The Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical security alert highlighting a significant vulnerability in Fortinet’s FortiOS and FortiProxy systems, which threat actors are actively exploiting.
The authentication bypass vulnerability, tracked as CVE-2025-24472, has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog due to evidence of active exploitation in ransomware campaigns.
Fortinet FortiOS Authentication Bypass Vulnerability
The high-severity vulnerability, which carries a CVSS score of 8.1, allows remote attackers to gain super-admin privileges through crafted CSF proxy requests without requiring user interaction.
This authentication bypass vulnerability is classified as CWE-288 (Authentication Bypass Using an Alternate Path or Channel) by the Common Weakness Enumeration.
“An Authentication Bypass Using an Alternate Path or Channel vulnerability affecting FortiOS and FortiProxy may allow a remote attacker to gain super-admin privileges via crafted CSF proxy requests,” states the Fortinet advisory.
The vulnerability impacts explicitly FortiOS versions 7.0.0 through 7.0.16, FortiProxy 7.0.0 through 7.0.19, and FortiProxy 7.2.0 through 7.2.12.
Security experts warn that successful exploitation could provide attackers full administrative access to affected systems, including creating rogue admin accounts, modifying firewall policies, and accessing SSL VPNs to penetrate internal networks.
This level of access makes the vulnerability particularly dangerous in the context of ransomware operations.
| Risk Factors | Details |
| Affected Products | FortiOS versions 7.0.0 through 7.0.16FortiProxy versions 7.0.0 through 7.0.19FortiProxy versions 7.2.0 through 7.2.12 |
| Impact | super-admin privileges |
| Exploit Prerequisites | Remote attack vector (Network-based)Requires crafted Cooperative Security Fabric (CSF) proxy requests |
| CVSS 3.1 Score | 8.1 (High) |
Mitigations
CISA is directing organizations to “apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable”.
Fortinet has released patches addressing the vulnerability in FortiOS 7.0.17 or above and FortiProxy 7.0.20/7.2.13 or above.
For organizations unable to immediately patch, temporary mitigation options include disabling the HTTP/HTTPS administrative interface or implementing IP-based restrictions through local-in policies.
Security teams should also monitor logs for suspicious activities, such as unexplained administrative logins from the “jsconsole” interface or the creation of admin accounts with random usernames.
The KEV catalog, maintained by CISA, is an authoritative source of vulnerabilities confirmed to be exploited in the wild. CISA strongly recommends all entities prioritize the remediation of listed vulnerabilities to reduce the risk of compromise.
Organizations are advised to use the KEV catalog as a critical input to their vulnerability management prioritization framework, making it an essential component of effective external attack surface management.
Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.
