Fortinet has disclosed CVE-2025-24472, an authentication bypass (CWE-288, CVSS 8.1) in FortiOS and FortiProxy that allows a remote attacker to gain super-admin privileges through crafted CSF proxy requests.
This vulnerability affects:
- FortiOS versions 7.0.0 through 7.0.16
- FortiProxy versions 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12
FortiOS 7.2, 7.4 and 7.6, and FortiProxy 7.4 and 7.6, are not affected.
Fortinet fixed the issue in January 2025; upgrade to:
- FortiOS 7.0.17 or later
- FortiProxy 7.0.20 or 7.2.13 or later
Clarification on Exploitation and Patching
In an update on February 11, 2025, Fortinet confirmed that CVE-2025-24472 is not a new zero-day. It had already been fixed in January 2025 by the same releases that addressed CVE-2024-55591 (advisory FG-IR-24-535), the authentication bypass that was actively exploited in the wild.
- CVE-2025-24472 has not been observed exploited in the wild, according to Fortinet.
- CVE-2024-55591 was actively exploited, and devices were compromised before the patch was available.
Even so, CVE-2025-24472 remains a high-severity flaw, and unpatched devices remain exposed to it.
Exploitation Details – What Happened?
CVE-2024-55591 (the companion Fortinet vulnerability fixed in the same January 2025 releases) was actively exploited by threat actors.
- Attackers used it to create unauthorized administrator accounts on the device
- They modified firewall policies
- They used the new accounts to log in over SSL VPN and reach the internal network
Arctic Wolf Labs tracked active exploitation of CVE-2024-55591 back to mid-November 2024, targeting FortiGate devices whose management interfaces were exposed to the internet.
CVE-2025-24472 has not been seen exploited, but it reaches the same super-admin outcome on unpatched devices and should be treated with the same urgency.
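The chain above (a new admin account, SSL VPN group and firewall policy changes, then an SSL VPN login by the new account) is what a hunt over FortiOS event logs should correlate rather than alert on piecemeal. The following Python script is an added example, not Fortinet's or Arctic Wolf's tooling: the log lines are constructed to approximate FortiOS key=value event logs, so field names such as `cfgpath`, `cfgobj` and `remip` follow the FortiOS convention, but every value, the account name `svc_backup` and the IP addresses are invented.

```python
"""Correlate FortiOS event logs into the post-exploitation chain described above.

Added example, not Fortinet's or Arctic Wolf's tooling. The sample lines are
constructed to approximate FortiOS key=value event logs: field names follow the
FortiOS convention (logdesc, cfgpath, cfgobj, cfgattr, user, ui, remip), but every
value, account name and IP address is invented for illustration.
"""
import re
from dataclasses import dataclass, field

# key=value pairs; values are either double-quoted (may contain spaces) or bare
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample: an admin session adds a super_admin account, puts it in an
# SSL VPN group, edits a firewall policy, and the new account then opens a tunnel.
SAMPLE_LOGS = """\
date=2025-01-10 time=03:12:45 type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="https(198.51.100.7)" action="Add" cfgpath="system.admin" cfgobj="svc_backup" cfgattr="accprofile[super_admin]" msg="Add system.admin svc_backup"
date=2025-01-10 time=03:13:02 type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="https(198.51.100.7)" action="Edit" cfgpath="user.group" cfgobj="sslvpn_users" cfgattr="member[svc_backup]" msg="Edit user.group sslvpn_users"
date=2025-01-10 time=03:13:40 type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="https(198.51.100.7)" action="Edit" cfgpath="firewall.policy" cfgobj="7" cfgattr="srcintf[ssl.root]" msg="Edit firewall.policy 7"
date=2025-01-10 time=03:15:11 type="event" subtype="vpn" level="information" vd="root" logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-tunnel" user="svc_backup" group="sslvpn_users" remip=198.51.100.7 msg="SSL VPN tunnel established"
date=2025-01-10 time=09:00:05 type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" ui="https(10.0.0.5)" action="login" status="success" msg="Administrator admin logged in successfully"
"""


def parse_line(line: str) -> dict:
    """Split one key=value log line into a dict, stripping the quotes around values."""
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


@dataclass
class Findings:
    new_admins: dict = field(default_factory=dict)       # account -> (creator, ui)
    group_edits: list = field(default_factory=list)      # (group, cfgattr)
    policy_changes: list = field(default_factory=list)   # (policy id, action, cfgattr)
    vpn_logins_by_new_admins: list = field(default_factory=list)  # (account, remip)

    def severity(self) -> str:
        """Escalate when an account created in this window is then used over SSL VPN."""
        if self.vpn_logins_by_new_admins:
            return "critical"
        if self.new_admins and (self.group_edits or self.policy_changes):
            return "high"
        if self.new_admins or self.policy_changes:
            return "medium"
        return "none"


def hunt(log_text: str) -> Findings:
    """Single pass in log order: later VPN logins are matched against admin
    accounts that were added earlier in the same window."""
    found = Findings()
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        cfgpath = ev.get("cfgpath", "")
        action = ev.get("action", "")
        if cfgpath == "system.admin" and action == "Add":
            found.new_admins[ev["cfgobj"]] = (ev.get("user", "?"), ev.get("ui", "?"))
        elif cfgpath == "user.group" and action in ("Add", "Edit"):
            found.group_edits.append((ev.get("cfgobj", "?"), ev.get("cfgattr", "")))
        elif cfgpath.startswith("firewall.policy") and action in ("Add", "Edit", "Delete"):
            found.policy_changes.append((ev.get("cfgobj", "?"), action, ev.get("cfgattr", "")))
        elif ev.get("subtype") == "vpn" and ev.get("user") in found.new_admins:
            found.vpn_logins_by_new_admins.append((ev["user"], ev.get("remip", "?")))
    return found


if __name__ == "__main__":
    result = hunt(SAMPLE_LOGS)
    print("severity:", result.severity())
    for account, (creator, ui) in result.new_admins.items():
        print(f"admin account {account!r} added by {creator} via {ui}")
    for account, remip in result.vpn_logins_by_new_admins:
        print(f"SSL VPN login by freshly created admin {account!r} from {remip}")
```

Run it against a real export by replacing `SAMPLE_LOGS` with the contents of a FortiAnalyzer or syslog export for the period since mid-November 2024; any account in `new_admins` that your change records do not explain deserves a closer look even when the severity stays at "medium".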
Fortinet’s Security Recommendations
Fortinet urges all users to take immediate action:
- Upgrade to a fixed release (FortiOS 7.0.17 or later; FortiProxy 7.0.20 or 7.2.13 or later)
- If patching isn't possible, disable the HTTP/HTTPS administrative interface on internet-facing interfaces
- Use local-in policies to restrict which source addresses can reach the administrative interface
If you already applied the January 2025 advisory for CVE-2024-55591, your devices are protected against CVE-2025-24472 as well, because the same releases fixed both flaws.
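The two interim mitigations (no admin access on internet-facing interfaces, and local-in policies limiting who can reach it) can be checked from a configuration backup without touching the device. The Python script below is an added example, not a Fortinet tool; `SAMPLE_CONFIG` is a constructed fragment in FortiOS CLI syntax whose interface names, addresses, address object `mgmt-net` and policy IDs are invented. It contains both the weak setting (`allowaccess` still lists `http`, `https` and `ssh` on the WAN interface) and the corrected local-in policy pair (accept from the management network, then deny from `all`).

```python
"""Audit a FortiOS configuration backup for the two interim mitigations above.

Added example, not a Fortinet tool. SAMPLE_CONFIG is a constructed fragment in
FortiOS CLI syntax: interface names, addresses, the mgmt-net object and the
policy IDs are invented. It shows an internet-facing interface that still
allows HTTP/HTTPS/SSH admin access, plus a local-in policy pair that limits
those services to a management network (accept from mgmt-net, then deny all).
"""
import shlex

SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set vdom "root"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh http
        set role wan
    next
    edit "internal"
        set vdom "root"
        set ip 10.0.0.1 255.255.255.0
        set allowaccess ping https ssh
        set role lan
    next
end
config firewall address
    edit "mgmt-net"
        set subnet 10.0.0.0 255.255.255.0
    next
end
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "mgmt-net"
        set dstaddr "all"
        set service "HTTPS" "SSH"
        set schedule "always"
        set action accept
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "HTTP" "HTTPS" "SSH"
        set schedule "always"
        set action deny
    next
end
"""

# The same device before the local-in policy was added: admin ports open to anyone.
WEAK_CONFIG = SAMPLE_CONFIG.split("config firewall local-in-policy")[0]

# allowaccess keyword -> predefined service object name used in local-in policies
ADMIN_SERVICES = {"http": "HTTP", "https": "HTTPS", "ssh": "SSH"}


def parse_fortios_config(text: str) -> dict:
    """Return {section: {entry: {key: [values]}}} for top-level config blocks.
    Nested sub-blocks (config ... end inside an edit) are skipped, not parsed."""
    sections, section, entry, depth = {}, None, None, 0
    for raw in text.splitlines():
        toks = shlex.split(raw)
        if not toks:
            continue
        if toks[0] == "config":
            if section is None:
                section = " ".join(toks[1:])
                sections.setdefault(section, {})
            else:
                depth += 1
        elif toks[0] == "end":
            if depth:
                depth -= 1
            else:
                section = None
        elif depth:
            continue
        elif toks[0] == "edit" and section is not None:
            entry = toks[1]
            sections[section].setdefault(entry, {})
        elif toks[0] == "set" and entry is not None:
            sections[section][entry][toks[1]] = toks[2:]
        elif toks[0] == "next":
            entry = None
    return sections


def denies_all(policy: dict, intf: str, svc: str) -> bool:
    """True if this local-in policy drops `svc` from any source on `intf`."""
    return (policy.get("intf", [""])[0] == intf
            and policy.get("action", [""])[0] == "deny"
            and policy.get("srcaddr", [""])[0] == "all"
            and svc in policy.get("service", []))


def audit(cfg: dict) -> dict:
    """Return {interface: [findings]} for WAN-role interfaces that expose admin access."""
    issues = {}
    policies = cfg.get("firewall local-in-policy", {})
    for name, attrs in cfg.get("system interface", {}).items():
        # `set role wan` is the heuristic used here; a real audit should also treat
        # any interface holding a public IP as internet-facing.
        if attrs.get("role", ["undefined"])[0] != "wan":
            continue
        allowaccess = set(attrs.get("allowaccess", []))
        findings = []
        if "http" in allowaccess:
            findings.append("plaintext HTTP admin access enabled; remove http from allowaccess")
        for keyword, svc in ADMIN_SERVICES.items():
            if keyword in allowaccess and not any(denies_all(p, name, svc) for p in policies.values()):
                findings.append(f"{svc} reachable from any source: no local-in deny on {name}")
        if findings:
            issues[name] = findings
    return issues


if __name__ == "__main__":
    for label, text in (("without local-in policy", WEAK_CONFIG), ("with local-in policy", SAMPLE_CONFIG)):
        print(label, audit(parse_fortios_config(text)))
```

Local-in policies are evaluated top down, so the accept for `mgmt-net` must sit above the deny-all entry; the script only checks that a deny exists, not its position, so keep that ordering in mind when reading its output. Removing `http` and `https` from `allowaccess` on the WAN interface clears the remaining finding and is the stronger fix.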