CVE-2025-24472
Published 2025-02-11
Priority P192 · high · CVSS 3.1 base score 8.1
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · Ransomware
CISA Known Exploited Vulnerability, remediation due 2025-04-08
Exploited in the wild
EPSS: 2.99% (85.6th percentile)
An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS 7.0.0 through 7.0.16 and FortiProxy 7.2.0 through 7.2.12, 7.0.0 through 7.0.19 may allow a remote unauthenticated attacker with prior knowledge of upstream and downstream devices serial numbers to gain super-admin privileges on the downstream device, if the Security Fabric is enabled, via crafted CSF proxy requests.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fortinet | fortios | 7.0.0 – 7.0.16 (>= 7.0.0 < 7.0.17) | 7.0.17 |
| fortinet | fortiproxy | 7.0.0 – 7.0.19 (>= 7.0.0 < 7.0.20) | 7.0.20 |
| fortinet | fortiproxy | 7.2.0 – 7.2.12 (>= 7.2.0 < 7.2.13) | 7.2.13 |
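The affected ranges above only say which builds carry the bug; whether a given firewall is actually reachable through this path also depends on the two preconditions in the advisory text (Security Fabric enabled, HTTP/HTTPS administrative interface reachable by the attacker). The following triage helper is an added example, not Fortinet or PSIRT tooling: it encodes the three ranges from the table, compares dotted versions numerically rather than as strings, and combines the result with those two preconditions. The inventory record layout (`Device`) and the verdict names are assumptions made for this example.

```python
"""Triage a FortiOS / FortiProxy inventory against CVE-2025-24472.

Added example (not Fortinet code). Affected ranges and fixed builds are
taken from the advisory table; the CSF and admin-interface preconditions
from the advisory text. The Device record layout is an assumption.
"""
from dataclasses import dataclass

# (product, first affected, last affected, fixed in), per the advisory table.
# Trains not listed here (e.g. FortiOS 6.4, 7.2, 7.4) are not in scope of this CVE.
AFFECTED_RANGES = [
    ("fortios",    (7, 0, 0), (7, 0, 16), (7, 0, 17)),
    ("fortiproxy", (7, 0, 0), (7, 0, 19), (7, 0, 20)),
    ("fortiproxy", (7, 2, 0), (7, 2, 12), (7, 2, 13)),
]


def parse_version(text):
    """'7.0.16' or '7.0.16 build0667' -> (7, 0, 16). Build suffixes are ignored."""
    core = text.strip().split()[0].lstrip("v")
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiOS/FortiProxy version: {text!r}")
    return tuple(int(p) for p in parts)


def affected_range(product, version):
    """Return (lo, hi, fixed) for the matching vulnerable range, or None.

    Comparison is on integer tuples, so 7.0.9 < 7.0.16 is handled correctly
    (a plain string comparison would get that wrong).
    """
    v = parse_version(version)
    for prod, lo, hi, fixed in AFFECTED_RANGES:
        if prod == product.lower() and lo <= v <= hi:
            return lo, hi, fixed
    return None


@dataclass
class Device:
    name: str
    product: str              # "fortios" or "fortiproxy"
    version: str
    csf_enabled: bool         # Security Fabric (CSF) enabled on this device
    admin_http_exposed: bool  # HTTP/HTTPS admin interface reachable from untrusted networks


def triage(dev):
    """Return (verdict, reason) for one device.

    Verdict names are this example's own convention:
      not_affected           build outside the affected ranges or already fixed
      vulnerable_not_exposed affected build, but CSF disabled (this CVE's path is closed)
      vulnerable_mitigated   affected build, CSF enabled, admin interface restricted
      exposed                affected build, CSF enabled, admin interface reachable
    """
    rng = affected_range(dev.product, dev.version)
    if rng is None:
        return "not_affected", "version outside the affected ranges or already on a fixed build"
    fixed = ".".join(str(n) for n in rng[2])
    if not dev.csf_enabled:
        return "vulnerable_not_exposed", f"affected build but Security Fabric disabled; still upgrade to {fixed}"
    if not dev.admin_http_exposed:
        return "vulnerable_mitigated", f"affected build with CSF enabled, admin HTTP/HTTPS restricted; upgrade to {fixed}"
    return "exposed", f"affected build, CSF enabled, admin interface exposed: upgrade to {fixed} or restrict via local-in policy now"


if __name__ == "__main__":
    # Constructed inventory for demonstration; not real devices.
    fleet = [
        Device("edge-fw-1", "fortios", "7.0.16 build0667", csf_enabled=True, admin_http_exposed=True),
        Device("edge-fw-2", "fortios", "7.0.17", csf_enabled=True, admin_http_exposed=True),
        Device("branch-fw", "fortios", "7.0.9", csf_enabled=False, admin_http_exposed=True),
        Device("proxy-a", "fortiproxy", "7.2.5", csf_enabled=True, admin_http_exposed=False),
        Device("proxy-b", "fortiproxy", "7.2.13", csf_enabled=True, admin_http_exposed=True),
    ]
    for d in fleet:
        verdict, reason = triage(d)
        print(f"{d.name:10} {d.product:10} {d.version:18} {verdict:24} {reason}")
```

The "vulnerable_not_exposed" and "vulnerable_mitigated" verdicts still recommend the upgrade: CSF state and local-in policies can change, and the same fixed builds close CVE-2024-55591, which needs neither precondition.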
Detection & IOCs (extracted from sources)
- Detect exploitation attempts via crafted CSF proxy requests to FortiOS/FortiProxy management interfaces. The attack vector for CVE-2025-24472 requires Security Fabric to be enabled and uses HTTPS requests to exposed firewall interfaces.
- Monitor for WebSocket-based attacks via the jsconsole interface on FortiOS/FortiProxy as an alternate exploitation pathway (shared with CVE-2024-55591).
- Alert on creation of new local/admin accounts on FortiGate devices, especially accounts named 'forticloud-tech', 'fortigate-firewall', or 'adnimistrator', and on their addition to SSL VPN user groups.
- Monitor for automation task modifications on FortiGate that recreate deleted admin accounts, a persistence mechanism used by Mora_001 post-exploitation.
- Detect lateral movement from compromised FortiGate devices using WMIC, SSH, and TACACS+/RADIUS authentication, as well as newly added VPN accounts and stolen VPN credentials.
- Ransom notes dropped by SuperBlack contain a TOX chat ID linked to LockBit operations; the presence of this TOX ID in ransom notes can be used as a cluster attribution indicator.
- CVE-2025-24472 is only exploitable when Security Fabric (CSF) is enabled on the FortiOS/FortiProxy device; organizations without Security Fabric enabled are not exposed to this specific attack path.
- Exploitation requires prior knowledge of both upstream and downstream device serial numbers, so this is not a fully blind attack and implies some degree of prior reconnaissance or insider knowledge.
- Organizations that already patched for CVE-2024-55591 (FortiOS 7.0.17+, FortiProxy 7.0.20+/7.2.13+) are also protected against CVE-2025-24472; no additional patch action is required if previously remediated.
- As a workaround when patching is not immediately possible, disabling the HTTP/HTTPS administrative interface or restricting access to it via local-in policies mitigates the attack surface.
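The three post-exploitation indicators above (new admin accounts, their addition to SSL VPN groups, and automation-task changes that recreate deleted admins) all surface as FortiGate configuration-change event logs. The detector below is an added example, not a vendor or Forescout detection rule: it parses FortiGate's `key=value` event format and keys on the `cfgpath`, `cfgobj`, `cfgattr`, `action`, `user` and `ui` fields that FortiOS emits for configuration changes. The sample log lines are constructed for this example (not real captures), the SSL VPN group names are an assumption, and matching account names as substrings of `cfgattr` is a heuristic, not a documented field format. The watchlist names are the ones quoted above.

```python
"""Detect Mora_001-style post-exploitation on FortiGate from config-change event logs.

Added example, not a vendor detection rule. Sample log lines below are
constructed; the SSL VPN group names and the cfgattr substring heuristic
are assumptions made for this example.
"""
import re
from collections import namedtuple

# key=value pairs; values may be double-quoted (and then may contain spaces).
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Account names reported in the SuperBlack/Mora_001 intrusions (quoted above).
WATCHLIST = {"forticloud-tech", "fortigate-firewall", "adnimistrator"}

# Assumed names of the organisation's SSL VPN user groups.
SSLVPN_GROUPS = {"sslvpn-users", "SSLVPN_Users"}

Alert = namedtuple("Alert", "severity rule account detail")


def parse_fortigate_event(line):
    """Parse one FortiGate event log line into a dict, unquoting quoted values."""
    return {
        m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
        for m in KV_RE.finditer(line)
    }


def detect(lines, sslvpn_groups=SSLVPN_GROUPS):
    """Run the three rules over a sequence of log lines and return Alerts in order.

    State carried across lines: admin accounts created earlier in the stream,
    so that a later SSL VPN group edit naming one of them is flagged even if
    the name is not on the static watchlist.
    """
    alerts = []
    new_admins = set()
    for line in lines:
        ev = parse_fortigate_event(line)
        path = ev.get("cfgpath", "")
        action = ev.get("action", "")
        obj = ev.get("cfgobj", "")

        # Rule 1: any new local admin is worth a look; watchlist names are critical.
        if path == "system.admin" and action == "Add":
            new_admins.add(obj)
            sev = "critical" if obj in WATCHLIST else "high"
            alerts.append(Alert(sev, "new-admin-account", obj,
                                f"created by {ev.get('user')} via {ev.get('ui')}"))

        # Rule 2: a recently created or watchlisted account added to an SSL VPN group.
        elif path == "user.group" and (obj in sslvpn_groups or "vpn" in obj.lower()):
            attr = ev.get("cfgattr", "")
            for acct in sorted(new_admins | WATCHLIST):
                if acct in attr:
                    alerts.append(Alert("critical", "vpn-group-membership", acct,
                                        f"added to group {obj} by {ev.get('user')}"))

        # Rule 3: automation stitches/actions are how the actor re-creates deleted admins.
        elif path.startswith("system.automation-"):
            alerts.append(Alert("high", "automation-task-change", obj,
                                f"{action} on {path} by {ev.get('user')} via {ev.get('ui')}"))
    return alerts


# Constructed sample events (not real captures): one intrusion sequence plus one benign change.
SAMPLE_LOGS = [
    'date=2025-03-10 time=02:14:07 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Object attribute configured" user="admin" ui="https(203.0.113.45)" action="Add" '
    'cfgpath="system.admin" cfgobj="forticloud-tech" cfgattr="accprofile[super_admin]" '
    'msg="Add system.admin forticloud-tech"',
    'date=2025-03-10 time=02:15:30 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Object attribute configured" user="admin" ui="https(203.0.113.45)" action="Edit" '
    'cfgpath="user.group" cfgobj="sslvpn-users" cfgattr="member[admin->admin forticloud-tech]" '
    'msg="Edit user.group sslvpn-users"',
    'date=2025-03-10 time=02:16:02 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Object attribute configured" user="forticloud-tech" ui="https(203.0.113.45)" action="Add" '
    'cfgpath="system.automation-stitch" cfgobj="recreate-admin" cfgattr="trigger[admin-deleted]" '
    'msg="Add system.automation-stitch recreate-admin"',
    'date=2025-03-10 time=09:30:11 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Object attribute configured" user="netops" ui="https(10.0.0.5)" action="Edit" '
    'cfgpath="firewall.policy" cfgobj="12" cfgattr="status[enable]" msg="Edit firewall.policy 12"',
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOGS):
        print(f"[{a.severity:8}] {a.rule:24} {a.account:18} {a.detail}")
```

Rule 1 also records the `ui` field, which carries the source address of the management session; when the admin interface is supposed to be reachable only from a management network, an `https(...)` source outside it is a strong signal on its own, independent of the account name.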
CVSS provenance
nvd · v3.1 · 8.1 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck · 8.1 HIGH
cisa · 8.1 HIGH
GHSA
GHSA-rp3f-whm7-36hq (ghsa_unreviewed · 2025-02-11 · HIGH · CWE-288)
An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS 7.0.0 through 7.0.16 and FortiProxy 7.2.0 through 7.2.12, 7.0.0 through 7.0.19 may allow a remote attacker to gain super-admin privileges via crafted CSF proxy requests.
VulnCheck
Fortinet FortiOS and FortiProxy Authentication Bypass Vulnerability (vulncheck · 2025 · CVSS 8.1 HIGH · CWE-288)
Fortinet FortiOS and FortiProxy contain an authentication bypass vulnerability that allows a remote attacker to gain super-admin privileges via crafted CSF proxy requests.
Affected: Fortinet FortiOS and FortiProxy
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://fortiguard.fortinet.com/psirt/FG-IR-24-535; https://www.forescout.com/blog/new-ransomware-operator-exploits-fortinet-vulnerability-duo/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.cert.at/de/warnungen/2025/
CISA
Fortinet FortiOS and FortiProxy Authentication Bypass Vulnerability (cisa · 2025-03-18 · CVSS 8.1 HIGH · CWE-288)
Affected: Fortinet FortiOS and FortiProxy
Fortinet FortiOS and FortiProxy contain an authentication bypass vulnerability that allows a remote attacker to gain super-admin privileges via crafted CSF proxy requests.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://fortiguard.fortinet.com/psirt/FG-IR-24-535 ; https://nvd.nist.gov/vuln/detail/CVE-2025-24472
Remediation Due Date: 2025-04-08
Fortinet
FG-IR-24-535: Authentication bypass in Node.js websocket module and CSF requests (vendor_fortinet · 2025-01-14 · CVSS 9.8 CRITICAL · CWE-288; the advisory covers both CVE-2024-55591 and CVE-2025-24472)
CVE-2024-55591: An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS version 7.0.0 through 7.0.16 and FortiProxy version 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12 allows a remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module.
CVE-2025-24472: An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS 7.0.0 through 7.0.16 and FortiProxy 7.2.0 through 7.2.12, 7.0.0 through 7.0.19 may allow a remote unauthenticated attacker with prior knowledge of upstream and downstream devices serial numbers to gain super-admin privileges on the downstream device, if the Security Fabric is enabled, via crafted CSF proxy r
No detection rules found.
No public exploits indexed.
Greynoiseio
The Noise in the Silence: Unmasking CISA's Hidden KEV Ransomware Updates (blogs_greynoiseio · 2026-02-02)
Bleepingcomputer
Critical FortiSwitch flaw lets hackers change admin passwords remotely (blogs_bleepingcomputer · 2025-04-09 · CVE-2024-48887 · CVSS 7.5 HIGH), by Sergiu Gatlan
Fortinet has released security patches for a critical vulnerability in its FortiSwitch devices that can be exploited to change administrator passwords remotely.
The company says Daniel Rozeboom of the FortiSwitch web UI development team discovered the vulnerability (CVE-2024-48887) internally.
Unauthenticated attackers can exploit this unverified FortiSwitch GUI password change security flaw (rated with a 9.8/10 severity score) in low-complexity attacks that don't require user interaction.
Fortinet says threat actors can change credentials using a specially crafted request sent via the set_password endpoint.
"An unverified password change vulnerability [CWE-620] in FortiSwitch GUI may allow a
Bleepingcomputer
New SuperBlack ransomware exploits Fortinet auth bypass flaws (blogs_bleepingcomputer · 2025-03-13 · CVE-2024-55591 · CVSS 9.8 CRITICAL), by Bill Toulas
A new ransomware operator named 'Mora_001' is exploiting two Fortinet vulnerabilities to gain unauthorized access to firewall appliances and deploy a custom ransomware strain dubbed SuperBlack.
The two vulnerabilities, both authentication bypasses, are CVE-2024-55591 and CVE-2025-24472, which Fortinet disclosed in January and February, respectively.
When Fortinet first disclosed CVE-2024-55591 on January 14, they confirmed it had been exploited as a zero-day, with Arctic Wolf stating it had been used in attacks since November 2024 to breach FortiGate firewalls.
Confusingly, on February 11, Fortinet added CVE-2025-24472 to their January advisory, which led many to believe it was a newly exploited flaw. How
Bleepingcomputer
Fortinet discloses second firewall auth bypass patched in January (blogs_bleepingcomputer · 2025-02-11 · CVE-2025-24472 · CVSS 9.8 CRITICAL), by Sergiu Gatlan
Update 2/11/25 07:32 PM ET: After publishing our story, Fortinet has informed us that the new CVE-2025-24472 flaw added to FG-IR-24-535 today is not a zero-day and was already fixed in January.
Furthermore, even though today's updated advisory indicates that both flaws were exploited in attacks and even includes a workaround for the new CSF proxy requests exploitation pathway, Fortinet says that only CVE-2024-55591 was exploited.
Fortinet told BleepingComputer that if a customer previously upgraded based on the guidance in FG-IR-24-535 / CVE-2024-55591, then they are already protected against the newly disclosed vulnerability.
The title of our story has been updated to reflect this new information, a
Tenable
CVE-2024-55591: Fortinet Authentication Bypass Zero-Day Vulnerability Exploited in the Wild (blogs_tenable · 2025-01-14 · CVSS 9.8 CRITICAL)
Threat Intel
# Threat Actor: Mora_001
(threat_intel · CVE-2024-55591 · CVSS 9.8 CRITICAL)
## Description
Mora_001 is a threat actor exhibiting a distinct operational signature that combines opportunistic attacks with ties to the LockBit ecosystem. The actor has been observed exploiting CVE-2024-55591 and CVE-2025-24472 vulnerabilities affecting Fortinet devices. The ransom note associated with Mora_001 includes the same TOX ID used by LockBit, indicating a potential affiliation or shared communication channels. Their post-exploitation patterns suggest a structured playbook that differentiates them from other ransomware operators, including LockBit affiliates.
## Timeline
- 2025-02-11: Published
- 2025-03-18: Added to CISA KEV
- Exploited in the wild