CVE-2025-24472
Published: 11 February 2025
Summary
CVE-2025-24472 is a high-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in Fortinet FortiProxy. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 6.7% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly mitigates the CVE by identifying, reporting, and applying vendor patches for the authentication bypass flaw in FortiOS and FortiProxy Security Fabric.
Enforces approved information flow policies between upstream and downstream Security Fabric devices, blocking unauthorized alternate paths or channels exploited by crafted CSF proxy requests.
Validates inputs in CSF proxy requests to prevent processing of crafted packets that bypass authentication using known device serial numbers.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a remote unauthenticated authentication bypass in FortiOS/FortiProxy (public-facing network security devices) via crafted requests when Security Fabric is enabled, directly enabling exploitation of a public-facing application for initial access and admin privileges.
NVD Description
An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS 7.0.0 through 7.0.16 and FortiProxy 7.2.0 through 7.2.12, 7.0.0 through 7.0.19 may allow a remote unauthenticated attacker with prior knowledge of upstream and downstream devices' serial numbers to gain super-admin privileges on the downstream device, if the Security Fabric is enabled, via crafted CSF proxy requests.
Deeper analysis
CVE-2025-24472 is an Authentication Bypass Using an Alternate Path or Channel vulnerability (CWE-288) with a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H). It affects FortiOS versions 7.0.0 through 7.0.16 and FortiProxy versions 7.2.0 through 7.2.12 as well as 7.0.0 through 7.0.19.
A remote unauthenticated attacker with prior knowledge of the serial numbers of upstream and downstream devices can exploit the vulnerability if Security Fabric is enabled. By sending crafted CSF proxy requests, the attacker may gain super-admin privileges on the downstream device.
The Fortinet PSIRT advisory provides details on mitigation and patches at https://fortiguard.fortinet.com/psirt/FG-IR-24-535. The vulnerability is also listed in CISA's Known Exploited Vulnerabilities Catalog at https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-24472, indicating active real-world exploitation.
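As an added example (not from the advisory, NVD or Fortinet), the following Python helper triages a device inventory against the affected version ranges stated above, using the Security Fabric precondition named in the advisory to prioritise remediation. The hostnames and inventory rows are constructed sample data.

```python
# Added example: triage Fortinet devices against the version ranges the
# advisory lists for CVE-2025-24472. Ranges are taken from the advisory text;
# everything in SAMPLE_INVENTORY is constructed, not real.

AFFECTED_RANGES = {
    # product: list of (first_affected, last_affected), bounds inclusive
    "FortiOS":    [((7, 0, 0), (7, 0, 16))],
    "FortiProxy": [((7, 2, 0), (7, 2, 12)), ((7, 0, 0), (7, 0, 19))],
}

def parse_version(text):
    """Turn '7.0.16' into (7, 0, 16); reject anything not of the form X.Y.Z."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(int(p) for p in parts)

def is_affected(product, version):
    """True when product/version falls inside a range listed in the advisory."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES.get(product, []))

def triage(inventory):
    """Classify each device. Security Fabric being enabled is the exploitation
    precondition given in the advisory, so a listed build with it disabled
    is 'patch' rather than 'urgent'. Builds outside the listed ranges are
    reported as such, not asserted to be safe."""
    results = {}
    for host, product, version, fabric_enabled in inventory:
        if not is_affected(product, version):
            results[host] = "not in listed affected range"
        elif fabric_enabled:
            results[host] = "urgent: vulnerable build, Security Fabric enabled"
        else:
            results[host] = "patch: vulnerable build, Security Fabric disabled"
    return results

# Constructed inventory: (hostname, product, version, security_fabric_enabled)
SAMPLE_INVENTORY = [
    ("fw-edge-01", "FortiOS", "7.0.16", True),    # last listed FortiOS build
    ("fw-edge-02", "FortiOS", "7.0.17", True),    # just past the listed range
    ("fw-core-01", "FortiOS", "7.2.10", True),    # FortiOS 7.2 branch not listed
    ("px-dmz-01", "FortiProxy", "7.2.12", False), # listed, but Fabric disabled
    ("px-dmz-02", "FortiProxy", "7.0.20", True),  # past the 7.0.19 upper bound
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
```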
Details
- CWE(s): CWE-288
- KEV Date Added: 18 March 2025