautioned customers that threat actors were actively exploiting a FortiOS and FortiProxy auth bypass (tracked as CVE-2024-55591 and impacting the identical software versions).

  • For additional information, refer to the Fortinet PSIRT post 

Background Information

A critical authentication bypass vulnerability (CVE-2024-55591) affecting Fortinet's FortiOS and FortiProxy products is actively being exploited in the wild. The vulnerability allows remote attackers to gain super-admin privileges through crafted requests to the Node.js websocket module. Given the active exploitation, please read the following and take action immediately.

Impact of the Vulnerability

The vulnerability affects the following versions:

  • FortiOS versions 7.0.0 through 7.0.16
  • FortiProxy versions 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12

Exploitation of this vulnerability allows attackers to bypass authentication and gain unauthorized access, enabling them to:

  • Create unauthorized super-admin accounts, granting attackers full administrative control over the device.
  • Modify firewall configurations, potentially bypassing security controls and disrupting network operations.
  • Establish SSL VPN tunnels to gain remote access to internal networks, providing a foothold for further exploitation.
  • Harvest credentials for lateral movement within the network, enabling attackers to compromise additional systems.

Next Steps for Fortinet Customers:

  1. Immediately upgrade to the patched versions listed below:
    • FortiOS 7.0.17 or above
    • FortiProxy 7.2.13 or above
  2. If you aren’t able to patch right away, available workarounds are the following:
    • Disable HTTP/HTTPS administrative interface
    • Limit IP addresses that can reach the administrative interface via local-in policies
    • Monitor logs for suspicious activities, especially jsconsole logins
  3. Long-term Recommendations:
    • Check your systems for evidence of indicators of compromise (IOCs). See here for a list of IOCs.
    • Remove firewall management interfaces from public internet access
    • Implement strong authentication mechanisms
    • Regularly audit system logs for unauthorized changes

Recent Articles

Understanding Business Email Compromise and How It Drives Claims


Business Email Compromise drives billions in losses each year. Learn how BEC works, its impact on claims, and key defenses like out-of-band authentication.

ClickFix and FileFix: How Hackers Get Victims to Infect Their Own Computers


ClickFix and FileFix attacks trick users into self-infecting devices. Learn how they work, why they spread, and how to help defend against them.

Q2 '25 Travelers Cyber Threat Report: How BEC Drives Cyber Claims


Ransomware declines in Q2 2025, but BEC and social engineering fraud remain significant challenges for businesses. Learn more in our latest report.