CVE-2025-24472
Published: 11 February 2025
Summary
CVE-2025-24472 is a high-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in Fortinet FortiOS and FortiProxy. Its CVSS base score is 8.1 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 6.6% of CVEs by exploit likelihood (EPSS), and CISA has added it to its Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-24472 is an authentication bypass vulnerability (CWE-288) that affects FortiOS versions 7.0.0 through 7.0.16 and FortiProxy versions 7.2.0 through 7.2.12 as well as 7.0.0 through 7.0.19. When the Security Fabric feature is enabled, the flaw permits a remote attacker to reach a downstream device through crafted CSF proxy requests that abuse an alternate path, ultimately obtaining super-admin privileges without presenting valid credentials.
An unauthenticated attacker who already knows the serial numbers of both upstream and downstream devices in a Security Fabric topology can exploit the issue over the network. Successful exploitation grants full administrative control of the downstream FortiOS or FortiProxy system, allowing arbitrary configuration changes, data access, or further lateral movement within the fabric.
The Fortinet advisory FG-IR-24-535 and the CISA Known Exploited Vulnerabilities catalog both reference the issue and direct administrators to apply the vendor-supplied patches. The current EPSS score of 0.1043 equals its peak to date, so the modelled exploitation probability has not fallen since disclosure.
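The affected ranges above are inclusive and product-specific, and the bug is only reachable when the Security Fabric is enabled, so a fleet check has to combine version and CSF state. The following is an added triage script, not code from the page or from Fortinet: the version ranges are the ones stated above, the `v7.0.15,build0632,... (GA.M)` version-string shape is an assumption about `get system status` output, and the inventory rows and hostnames are constructed for the example.

```python
"""Triage an inventory of FortiOS/FortiProxy devices against the CVE-2025-24472
affected ranges stated on this page. Added example; not Fortinet's code."""
import re

# Inclusive affected ranges as listed in the advisory text above. Check the
# vendor advisory (FG-IR-24-535) for the authoritative list before relying on this.
AFFECTED = {
    "FortiOS": [((7, 0, 0), (7, 0, 16))],
    "FortiProxy": [((7, 2, 0), (7, 2, 12)), ((7, 0, 0), (7, 0, 19))],
}

# Assumed version-string shape: optional leading "v", then major.minor.patch,
# optionally followed by ",buildNNNN,..." as printed by `get system status`.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")

PATCH_NOW = "affected; Security Fabric enabled: patch immediately"
PATCH = "affected; Security Fabric disabled: patch before enabling CSF"
NOT_AFFECTED = "not affected by the ranges listed here"


def parse_version(text):
    """Return (major, minor, patch) from a FortiOS/FortiProxy version string."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(product, version):
    """True if `version` of `product` falls inside any listed affected range."""
    ranges = AFFECTED.get(product)
    if ranges is None:
        raise ValueError(f"no affected-range data for product {product!r}")
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in ranges)


def triage(inventory):
    """Map hostname -> status for rows of (host, product, version, csf_enabled).

    A vulnerable build with the Security Fabric enabled is the exploitable
    condition described above; a vulnerable build with CSF disabled still
    needs the patch, but is not reachable through the CSF path right now.
    """
    results = {}
    for host, product, version, csf_enabled in inventory:
        if not is_affected(product, version):
            results[host] = NOT_AFFECTED
        elif csf_enabled:
            results[host] = PATCH_NOW
        else:
            results[host] = PATCH
    return results


# Constructed sample inventory; hostnames and build numbers are made up.
SAMPLE_INVENTORY = [
    ("fw-edge-01", "FortiOS", "v7.0.15,build0632,240516 (GA.M)", True),
    ("fw-edge-02", "FortiOS", "v7.0.17", True),
    ("fw-core-01", "FortiOS", "v7.2.5", True),
    ("proxy-01", "FortiProxy", "v7.2.12", False),
    ("proxy-02", "FortiProxy", "v7.0.20", True),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

The boundary builds matter: 7.0.16 (FortiOS), 7.2.12 and 7.0.19 (FortiProxy) are the last affected releases in each branch, so the comparison is inclusive on both ends, and a branch the page does not list (for example FortiOS 7.2.x) is reported as not affected by these ranges rather than silently skipped.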
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-3725
Vulnerability details
An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS 7.0.0 through 7.0.16 and FortiProxy 7.2.0 through 7.2.12, 7.0.0 through 7.0.19 may allow a remote unauthenticated attacker with prior knowledge of upstream and downstream devices serial numbers to gain super-admin privileges on the downstream device, if the Security Fabric is enabled, via crafted CSF proxy requests.
- CWE(s): CWE-288 (Authentication Bypass Using an Alternate Path or Channel)
- KEV Date Added: 18 March 2025
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
The vulnerability is a remote, unauthenticated authentication bypass in FortiOS/FortiProxy (public-facing network security devices) triggered by crafted CSF proxy requests when the Security Fabric is enabled. Exploiting it is exploitation of a public-facing application for initial access, and it yields super-admin privileges on the downstream device in the same step.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mitigates the CVE by identifying, reporting, and applying the vendor patches for the authentication bypass flaw in the FortiOS and FortiProxy Security Fabric.
- AC-4 (Information Flow Enforcement): enforces approved information flow policies between upstream and downstream Security Fabric devices, blocking the unauthorized alternate path or channel that crafted CSF proxy requests exploit.
- SI-10 (Information Input Validation): validates the content of CSF proxy requests so that crafted requests carrying known device serial numbers are rejected rather than processed as an authentication bypass.