Fortinet Vulnerability | January 2025

Fortinet Vulnerability Overview

Vulnerability Update

(2/11/2025) Fortinet warned today that attackers are exploiting another authentication bypass bug in FortiOS and FortiProxy to hijack Fortinet firewalls and breach enterprise networks.

Successful exploitation of this vulnerability (CVE-2025-24472) allows remote attackers to gain super-admin privileges by making maliciously crafted CSF proxy requests. The security flaw impacts FortiOS 7.0.0 through 7.0.16, FortiProxy 7.0.0 through 7.0.19, and FortiProxy 7.2.0 through 7.2.12. Fortinet added the bug as a new CVE-ID to a security advisory issued last month when it cautioned customers that threat actors were actively exploiting a FortiOS and FortiProxy auth bypass (tracked as CVE-2024-55591 and impacting the identical software versions).

• For additional information, refer to the Fortinet PSIRT post

(2/4/2025) Our intelligence indicates that multiple ransomware groups have been actively exploiting this vulnerability. Given the critical nature of this vulnerability, we strongly encourage you to apply the patch and take the necessary actions immediately to safeguard your environment.

Successful exploitation of this vulnerability (CVE-2025-24472) allows remote attackers to gain super-admin privileges by making maliciously crafted CSF proxy requests. The security flaw impacts FortiOS 7.0.0 through 7.0.16, FortiProxy 7.0.0 through 7.0.19, and FortiProxy 7.2.0 through 7.2.12. Fortinet added the bug as a new CVE-ID to a security advisory issued last month when it cautioned customers that threat actors were actively exploiting a FortiOS and FortiProxy auth bypass (tracked as CVE-2024-55591 and impacting the identical software versions).

• For additional information, refer to the Fortinet PSIRT post 

Background Information

A critical authentication bypass vulnerability (CVE-2024-55591) affecting Fortinet's FortiOS and FortiProxy products is actively being exploited in the wild. The vulnerability allows remote attackers to gain super-admin privileges through crafted requests to the Node.js websocket module. Given the active exploitation, please read the following and take action immediately.

Impact of the Vulnerability

The vulnerability affects the following versions:

• FortiOS versions 7.0.0 through 7.0.16

• FortiProxy versions 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12

Exploitation of this vulnerability allows attackers to bypass authentication and gain unauthorized access, enabling them to:

• Create unauthorized super-admin accounts, granting attackers full administrative control over the device.

• Modify firewall configurations, potentially bypassing security controls and disrupting network operations.

• Establish SSL VPN tunnels to gain remote access to internal networks, providing a foothold for further exploitation.

• Harvest credentials for lateral movement within the network, enabling attackers to compromise additional systems.

Next Steps for Fortinet Customers:

1. Immediately upgrade to the patched versions listed below:

   • FortiOS 7.0.17 or above

   • FortiProxy 7.2.13 or above

2. If you aren’t able to patch right away, available workarounds are the following:

   • Disable HTTP/HTTPS administrative interface

   • Limit IP addresses that can reach the administrative interface via local-in policies

   • Monitor logs for suspicious activities, especially jsconsole logins

3. Long-term Recommendations:

   • Check your systems for evidence of indicators of compromise (IOCs). See here for a list of IOCs.

   • Remove firewall management interfaces from public internet access

   • Implement strong authentication mechanisms

   • Regularly audit system logs for unauthorized changes