Fortinet Warns of New Zero-Day Exploit Allowing Attackers to Hijack Firewalls

By /

Listen to this Post

2025-02-11

Cybersecurity giant Fortinet has issued a new warning about a critical zero-day vulnerability that attackers are actively exploiting to gain full administrative control over enterprise firewalls. The flaw, tracked as CVE-2025-24472, allows remote attackers to bypass authentication in FortiOS and FortiProxy through maliciously crafted requests. This marks yet another serious security breach following last month’s discovery of CVE-2024-55591, which similarly enabled unauthorized access through the Node.js WebSocket module.

The ongoing campaign, reported by Arctic Wolf Labs, has been exploiting these vulnerabilities since mid-November 2024, with attackers leveraging exposed firewall management interfaces to infiltrate enterprise networks. Organizations using vulnerable Fortinet devices are strongly urged to disable public-facing management access immediately and apply security patches as soon as they become available.

the Attack

  • Fortinet has identified CVE-2025-24472, an authentication bypass vulnerability affecting FortiOS and FortiProxy, allowing attackers to gain super-admin privileges.
  • The exploit impacts FortiOS 7.0.0–7.0.16, FortiProxy 7.0.0–7.0.19, and FortiProxy 7.2.0–7.2.12.
  • Threat actors are using this zero-day to create rogue admin accounts, modify firewall policies, and access SSL VPN instances.
  • Arctic Wolf Labs confirmed attacks targeting Internet-exposed firewall management interfaces since mid-November 2024.
  • The attack campaign follows a four-phase pattern: vulnerability scanning, reconnaissance, SSL VPN configuration, and lateral movement.
  • Arctic Wolf Labs notified Fortinet on December 12, 2024, and the company’s PSIRT team confirmed they were investigating the attacks.
  • Fortinet advises disabling HTTP/HTTPS administrative interfaces or restricting access via IP filtering as a temporary workaround.

What Undercode Says: A Deeper Look at the Fortinet Exploit

1. The Rise of Authentication Bypass Attacks

Authentication bypass vulnerabilities have become one of the most exploited attack vectors in recent years. Threat actors target these flaws because they allow privileged access without requiring credentials, making them perfect for gaining persistent control over systems. The fact that two Fortinet zero-days have been exploited within months raises serious concerns about the security of firewall management interfaces.

2. The Growing Risks of Internet-Exposed Firewalls

One of the most alarming aspects of this attack is its reliance on exposed firewall management interfaces. Many organizations still leave these interfaces open to the internet, significantly increasing their attack surface. Threat actors actively scan for vulnerable devices, and once access is obtained, they establish rogue admin accounts and manipulate firewall configurations to maintain control.

3. Similarities with Past Fortinet Exploits

This is not the first time Fortinet products have been targeted. Previous incidents, such as CVE-2022-40684, also allowed attackers to bypass authentication and create unauthorized admin users. The repetitive nature of these exploits suggests a need for Fortinet to reevaluate its security architecture and implement stronger authentication mechanisms beyond simple administrative login protections.

4. The Multi-Phase Attack Strategy

Arctic Wolf Labs’ breakdown of the attack into four distinct phases provides valuable insight into how sophisticated threat actors operate:

  • Vulnerability Scanning (Nov 16–23, 2024): Attackers identify exposed Fortinet devices.
  • Reconnaissance (Nov 22–27, 2024): They gather intelligence on network configurations and potential weaknesses.
  • SSL VPN Configuration (Dec 4–7, 2024): Rogue accounts are created, and SSL VPN access is established.
  • Lateral Movement (Dec 16–27, 2024): Attackers expand their foothold inside the internal network.

This methodical approach demonstrates advanced persistent threat (APT)-like behavior, where attackers aim for long-term access rather than one-time breaches.

5. The Importance of Timely Patch Management

While Fortinet is actively investigating and releasing patches, history shows that many organizations delay updating critical security patches, leaving them exposed for extended periods. Security teams must prioritize immediate patching of Fortinet devices and ensure that administrative access is never exposed to the internet.

6. The Role of Threat Intelligence in Defense

Arctic Wolf Labs’ ability to identify and analyze these attacks early is a testament to the importance of threat intelligence in modern cybersecurity. Organizations must leverage such intelligence to stay ahead of attackers by:

  • Monitoring Indicators of Compromise (IOCs) and blocking suspicious activity.
  • Deploying proactive detection mechanisms to spot unauthorized admin account creation.
  • Implementing Zero Trust principles, ensuring least-privilege access across all critical systems.

7. What This Means for Enterprises

For enterprises using Fortinet firewalls, this is a wake-up call to review their security policies immediately. The following steps should be taken:

  • Disable internet-exposed firewall management interfaces or restrict access to trusted IPs.
  • Apply Fortinet’s security updates as soon as they become available.

– Monitor firewall logs for unauthorized administrative actions.

  • Use multi-factor authentication (MFA) where possible to strengthen authentication.

Conclusion: A Critical Moment for Fortinet Security

The CVE-2025-24472 exploit underscores the persistent threats facing enterprise firewalls. Fortinet users must act quickly to mitigate risks, apply patches, and tighten security controls. With attackers demonstrating sophisticated, multi-phase attack strategies, businesses cannot afford to be reactive. Instead, a proactive cybersecurity approach, combining patch management, access restrictions, and continuous monitoring, is essential to defending against such evolving threats.

References:

Reported By: https://www.bleepingcomputer.com/news/security/fortinet-warns-of-new-zero-day-exploited-to-hijack-firewalls/
https://www.linkedin.com
Wikipedia: https://www.wikipedia.org
Undercode AI: https://ai.undercodetesting.com

Image Source:

OpenAI: https://craiyon.com
Undercode AI DI v2: https://ai.undercode.helpFeatured Image

Explore More: