Fortinet discloses second firewall auth bypass patched in January
Update 2/11/25 07:32 PM ET: After publishing our story, Fortinet has informed us that the new CVE-2025-24472 flaw added to FG-IR-24-535 today is not a zero-day and was already fixed in January.
Furthermore, even though today’s updated advisory indicates that both flaws were exploited in attacks and even includes a workaround for the new CSF proxy requests exploitation pathway, Fortinet says that only CVE-2024-55591 was exploited.
Fortinet told BleepingComputer that if a customer previously upgraded based on the guidance in FG-IR-24-535 / CVE-2024-55591, then they are already protected against the newly disclosed vulnerability.
The title of our story has been updated to reflect this new information, and our original article is below.
Fortinet warned today that attackers are exploiting another now-patched zero-day bug in FortiOS and FortiProxy to hijack Fortinet firewalls and breach enterprise networks.
Successful exploitation of this authentication bypass vulnerability (CVE-2025-24472) allows remote attackers to gain super-admin privileges by making maliciously crafted CSF proxy requests.
The security flaw impacts FortiOS 7.0.0 through 7.0.16, FortiProxy 7.0.0 through 7.0.19, and FortiProxy 7.2.0 through 7.2.12. Fortinet fixed it in FortiOS 7.0.17 or above and FortiProxy 7.0.20/7.2.13 or above.
Fortinet added the bug as a new CVE-ID to a security advisory issued last month cautioning customers that threat actors were exploiting a zero-day vulnerability in FortiOS and FortiProxy (tracked as CVE-2024-55591), which affected the same software versions. However, the now-fixed CVE-2024-55591 flaw could be exploited by sending malicious requests to the Node.js websocket module.
According to Fortinet, attackers exploit the two vulnerabilities to generate random admin or local users on affected devices, adding them to new and existing SSL VPN user groups. They have also been seen modifying firewall policies and other configurations and accessing SSLVPN instances with previously established rogue accounts “to gain a tunnel to the internal network.”
While Fortinet didn’t provide additional information on the campaign, cybersecurity company Arctic Wolf released a report with matching indicators of compromise (IOCs), saying vulnerable Fortinet FortiGate firewalls with Internet-exposed management interfaces have been under attack since at least mid-November.
“The campaign involved unauthorized administrative logins on management interfaces of firewalls, creation of new accounts, SSL VPN authentication through those accounts, and various other configuration changes,” Arctic Wolf Labs said.
“While the initial access vector is not definitively confirmed, a zero-day vulnerability is highly probable. Organizations should urgently disable firewall management access on public interfaces as soon as possible.”
Arctic Wolf Labs also provided this timeline for CVE-2024-55591 mass-exploitation attacks, saying it includes four unique phases:
- Vulnerability scanning (November 16, 2024 to November 23, 2024)
- Reconnaissance (November 22, 2024 to November 27, 2024)
- SSL VPN configuration (December 4, 2024 to December 7, 2024)
- Lateral Movement (December 16, 2024 to December 27, 2024)
“Given subtle differences in tradecraft and infrastructure between intrusions, it is possible that multiple individuals or groups may have been involved in this campaign, but jsconsole usage was a common thread across the board,” it added.
Arctic Wolf Labs added that it notified Fortinet about the attacks on December 12 and received confirmation from the company’s Product Security Incident Response Team (PSIRT) five days later that the activity was known and already under investigation.
Fortinet advised admins who can’t immediately deploy the security updates to secure vulnerable firewalls in the meantime by disabling the HTTP/HTTPS administrative interface, or by limiting the IP addresses that can reach it via local-in policies, as a workaround.
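The local-in policy workaround described above, written out as an added FortiOS CLI configuration fragment that is not taken from Fortinet's advisory: it assumes the Internet-facing interface is `port1`, an admin subnet of 10.10.50.0/24, and an address object named `mgmt-allowlist` (all three are assumed names and values). The first policy admits HTTP/HTTPS only from the allowlist; the second drops the same services from every other source.

```text
# Added example (not Fortinet's text). Assumed: interface port1,
# admin subnet 10.10.50.0/24 (constructed), object name mgmt-allowlist.

# 1. Address object for the hosts permitted to reach the admin GUI/API.
config firewall address
    edit "mgmt-allowlist"
        set subnet 10.10.50.0 255.255.255.0
    next
end

# 2. Local-in policies are matched top-down on traffic destined to the
#    firewall itself: accept the allowlist first, then deny everyone else.
config firewall local-in-policy
    edit 1
        set intf "port1"
        set srcaddr "mgmt-allowlist"
        set dstaddr "all"
        set service "HTTPS" "HTTP"
        set schedule "always"
        set action accept
    next
    edit 2
        set intf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "HTTPS" "HTTP"
        set schedule "always"
        set action deny
    next
end

# 3. The advisory's other option: remove HTTP/HTTPS admin access from the
#    exposed interface entirely (only SSH kept here, an assumed choice).
config system interface
    edit "port1"
        set allowaccess ssh
    next
end
```

Before relying on either change, confirm from a host outside the allowlist that the admin interface no longer answers, and make sure the subnet you administer from is inside `mgmt-allowlist` so the change does not lock you out.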
BleepingComputer reached out to a Fortinet spokesperson for comment but did not hear back by the time of publication.