Fortinet Warns of Exploited Zero-Day Vulnerability in FortiOS and FortiProxy Firewalls

2025-02-16

Fortinet has issued a warning regarding a newly discovered zero-day vulnerability in its FortiOS and FortiProxy products, which has been actively exploited by threat actors. This flaw, identified as CVE-2025-24472, carries a critical CVSS score of 8.1 and has the potential to allow remote attackers to hijack Fortinet firewalls. The vulnerability arises from an authentication bypass issue that enables unauthorized access to super-admin privileges through crafted CSF proxy requests. The impacted systems include FortiOS 7.0.0 to 7.0.16 and FortiProxy 7.0.0 to 7.0.19, with Fortinet releasing fixes in newer versions of both products. Threat actors can exploit this vulnerability to create rogue admin users, alter firewall policies, and even access SSL VPNs, posing a significant risk to affected organizations. Fortinet also provides temporary mitigations, including disabling administrative interfaces or restricting access through IP-based policies.

Summary:

Fortinet has recently raised an alarm about a critical zero-day vulnerability, tracked as CVE-2025-24472, that affects both FortiOS and FortiProxy. The flaw allows remote attackers to bypass authentication, granting them super-admin privileges. The vulnerability affects versions of FortiOS between 7.0.0 and 7.0.16, as well as FortiProxy versions 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12. Fortinet has released patches for the affected versions, urging organizations to upgrade to FortiOS 7.0.17 or higher and FortiProxy 7.0.20/7.2.13 or higher. This vulnerability, along with CVE-2024-55591, could allow attackers to take control of firewalls, change configurations, and compromise internal networks through SSL VPN access. In response to the exploitations, Fortinet recommends temporary mitigation strategies, such as disabling administrative interfaces or restricting IP access. The vulnerability has already been seen in real-world attacks, with researchers from Arctic Wolf observing suspicious activities and exploitation attempts on Fortinet devices.

What Undercode Says:

The discovery and exploitation of CVE-2025-24472 underscores a troubling trend in the cybersecurity landscape, where attackers continuously target well-established technologies. FortiOS and FortiProxy are widely used by organizations to secure their networks, making this vulnerability a prime target for malicious actors. The authentication bypass nature of the flaw means that even sophisticated firewalls like Fortinet’s can be compromised if the attacker can exploit it. The fact that this vulnerability has been observed in active campaigns speaks to the urgency of addressing it.

The reported exploitation methods indicate that threat actors are not simply gaining unauthorized access—they are fully hijacking administrative functions. This level of control allows attackers to make significant modifications to firewall configurations, including creating rogue admin accounts and modifying policies. The ability to access SSL VPNs further broadens the scope of potential damage, as attackers can use this access to infiltrate internal networks and steal sensitive data or deploy additional malware.

The severity of this vulnerability is amplified by its remote exploitability. Attackers don’t need physical access to the firewall to trigger the flaw; a crafted CSF proxy request is enough to gain super-admin privileges. This makes it particularly dangerous for organizations that may not be actively monitoring their systems or are slow to apply patches. The rapid detection of these exploitations by researchers, such as Arctic Wolf, highlights the evolving nature of cyber threats, where attackers leverage zero-day vulnerabilities for rapid and widespread attacks.

Fortinet’s patch management strategy—releasing updates for FortiOS 7.0.17 and FortiProxy 7.0.20/7.2.13—is an essential step in mitigating the risk. However, the advisory also includes temporary mitigation recommendations, like disabling administrative interfaces or limiting access based on IP addresses. While these measures can provide temporary relief, they are not a substitute for applying the available patches. Organizations that delay updates are leaving themselves open to exploitation.

The timing of this discovery is also notable. With the global increase in cyberattacks, particularly targeting network infrastructure, vulnerabilities in widely used firewall systems are a prime target for cybercriminals. In the case of this CVE, the compressed timeline and multiple firmware versions affected suggest that the attackers have been exploiting the flaw at scale. Researchers are concerned that similar vulnerabilities may exist in other systems, so organizations should not assume that this is an isolated incident.

In response to the growing risk,

In conclusion, the CVE-2025-24472 vulnerability represents a serious security risk, and it is critical for affected organizations to take swift action. As always, the key to defending against such vulnerabilities is timely patching, vigilance in monitoring, and implementing layered security strategies. Ignoring this threat could have catastrophic consequences for enterprises, from data breaches to full-scale network takeovers.

References:

Reported By: https://securityaffairs.com/174117/hacking/fortinet-fortios-zero-day-exploited.html
https://www.reddit.com/r/AskReddit
Wikipedia: https://www.wikipedia.org
Undercode AI: https://ai.undercodetesting.com