Vulnerability and Threat Alerts
      Back to home
      1. Knowledge Base
      2. Cybersecurity Tips + Vulnerability Alerts
      3. Vulnerability and Threat Alerts

      Fortinet Vulnerability | January 2025

      Fortinet customers could be at risk due to a critical security flaw. Here's what you need to know.

      Update - February 11th, 2025

      Fortinet warned today that attackers are exploiting another authentication bypass bug in FortiOS and FortiProxy to hijack Fortinet firewalls and breach enterprise networks.

      Successful exploitation of this vulnerability (CVE-2025-24472) allows remote attackers to gain super-admin privileges by making maliciously crafted CSF proxy requests. The security flaw impacts FortiOS 7.0.0 through 7.0.16, FortiProxy 7.0.0 through 7.0.19, and FortiProxy 7.2.0 through 7.2.12. Fortinet added the bug as a new CVE-ID to a security advisory issued last month when it cautioned customers that threat actors were actively exploiting a FortiOS and FortiProxy auth bypass (tracked as CVE-2024-55591 and impacting the identical software versions)

      • For additional information, refer to the Fortinet PSIRT post 

      Update - February 4th, 2025

      Our intelligence indicates that multiple ransomware groups have been actively exploiting this vulnerability. Given the critical nature of this vulnerability, we strongly encourage you to apply the patch and take the necessary actions immediately to safeguard your environment.

      • For additional workaround steps, refer to the Fortinet PSIRT post 

      Background

      A critical authentication bypass vulnerability (CVE-2024-55591) affecting Fortinet's FortiOS and FortiProxy products is actively being exploited in the wild. The vulnerability allows remote attackers to gain super-admin privileges through crafted requests to the Node.js websocket module. Given the active exploitation, please read the following and take action immediately.

      Impact

      The vulnerability affects:

      • FortiOS versions 7.0.0 through 7.0.16
      • FortiProxy versions 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12

      Exploitation of this vulnerability allows attackers to bypass authentication and gain unauthorized access, enabling them to:

      • Create unauthorized super-admin accounts, granting attackers full administrative control over the device.
      • Modify firewall configurations, potentially bypassing security controls and disrupting network operations.
      • Establish SSL VPN tunnels to gain remote access to internal networks, providing a foothold for further exploitation.
      • Harvest credentials for lateral movement within the network, enabling attackers to compromise additional systems.

      Next Steps for Fortinet Customers:

      1. Immediately upgrade to the patched versions listed below:

        • FortiOS 7.0.17 or above
        • FortiProxy 7.2.13 or above

      2. If immediate patching is not possible:

      • Disable HTTP/HTTPS administrative interface
      • Limit IP addresses that can reach the administrative interface via local-in policies
      • Monitor logs for suspicious activities, especially jsconsole logins

      3. Long-term Recommendations:

      • Check your systems for evidence of indicators of compromise (IOCs). See here for a list of IOCs.
      • Remove firewall management interfaces from public internet access
      • Implement strong authentication mechanisms
      • Regularly audit system logs for unauthorized changes