Fortinet warns of new zero-day exploited to hijack firewalls


Fortinet warned today that attackers are exploiting another authentication bypass zero-day bug in FortiOS and FortiProxy to hijack Fortinet firewalls and breach enterprise networks.

Successful exploitation of this vulnerability (CVE-2025-24472) allows remote attackers to gain super-admin privileges by making maliciously crafted CSF proxy requests. The security flaw impacts FortiOS 7.0.0 through 7.0.16, FortiProxy 7.0.0 through 7.0.19, and FortiProxy 7.2.0 through 7.2.12.

Fortinet added the bug as a new CVE-ID to a security advisory issued last month when it cautioned customers that threat actors were actively exploiting a FortiOS and FortiProxy auth bypass (tracked as CVE-2024-55591 and impacting the identical software versions). However, as the company explained, the CVE-2024-55591 zero-day can be exploited by making malicious requests to the Node.js websocket module.

According to Fortinet, attackers exploit the two vulnerabilities to generate random admin or local users on affected devices, adding them to new and existing SSL VPN user groups. They have also been seen modifying firewall policies and other configurations and accessing SSLVPN instances with previously established rogue accounts “to gain a tunnel to the internal network.”

While Fortinet didn’t provide additional information on the campaign, cybersecurity company Arctic Wolf released a report with matching indicators of compromise (IOCs), saying vulnerable Fortinet FortiGate firewalls with Internet-exposed management interfaces have been under attack since at least mid-November.

“The campaign involved unauthorized administrative logins on management interfaces of firewalls, creation of new accounts, SSL VPN authentication through those accounts, and various other configuration changes,” Arctic Wolf Labs said.

“While the initial access vector is not definitively confirmed, a zero-day vulnerability is highly probable. Organizations should urgently disable firewall management access on public interfaces as soon as possible.”

Arctic Wolf Labs also provided this timeline for CVE-2024-55591 mass-exploitation attacks, saying it includes four unique phases:

  1. Vulnerability scanning (November 16, 2024 to November 23, 2024)
  2. Reconnaissance (November 22, 2024 to November 27, 2024)
  3. SSL VPN configuration (December 4, 2024 to December 7, 2024)
  4. Lateral Movement (December 16, 2024 to December 27, 2024)

“Given subtle differences in tradecraft and infrastructure between intrusions, it is possible that multiple individuals or groups may have been involved in this campaign, but jsconsole usage was a common thread across the board,” it added.
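The post-exploitation behaviour described above (rogue admin or local accounts, membership changes to SSL VPN user groups, firewall policy edits) and the jsconsole thread Arctic Wolf Labs points to are all visible in the firewall's own event logs. The following triage script is an added example, not code from Fortinet, Arctic Wolf or BleepingComputer: it parses key=value event log lines, flags successful admin logins and configuration changes made through jsconsole, and correlates newly created accounts with the user groups they were later added to. The sample log lines are constructed; their layout follows the FortiOS key=value event log convention, but the exact field names and values (`ui`, `cfgpath`, `cfgobj`, `cfgattr`, the `member[...]` form) are assumptions and should be checked against logs from your own devices.

```python
"""Triage FortiOS-style event logs for the intrusion pattern the article describes.

Added example, not Fortinet's or Arctic Wolf's tooling. Sample lines are constructed;
field names are modelled on FortiOS key=value event logs but are assumptions.
"""
import re
from typing import Dict, List, Optional, Set

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
# assumed form of a group-membership attribute in a config-change log: member[a b c]
MEMBER_RE = re.compile(r"member\[([^\]]*)\]")

# management UIs that should not normally be the source of admin activity (assumption)
SUSPECT_UI: Set[str] = {"jsconsole"}

# configuration paths whose changes match the behaviours described in the article
WATCHED_PATHS: Dict[str, str] = {
    "system.admin": "admin account change",
    "user.local": "local user change",
    "user.group": "user group membership change",
    "vpn.ssl.settings": "SSL VPN settings change",
    "firewall.policy": "firewall policy change",
}

# constructed sample log lines (not real device output)
SAMPLE_LOGS: List[str] = [
    'date=2024-12-04 time=10:15:02 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Admin login successful" user="admin" ui="jsconsole" srcip=127.0.0.1 '
    'action="login" status="success" msg="Administrator admin logged in successfully from jsconsole"',
    'date=2024-12-04 time=10:16:40 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Object attribute configured" user="admin" ui="jsconsole" action="Add" '
    'cfgpath="system.admin" cfgobj="support_tmp" msg="Add system.admin support_tmp"',
    'date=2024-12-04 time=10:18:11 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Object attribute configured" user="admin" ui="jsconsole" action="Edit" '
    'cfgpath="user.group" cfgobj="sslvpn_users" cfgattr="member[support_tmp]" msg="Edit user.group sslvpn_users"',
    'date=2024-12-04 time=11:02:55 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Admin login successful" user="netops" ui="GUI(10.20.0.5)" srcip=10.20.0.5 '
    'action="login" status="success" msg="Administrator netops logged in successfully from https(10.20.0.5)"',
    'date=2024-12-04 time=11:05:00 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Object attribute configured" user="netops" ui="GUI(10.20.0.5)" action="Edit" '
    'cfgpath="firewall.address" cfgobj="branch-lan" msg="Edit firewall.address branch-lan"',
]


def parse_fortios_log(line: str) -> Dict[str, str]:
    """Parse one key=value log line into a dict (quoted values keep their spaces)."""
    return {
        m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
        for m in KV_RE.finditer(line)
    }


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return a finding label for one parsed event, or None if nothing matches."""
    if (
        event.get("action", "").lower() == "login"
        and event.get("status") == "success"
        and event.get("ui") in SUSPECT_UI
    ):
        return "admin login via jsconsole"
    path = event.get("cfgpath")
    if path in WATCHED_PATHS:
        label = WATCHED_PATHS[path]
        # a watched change made through jsconsole is the strongest signal; other UIs still get logged
        return f"{label} via jsconsole" if event.get("ui") in SUSPECT_UI else label
    return None


def triage(lines: List[str]) -> List[Dict[str, Optional[str]]]:
    """Run classify() over every line and return the findings in log order."""
    findings = []
    for line in lines:
        ev = parse_fortios_log(line)
        label = classify(ev)
        if label:
            findings.append({
                "time": f"{ev.get('date')} {ev.get('time')}",
                "user": ev.get("user"),
                "srcip": ev.get("srcip"),
                "object": ev.get("cfgobj"),
                "finding": label,
            })
    return findings


def rogue_accounts(lines: List[str]) -> Dict[str, Set[str]]:
    """Map each admin/local account created in the log window to the groups it was later added to."""
    created: Dict[str, Set[str]] = {}
    for line in lines:
        ev = parse_fortios_log(line)
        if ev.get("action") == "Add" and ev.get("cfgpath") in ("system.admin", "user.local"):
            created.setdefault(ev.get("cfgobj", ""), set())
        elif ev.get("cfgpath") == "user.group":
            m = MEMBER_RE.search(ev.get("cfgattr", ""))
            if m:
                for member in m.group(1).split():
                    if member in created:
                        created[member].add(ev.get("cfgobj", ""))
    return created


if __name__ == "__main__":
    for f in triage(SAMPLE_LOGS):
        print(f"{f['time']}  {f['finding']:<45} user={f['user']} src={f['srcip']} obj={f['object']}")
    print("accounts created and then placed in user groups:", rogue_accounts(SAMPLE_LOGS))
```

On the constructed sample the script flags the jsconsole login, the creation of `support_tmp`, and its addition to `sslvpn_users`, while leaving the ordinary GUI session alone. Run it against a real log export by replacing `SAMPLE_LOGS` with the file's lines; an account that appears in `rogue_accounts()` and was not provisioned by your own change process is the starting point for the password reset and configuration review Fortinet's advisory describes.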

Arctic Wolf Labs added that it notified Fortinet about the attacks on December 12 and received confirmation from the company’s Product Security Incident Response Team (PSIRT) five days later that the activity was known and already under investigation.

Fortinet advised admins who can’t immediately deploy the security updates to secure vulnerable firewalls to disable the HTTP/HTTPS administrative interface or limit the IP addresses that can reach it via local-in policies as a workaround.

BleepingComputer reached out to a Fortinet spokesperson for comment but did not hear back by the time of publication.
