CVE-2025-24472
published 2025-02-11


Priority: P1 · 92 · high
CVSS 3.1: 8.1 (AV:N / AC:H / PR:N / UI:N / S:U / C:H / I:H / A:H)
Flags: KEV · ITW · Ransomware
CISA Known Exploited Vulnerability, due 2025-04-08
Exploited in the wild
EPSS: 2.99% (85.6th percentile)
An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS 7.0.0 through 7.0.16 and FortiProxy 7.2.0 through 7.2.12, 7.0.0 through 7.0.19 may allow a remote unauthenticated attacker with prior knowledge of the upstream and downstream devices' serial numbers to gain super-admin privileges on the downstream device, if the Security Fabric is enabled, via crafted CSF proxy requests.

Affected

8 ranges

Vendor    Product     Version range        Fixed in
fortinet  fortios
fortinet  fortios     >= 7.0.0 < 7.0.17    7.0.17
fortinet  fortios     7.0.0 – 7.0.16
fortinet  fortiproxy
fortinet  fortiproxy  >= 7.0.0 < 7.0.20    7.0.20
fortinet  fortiproxy  7.0.0 – 7.0.19
fortinet  fortiproxy  >= 7.2.0 < 7.2.13    7.2.13
fortinet  fortiproxy  7.2.0 – 7.2.12

Detection & IOCs (extracted from sources)

process: forticloud-tech (admin account)
process: fortigate-firewall (admin account)
process: adnimistrator (admin account)
  • Detect exploitation attempts via crafted CSF proxy requests to FortiOS/FortiProxy management interfaces — the attack vector for CVE-2025-24472 requires Security Fabric to be enabled and uses HTTPS requests to exposed firewall interfaces.
  • Monitor for WebSocket-based attacks via the jsconsole interface on FortiOS/FortiProxy as an alternate exploitation pathway (shared with CVE-2024-55591).
  • Alert on creation of new local/admin accounts on FortiGate devices, especially accounts named 'forticloud-tech', 'fortigate-firewall', or 'adnimistrator', and their addition to SSL VPN user groups.
  • Monitor for automation task modifications on FortiGate that recreate deleted admin accounts — a persistence mechanism used by Mora_001 post-exploitation.
  • Detect lateral movement from compromised FortiGate devices using WMIC, SSH, and TACACS+/RADIUS authentication, as well as newly added VPN accounts and stolen VPN credentials.
  • Ransom notes dropped by SuperBlack contain a TOX chat ID linked to LockBit operations — presence of this TOX ID in ransom notes can be used as a cluster attribution indicator.
  • CVE-2025-24472 is only exploitable when Security Fabric (CSF) is enabled on the FortiOS/FortiProxy device — organizations without Security Fabric enabled are not exposed to this specific attack path.
  • Exploitation requires prior knowledge of both upstream and downstream device serial numbers — this is not a fully blind attack and implies some degree of prior reconnaissance or insider knowledge.
  • Organizations that already patched for CVE-2024-55591 (FortiOS 7.0.17+, FortiProxy 7.0.20/7.2.13+) are also protected against CVE-2025-24472 — no additional patch action is required if previously remediated.
  • As a workaround when patching is not immediately possible, disabling the HTTP/HTTPS administrative interface or restricting access via local-in policies mitigates the attack surface.
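The admin-account, SSL VPN group and automation-stitch checks listed above, as an added detection example (not the page's or Fortinet's own code): it parses constructed FortiGate-style key=value event lines and flags the configuration changes the bullets describe. The field names (cfgpath, cfgobj, action, cfgattr) and all sample values are assumptions, not real captures.

```python
import re

# Admin account names reported for this intrusion set (page's IOC list).
SUSPICIOUS_ADMINS = {"forticloud-tech", "fortigate-firewall", "adnimistrator"}

# Constructed sample lines in FortiGate's key=value event-log style (not real
# captures); the cfgpath/cfgobj/action/cfgattr fields are assumed to follow the
# device's configuration-change logging.
SAMPLE_LOGS = [
    'date=2025-03-01 time=10:02:11 type="event" subtype="system" user="admin" '
    'ui="https(198.51.100.7)" action="Add" cfgpath="system.admin" cfgobj="forticloud-tech"',
    'date=2025-03-01 time=10:03:40 type="event" subtype="system" user="forticloud-tech" '
    'ui="https(198.51.100.7)" action="Edit" cfgpath="user.group" cfgobj="sslvpn_users" '
    'cfgattr="member[forticloud-tech]"',
    'date=2025-03-01 time=10:05:02 type="event" subtype="system" user="forticloud-tech" '
    'ui="https(198.51.100.7)" action="Add" cfgpath="system.automation-stitch" cfgobj="readmin"',
    'date=2025-03-01 time=11:00:00 type="event" subtype="system" user="admin" '
    'ui="ssh(10.0.0.5)" action="Edit" cfgpath="firewall.policy" cfgobj="12"',
]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # quoted (may hold spaces) or bare value

def parse_kv(line: str) -> dict:
    """Parse one FortiGate-style log line into a field dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}

def classify(ev: dict) -> str:
    """Map a config-change event to an alert label, or '' when not of interest."""
    path, obj, action = ev.get("cfgpath", ""), ev.get("cfgobj", ""), ev.get("action", "")
    if path == "system.admin" and action == "Add":
        # Any new admin deserves review; a known attacker-chosen name is an IOC hit.
        return "ADMIN_ADD_IOC" if obj in SUSPICIOUS_ADMINS else "ADMIN_ADD"
    if path == "user.group" and "sslvpn" in obj.lower():
        # VPN-group membership granted to one of the rogue accounts.
        if any(name in ev.get("cfgattr", "") for name in SUSPICIOUS_ADMINS):
            return "SSLVPN_GROUP_IOC_MEMBER"
    if path == "system.automation-stitch":
        # Automation stitches were used to recreate deleted admin accounts.
        return "AUTOMATION_STITCH_CHANGE"
    return ""

def scan(lines: list) -> list:
    """Run every line through the rules and keep the alerts with their context."""
    alerts = []
    for ev in map(parse_kv, lines):
        label = classify(ev)
        if label:
            alerts.append({"alert": label, "user": ev.get("user", ""),
                           "ui": ev.get("ui", ""), "obj": ev.get("cfgobj", "")})
    return alerts
```

Running `scan(SAMPLE_LOGS)` yields three alerts (the firewall-policy edit is ignored); in production the same rules would run over the syslog feed from the FortiGate, with the `ui` field giving the source interface and address of the change.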

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     8.1    HIGH      CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck           8.1    HIGH
cisa                8.1    HIGH