External risk intelligence

FortiOS and FortiProxy Authentication Bypass Vulnerability

CVE advisoryKnown Exploit

CVE-2025-24472

A vulnerability in FortiOS and FortiProxy may allow an unauthenticated attacker to gain elevated administrative privileges. Exploitation requires knowledge of device serial numbers and the Security Fabric to be enabled, leading to unauthorized administrative control. The realistic business risk involves potential disru

3Halo Surface Signal

Authentication Bypass

Fortinet Fortiproxy

7.0.0 to before 7.0.207.2.0 to before 7.2.137.0.0 to before 7.0.17

External exposure likelihood

Halo Surface Signal score for CVE-2025-24472

The vulnerability affects Fortinet Security Fabric communications. While Fortinet devices are often internet-facing, this attack requires the Security Fabric to be enabled and involves specific internal CSF proxy requests. Access is not a direct public web exploit, making successful exploitation dependent on specific configurations and the attacker's knowledge of internal device serial numbers.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Horizon Alert

Summary of the vulnerability and why it matters

Fortinet FortiOS and FortiProxy products contain a vulnerability that could allow an attacker to bypass authentication. This could lead to unauthorized access with elevated privileges on a downstream device if the Security Fabric is enabled. The main impact involves unauthorized administrative control over network devices.

  • Vulnerable Fortinet devices
  • Authentication bypass flaw
  • Loss of administrative control

Attack Path

How an attacker could exploit the issue

This vulnerability could allow an attacker to bypass authentication and gain elevated privileges on a targeted device. Successful exploitation requires the attacker to know the serial numbers of upstream and downstream devices within a Security Fabric configuration. This could lead to unauthorized access and control over critical network functions.

  • Requires knowledge of device serial numbers.
  • Attacker sends crafted proxy requests.
  • Results in super-admin control.

Live Threat

Current exploitation, exposure, and threat context

The identified vulnerability presents a significant risk due to the potential for unauthorized access to sensitive system controls. Attackers with advanced technical skills could exploit this by bypassing authentication mechanisms, leading to the acquisition of super-admin privileges. This could enable them to make extensive changes to the affected systems and potentially disrupt business operations.

  • Likely attacker skill level: Advanced
  • Required access or conditions: Network access and knowledge of device serial numbers
  • Business risk or urgency: High

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

An authentication bypass vulnerability exists in FortiOS and FortiProxy. This issue could permit an unauthenticated attacker to obtain elevated administrative privileges on a downstream device when the Security Fabric is enabled. The attack requires specific knowledge of upstream and downstream device serial numbers and the use of crafted proxy requests.

  • Identify affected FortiOS and FortiProxy assets.
  • Reduce exposure by disabling the Security Fabric if possible or isolating network segments.
  • Apply vendor patches, verify remediation, and monitor for suspicious activity.

Frequently asked questions

What is FortiOS and FortiProxy, and how are they used in network security?

FortiOS is the operating system for Fortinet's FortiGate network security devices, managing their functions. FortiProxy is a secure web proxy solution. Together, they help organizations protect networks, control traffic, and enforce security policies.

What is the core weakness in CVE-2025-24472, and what is its CWE classification?

CVE-2025-24472 is classified under CWE-288, indicating an Authentication Bypass Using an Alternate Path or Channel. This means an attacker can circumvent standard authentication protocols to gain unauthorized access.

How can an attacker exploit this vulnerability, and what information is needed?

An attacker can exploit this by sending specially crafted CSF proxy requests. This attack requires prior knowledge of the serial numbers for both upstream and downstream devices within a configured Security Fabric.

What is the significance of the Halo Surface Signal for CVE-2025-24472?

The Halo Surface Signal indicates a 'Possible' threat level for CVE-2025-24472. This is because the vulnerability affects Fortinet Security Fabric communications, and while some components are internet-facing, exploitation requires specific configurations and knowledge of internal device serial numbers, making it not a direct public web exploit.

What are the recommended steps to address this authentication bypass vulnerability?

Organizations should identify all affected FortiOS and FortiProxy assets. To reduce risk, consider disabling the Security Fabric if feasible or isolating network segments. Applying vendor-provided patches is crucial, followed by verification of remediation and continuous monitoring for any unusual activity.

References

Cyber Threat Intelligence (CTI)

Sources: threatActor

Sources and related resources

Primary sources: NVD, CVE.org, CISA KEV.

NVDPublished Modified