CVE-2025-24472 – This authentication bypass vulnerability in For... (How to Fix)

Q: What is the severity of CVE-2025-24472?

CVE-2025-24472 has a CVSS score of 8.1 (HIGH). This authentication bypass vulnerability in FortiOS and FortiProxy allows remote unauthenticated attackers to gain super-admin privileges on downstream devices when Security Fabric is enabled. Attackers need prior knowledge of upstream and downstream device serial numbers to craft malicious CSF proxy requests. Organizations using affected Fortinet products with Security Fabric enabled are at risk.

📋 TL;DR

This authentication bypass vulnerability in FortiOS and FortiProxy allows remote unauthenticated attackers to gain super-admin privileges on downstream devices when Security Fabric is enabled. Attackers need prior knowledge of upstream and downstream device serial numbers to craft malicious CSF proxy requests. Organizations using affected Fortinet products with Security Fabric enabled are at risk.

💻 Affected Systems

Products:

FortiOS
FortiProxy

Versions: FortiOS 7.0.0-7.0.16, FortiProxy 7.2.0-7.2.12 and 7.0.0-7.0.19

Operating Systems: FortiOS, FortiProxy OS

Default Config Vulnerable: ⚠️ Yes

Notes: Only vulnerable when Security Fabric is enabled. Requires attacker knowledge of device serial numbers.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of downstream Fortinet devices with super-admin privileges, enabling data exfiltration, network pivoting, and persistent backdoor installation.

🟠

Likely Case

Unauthorized administrative access to downstream devices, allowing configuration changes, policy manipulation, and credential harvesting.

🟢

If Mitigated

Limited impact if Security Fabric is disabled or devices are isolated from untrusted networks.

🌐 Internet-Facing: HIGH - Remote unauthenticated exploitation possible if vulnerable devices are internet-facing.

🏢 Internal Only: MEDIUM - Requires attacker to have internal network access or compromised internal device.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Exploitation requires knowledge of device serial numbers, which may be obtained through information disclosure vulnerabilities or reconnaissance.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: FortiOS 7.0.17+, FortiProxy 7.2.13+, 7.0.20+

Vendor Advisory: https://fortiguard.fortinet.com/psirt/FG-IR-24-535

Restart Required: No

Instructions:

1. Log into FortiGate/FortiProxy admin interface. 2. Navigate to System > Firmware. 3. Download and install latest firmware version. 4. Verify upgrade completed successfully.

🔧 Temporary Workarounds

Disable Security Fabric

all

Temporarily disable Security Fabric feature to prevent exploitation.

config system csf
set status disable
end

Restrict CSF Communication

all

Limit Security Fabric communication to trusted IP addresses only.

config system csf
set upstream-ip <trusted_ip>
end

🧯 If You Can't Patch

Disable Security Fabric feature immediately
Implement network segmentation to isolate Fortinet devices from untrusted networks

🔍 How to Verify

Check if Vulnerable:

Check FortiOS/FortiProxy version and Security Fabric status via CLI: 'get system status' and 'diagnose sys csf status'

Check Version:

get system status | grep Version

Verify Fix Applied:

Verify version is patched: 'get system status' should show FortiOS 7.0.17+ or FortiProxy 7.2.13+/7.0.20+

📡 Detection & Monitoring

Log Indicators:

Unusual CSF proxy requests
Authentication events from unexpected sources
Configuration changes by unknown administrators

Network Indicators:

Anomalous CSF protocol traffic
Unauthorized administrative access attempts

SIEM Query:

source="fortigate" AND (eventtype="csf" OR eventtype="authentication") AND (status="failed" OR user="super_admin")

📊 Metadata

CVE ID: CVE-2025-24472

CVSS v3 Score: 8.1 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-288

EPSS Score: 4.37% exploit probability (88.7th percentile)

CISA KEV: Actively Exploited added Mar 18, 2025

Published: February 11, 2025

Last Updated: October 24, 2025

🔗 References

https://fortiguard.fortinet.com/psirt/FG-IR-24-535 Vendor Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-24472 US Government Resource

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-24472, you might also want to check these: