CVE-2025-24472 — Fortinet FortiOS and FortiProxy Authentication Bypass Vulnerability

Fortinet FortiOS/FortiProxy — Auth Bypass via CSF Proxy Requests → Super-Admin; Ransomware Active Exploitation

What is Fortinet FortiOS and FortiProxy?

Fortinet FortiOS is the operating system powering FortiGate next-generation firewalls — one of the most widely deployed enterprise perimeter security platforms. FortiProxy is Fortinet's web proxy appliance. Both products process unauthenticated traffic at the internet edge, making authentication bypass vulnerabilities particularly high-impact. Fortinet edge devices have been repeatedly exploited by Chinese APT actors (Volt Typhoon, UNC3886) and financially motivated attackers for initial network access.

Overview

CVE-2025-24472 is an authentication bypass (CWE-288, Authentication Bypass Using an Alternate Path or Channel) in FortiOS and FortiProxy that lets a remote, unauthenticated attacker obtain super-admin privileges by sending crafted CSF (Security Fabric) proxy requests to the administrative interface. It is a second bypass path into the same management interface as CVE-2024-55591 (fixed in January 2025): Fortinet added it to the existing advisory FG-IR-24-535 on 2025-02-11 as a distinct vector through the same flaw, so the January fixed releases cover both. Exploitation of FortiGate devices ending in ransomware deployment was publicly documented before CISA's KEV listing.

Affected Versions

Product          Vulnerable                Fixed
FortiOS 7.0      7.0.0 through 7.0.16      7.0.17 or above
FortiProxy 7.0   7.0.0 through 7.0.19      7.0.20 or above
FortiProxy 7.2   7.2.0 through 7.2.12      7.2.13 or above

Branches not listed above (FortiOS 7.2, 7.4 and 7.6; FortiProxy 7.4 and 7.6) are not listed as affected in the NVD entry or in advisory FG-IR-24-535.

Scope: the vulnerable handler is reached through the administrative HTTP/HTTPS interface, so exposure depends on whether that interface is reachable by the attacker. Devices whose management access is limited to a management network or to trusted hosts are not reachable by this path, which is also Fortinet's published workaround (disable the HTTP/HTTPS administrative interface or restrict its sources with local-in policies).

Technical Details

The bypass (CWE-288) uses an alternate code path in the FortiOS administrative interface: the CSF (Security Fabric) proxy request handler can be reached with a crafted request that does not pass through the normal authentication checks, and the requester ends up with super-admin access to the management API. Fortinet has not published the request details, and none are reproduced here.

With super-admin access, attackers can:

  • Modify firewall rules to allow VPN connections or open ports
  • Create new administrator accounts for persistent access
  • Export SSL-VPN configurations and certificate keys
  • Disable logging and security features
  • Pivot to internal network resources accessible through the FortiGate

The High attack-complexity rating (AC:H) reflects that the bypass needs knowledge of the specific CSF proxy request format rather than any privileges or user interaction; that knowledge was evidently in attacker hands, since in-the-wild use was documented within weeks of the CVE's publication.

Discovery

Not publicly attributed. Fortinet added the CVE to advisory FG-IR-24-535 on 2025-02-11, after the January fix for CVE-2024-55591, which suggests the CSF proxy path was identified during follow-up work on the earlier vulnerability.

Exploitation Context

Active exploitation ending in ransomware deployment was documented before the March 18, 2025 KEV listing (Forescout's March 2025 reporting on the SuperBlack ransomware operator, which used both CVE-2024-55591 and CVE-2025-24472). The tradecraft mirrors the CVE-2024-55591 intrusions: the bypass is used to create new super-admin accounts or modify existing ones; the attacker then adds SSL-VPN local users, groups and firewall policies for durable access, exfiltrates the device configuration, and pivots into the internal network before deploying ransomware.
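The post-compromise pattern described above leaves a trail in FortiOS event logs: account additions appear as logdesc="Object attribute configured" with cfgpath="system.admin" (administrators) or cfgpath="user.local" (local users, the usual SSL-VPN identity), and successful logins record the source IP and the admin profile. The following Python triage script is an added example, not Fortinet's or the page's own code. The log lines are constructed to mimic the key="value" layout of FortiOS event logs (no real incident data), the trusted management subnet 10.10.0.0/24 is an assumption, and the three rules are mine.

```python
import ipaddress
import re

# Assumption: the only network from which administrators should ever log in.
TRUSTED_MGMT = [ipaddress.ip_network("10.10.0.0/24")]

# Constructed sample lines in the key="value" layout of FortiOS event logs.
# Not taken from a real incident; account names and IPs are invented.
SAMPLE_LOGS = [
    'date=2025-01-27 time=03:12:41 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Admin login successful" user="admin" ui="https(203.0.113.55)" srcip=203.0.113.55 '
    'action="login" status="success" profile="super_admin" msg="Administrator admin logged in successfully"',
    'date=2025-01-27 time=03:13:02 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Object attribute configured" user="admin" ui="https(203.0.113.55)" action="Add" '
    'cfgpath="system.admin" cfgobj="kRm3x" cfgattr="" msg="Add system.admin kRm3x"',
    'date=2025-01-27 time=03:13:40 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Object attribute configured" user="kRm3x" ui="https(203.0.113.55)" action="Add" '
    'cfgpath="user.local" cfgobj="vpnsvc" cfgattr="" msg="Add user.local vpnsvc"',
    'date=2025-01-27 time=09:00:10 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Admin login successful" user="netops" ui="https(10.10.0.5)" srcip=10.10.0.5 '
    'action="login" status="success" profile="super_admin" msg="Administrator netops logged in successfully"',
]

# key=bare_value or key="quoted value"; quoted values may contain spaces or be empty.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortios_log(line):
    """Split one FortiOS key=value log line into a dict of strings."""
    fields = {}
    for key, quoted, bare in KV_RE.findall(line):
        fields[key] = bare if bare else quoted
    return fields


def triage(lines, trusted=TRUSTED_MGMT):
    """Return (rule, actor, object) findings for the three indicators discussed above:
    super_admin logins from outside the management network, new admin accounts,
    and new local users (SSL-VPN candidates). Order follows the input lines."""
    findings = []
    for line in lines:
        ev = parse_fortios_log(line)
        if ev.get("type") != "event" or ev.get("subtype") != "system":
            continue
        desc = ev.get("logdesc")
        if desc == "Admin login successful" and ev.get("profile") == "super_admin":
            src = ev.get("srcip")
            if src and not any(ipaddress.ip_address(src) in net for net in trusted):
                findings.append(("super_admin_login_untrusted_src", ev.get("user"), src))
        elif desc == "Object attribute configured" and ev.get("action") == "Add":
            path = ev.get("cfgpath")
            if path == "system.admin":
                findings.append(("admin_account_added", ev.get("user"), ev.get("cfgobj")))
            elif path == "user.local":
                findings.append(("local_user_added", ev.get("user"), ev.get("cfgobj")))
    return findings


if __name__ == "__main__":
    for rule, actor, obj in triage(SAMPLE_LOGS):
        print(f"{rule:34} actor={actor} object={obj}")
```

On the constructed sample the script flags the off-hours super_admin login from 203.0.113.55, the new admin account kRm3x, and the local user vpnsvc that kRm3x created, and stays silent on the netops login from the management subnet. Feed it the output of a log export or a SIEM query; a real deployment would also key account additions to a change-ticket allowlist rather than flagging every one.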

Fortinet edge devices are a recurring target: CVE-2022-40684 (authentication bypass, 2022), CVE-2023-27997 (SSL-VPN heap overflow, 2023), CVE-2024-21762 (SSL-VPN out-of-bounds write, 2024), CVE-2024-55591 (authentication bypass, 2025) and this CVE form a sustained pattern of pre-authentication exploitation of FortiOS from the internet.

Remediation

  1. Apply the fixed releases from the version table above. The CISA BOD 22-01 deadline was April 8, 2025.
  2. Take the administrative interface off the internet. The management GUI/API should never be reachable from untrusted networks: remove http and https from allowaccess on WAN-facing interfaces, restrict each admin account with trusthost entries, and use local-in policies to limit the remaining sources to a dedicated management network.
  3. Audit administrator accounts for unexpected accounts or changed access profiles. Do not bound the search to the February 11, 2025 CVE publication: the same flaw was exploited as CVE-2024-55591 from late 2024, so review changes going back at least that far.
  4. Review SSL-VPN local users, user groups and the firewall policies that reference them for unexpected additions or certificate changes.
  5. Check for persistence: new automation stitches or scripts, changed admin SSH and GUI settings, unexpected tunnels, and a running firmware image that does not match the expected signed release.
  6. If the device was already updated for CVE-2024-55591 it has this fix too, since advisory FG-IR-24-535 covers both; confirm the running version is at or above the fixed release rather than assuming.
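Steps 1 to 4 can be checked against a configuration backup instead of by clicking through the GUI. The following Python script is an added example, not part of the page or of Fortinet's tooling: it parses the config/edit/set/next/end layout of a FortiGate backup, reports WAN-role interfaces that still allow HTTP/HTTPS admin access, admin accounts outside an allowlist or lacking a trusthost restriction, unexpected local users, and compares the firmware version in the backup header against the affected ranges from the table above. The sample backup is constructed, the allowlists are assumptions, and the version ranges are those in the NVD description of the CVE.

```python
import re
import shlex

# Affected ranges from the NVD description of CVE-2025-24472 (advisory FG-IR-24-535):
# (product, major, minor) -> (first affected, last affected, first fixed).
AFFECTED = {
    ("FortiOS", 7, 0):    ((7, 0, 0), (7, 0, 16), (7, 0, 17)),
    ("FortiProxy", 7, 0): ((7, 0, 0), (7, 0, 19), (7, 0, 20)),
    ("FortiProxy", 7, 2): ((7, 2, 0), (7, 2, 12), (7, 2, 13)),
}

# Constructed sample backup; hostname, account names and addresses are invented.
SAMPLE_CONFIG = """\
#config-version=FGT60F-7.0.15-FW-build0632-241212:opmode=0:vdom=0:user=admin
config system global
    set hostname "FGT-EDGE"
end
config system interface
    edit "wan1"
        set role wan
        set allowaccess ping https ssh
    next
    edit "internal"
        set role lan
        set allowaccess ping https ssh
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 10.10.0.0 255.255.255.0
    next
    edit "kRm3x"
        set accprofile "super_admin"
    next
end
config user local
    edit "vpnsvc"
        set type password
    next
end
"""


def parse_version(text):
    """Extract (major, minor, patch) from 'v7.0.15,build0632' or a backup header line."""
    m = re.search(r"v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(product, version_text):
    """True when the product/version falls inside an affected range of CVE-2025-24472."""
    v = parse_version(version_text)
    rng = AFFECTED.get((product, v[0], v[1]))
    return rng is not None and rng[0] <= v <= rng[1]


def parse_fortigate_config(text):
    """Parse config/edit/set/next/end into nested dicts; leaf values are token lists,
    e.g. cfg['system interface']['wan1']['allowaccess'] == ['ping', 'https', 'ssh']."""
    root, stack, cur = {}, [], {}
    cur = root
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        kw = tokens[0]
        if kw in ("config", "edit"):          # descend into a new section or table entry
            stack.append(cur)
            cur = cur.setdefault(" ".join(tokens[1:]), {})
        elif kw == "set":
            cur[tokens[1]] = tokens[2:]
        elif kw in ("next", "end"):           # climb back out
            cur = stack.pop()
    return root


def exposed_admin_interfaces(cfg):
    """WAN-role interfaces that still permit HTTP/HTTPS administrative access."""
    hits = []
    for name, iface in cfg.get("system interface", {}).items():
        if "wan" in iface.get("role", []):
            exposed = sorted({"http", "https"} & set(iface.get("allowaccess", [])))
            if exposed:
                hits.append((name, exposed))
    return hits


def unexpected_admins(cfg, expected):
    """(admins not in the allowlist, admins with no trusthost restriction)."""
    admins = cfg.get("system admin", {})
    unknown = sorted(n for n in admins if n not in expected)
    no_trusthost = sorted(n for n, a in admins.items()
                          if not any(k.startswith("trusthost") for k in a))
    return unknown, no_trusthost


def unexpected_local_users(cfg, expected):
    """Local users (the usual SSL-VPN identities) not in the allowlist."""
    return sorted(n for n in cfg.get("user local", {}) if n not in expected)


if __name__ == "__main__":
    cfg = parse_fortigate_config(SAMPLE_CONFIG)
    header = SAMPLE_CONFIG.splitlines()[0]
    print("vulnerable:", is_vulnerable("FortiOS", header), parse_version(header))
    print("exposed admin access:", exposed_admin_interfaces(cfg))
    print("admins (unknown, no trusthost):", unexpected_admins(cfg, {"admin"}))
    print("unexpected local users:", unexpected_local_users(cfg, set()))
```

Against the constructed backup the script reports FortiOS 7.0.15 as vulnerable, https admin access on wan1, the account kRm3x as both unlisted and unrestricted by trusthost, and the local user vpnsvc. The expected-account sets should come from your change records, not from the device itself, since a compromised device's configuration is exactly what is in question.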

Key Details

Property               Value
CVE ID                 CVE-2025-24472
Vendor / Product       Fortinet — FortiOS and FortiProxy
NVD Published          2025-02-11
NVD Last Modified      2025-10-24
CVSS 3.1 Score         8.1
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity               HIGH
CWE                    CWE-288 (Authentication Bypass Using an Alternate Path or Channel)
CISA KEV Added         2025-03-18
CISA KEV Deadline      2025-04-08
Known Ransomware Use   Yes

CVSS 3.1 Breakdown

Attack Vector (AV):        Network
Attack Complexity (AC):    High
Privileges Required (PR):  None
User Interaction (UI):     None
Scope (S):                 Unchanged
Confidentiality (C):       High
Integrity (I):             High
Availability (A):          High

Required Action

CISA BOD 22-01 Deadline: 2025-04-08. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2025-01-14   Fortinet publishes advisory FG-IR-24-535 for CVE-2024-55591 with fixed releases; the same fix closes the CSF proxy path
2025-02-11   CVE-2025-24472 assigned and published; Fortinet adds it to FG-IR-24-535 as a second vector through the same flaw
2025-03-18   Added to CISA Known Exploited Vulnerabilities catalog
2025-04-08   CISA BOD 22-01 remediation deadline