CVE-2025-24472: Critical Fortinet FortiOS and FortiProxy Authentication Bypass Advisory
Fortinet FortiOS and FortiProxy contain an authentication bypass vulnerability that allows a remote attacker to gain super-admin privileges via crafted CSF proxy requests.
FREQUENTLY ASKED
What is CVE-2025-24472 and why does it matter?
CVE-2025-24472 is a high-severity authentication bypass vulnerability affecting Fortinet FortiOS and FortiProxy. It allows unauthenticated remote attackers to gain super-admin privileges. This matters significantly because the vulnerability is actively exploited in the wild, has been linked to ransomware activities, and poses a total threat to the technical impact and integrity of affected systems.
Which versions of the product are affected?
The vulnerability affects FortiOS versions 7.0.0 through 7.0.16 and FortiProxy versions 7.2.0 through 7.2.12 as well as 7.0.0 through 7.0.19. Deployments are particularly at risk if the Security Fabric feature is enabled, as the exploit relies on crafted CSF proxy requests between upstream and downstream devices.
Has a patch been released?
Yes, Fortinet has addressed this vulnerability in updated versions of FortiOS and FortiProxy. Administrators should consult the FortiGuard PSIRT advisory FG-IR-24-535 for specific firmware upgrade paths. Immediate updating to non-vulnerable versions is the primary recommended defense against this actively exploited threat.
What is the remediation deadline is and what it means for compliance?
The remediation deadline is 2025-04-08. For organizations subject to CISA's Binding Operational Directive (BOD) 22-01, this date represents the mandatory cutoff for applying patches. Failing to meet this deadline can lead to compliance failures and, more importantly, leaves the infrastructure vulnerable to known ransomware and state-sponsored exploitation.
How to check if an instance/deployment is affected?
To determine if you are affected, check the current firmware version of your FortiOS or FortiProxy devices. If the version falls within the 7.0.0-7.0.16 (FortiOS) or 7.0.0-7.2.12 (FortiProxy) range and the Security Fabric is enabled, your instance is vulnerable. Additionally, audit logs for unusual CSF proxy requests or unauthorized administrative access.
CVE-2025-24472 represents a critical security failure in Fortinet's FortiOS and FortiProxy platforms. This authentication bypass vulnerability, classified under CWE-288, carries a CVSS score of 8.1 and is currently being exploited in the wild. Given its link to ransomware operations and its ability to grant unauthenticated attackers super-admin privileges, organizations must prioritize remediation before the April 8, 2025 deadline.
The core of CVE-2025-24472 lies in CWE-288: Authentication Bypass Using an Alternate Path or Channel. This specific type of weakness occurs when a system provides multiple paths for authentication or communication, and one of those paths does not properly enforce security controls. In the context of Fortinet products, the vulnerability is triggered within the Security Fabric, a framework designed to allow different Fortinet devices to share telemetry and management data.
The Role of Security Fabric and CSF Proxy Requests
The Security Fabric utilizes the Communication Service Fabric (CSF) protocol to synchronize configurations and status across a network. When the Security Fabric is enabled, a "root" FortiGate or upstream device can proxy requests to "downstream" devices. This is intended to simplify administration by allowing a single pane of glass for management.
However, the flaw exists in how the downstream device validates these proxied requests. An attacker who has obtained the serial numbers of both the upstream and downstream devices can craft a malicious CSF proxy request. Because the downstream device assumes the request is coming from a trusted, authenticated upstream peer, it fails to perform the necessary secondary authentication checks on the crafted request.
Attack Chain and Surface Analysis
The attack chain for CVE-2025-24472 follows a sophisticated yet direct path:
Reconnaissance: The attacker identifies a target running FortiOS or FortiProxy with the Security Fabric enabled. They must acquire the serial numbers of the devices involved. While CVSS rates Attack Complexity as "High" due to this requirement, serial numbers are often leaked through OSINT, physical labels, or unencrypted management protocols.
Crafting the Request: The attacker generates a CSF proxy request designed to execute administrative commands. This request is structured to appear as if it originated from the legitimate upstream management device.
Bypass: The downstream device receives the crafted request and, due to the CWE-288 flaw, processes it without requiring the attacker to provide valid administrative credentials.
Escalation: The attacker gains super-admin privileges, providing total control over the downstream device, including the ability to modify firewall rules, intercept traffic, or deploy further malware.
The blast radius is significant. Because FortiProxy and FortiOS often sit at the edge of the enterprise network, compromising these devices allows for lateral movement into the internal infrastructure, making it a prime target for ransomware groups.
Who Is Affected: Impacted Versions and Compliance
This vulnerability impacts organizations globally that rely on Fortinet's ecosystem for perimeter security and proxy services. Specific impacted versions include:
FortiOS: 7.0.0 through 7.0.16
FortiProxy: 7.2.0 through 7.2.12
FortiProxy: 7.0.0 through 7.0.19
CISA BOD 22-01 Compliance
Due to active exploitation, CISA has added CVE-2025-24472 to the Known Exploited Vulnerabilities (KEV) catalog. For U.S. Federal Civilian Executive Branch (FCEB) agencies, compliance with Binding Operational Directive (BOD) 22-01 is mandatory. These agencies, along with many private sector entities that mirror CISA's requirements, must apply the remediation steps by April 8, 2025. Failure to do so not only increases the risk of a breach but also constitutes a failure in regulatory and security compliance standards.
Official Remediation Steps
Fortinet has released security updates to mitigate this vulnerability. Administrators are urged to follow these steps immediately:
Identify Vulnerable Assets: Audit all FortiOS and FortiProxy instances to determine if they are running the affected versions listed above.
Check Configuration: Verify if the Security Fabric feature is enabled. If it is not required for your current operations, disabling it can act as an immediate temporary mitigation.
Validate Remediation: After patching, ensure that the CSF communication is restricted and that administrative access is monitored for any residual unauthorized sessions.
Beyond patching CVE-2025-24472, organizations should adopt a defensive-in-depth strategy to harden their Fortinet deployments against similar authentication bypasses:
Restrict Administrative Access: Implement IP-based access control lists (ACLs) for the management interface. Only allow administrative traffic from trusted internal subnets or dedicated management VPNs.
Enable Multi-Factor Authentication (MFA): Ensure that all administrative accounts, especially super-admins, require MFA. This provides a secondary layer of protection even if an authentication bypass attempt is partially successful.
Secure Serial Number Data: Treat device serial numbers as sensitive information. Avoid exposing them in publicly accessible logs or documentation, as they are often used as a component in knowledge-based authentication bypasses.
Monitor CSF Traffic: Use internal monitoring tools or FortiAnalyzer to detect unusual CSF proxy requests or management traffic originating from unexpected sources.
Network Segmentation: Isolate the Security Fabric management traffic to a dedicated VLAN. This limits the ability of an attacker on the general network to inject crafted proxy requests into the fabric.
Implement Zero Trust Architecture: Adopt a Zero Trust approach where every request, even those seemingly originating from "trusted" internal fabric members, is verified and inspected for malicious intent.
Regular Log Audits: Periodically review administrative logs for unauthorized changes to system settings or the creation of new administrative accounts, which are common post-exploitation activities for ransomware actors.