Cyber Resilience

CVE-2025-24472

HighCISA KEVActive ExploitationEUVD ExploitedRansomware-linked

Published: 11 February 2025

Published
11 February 2025
Modified
24 October 2025
KEV Added
18 March 2025
Patch
CVSS Score v3.1 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.1043 93.4th percentile
Risk Priority 42 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-24472 is a high-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in Fortinet Fortiproxy. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 6.6% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-24472 is an authentication bypass vulnerability (CWE-288) that affects FortiOS versions 7.0.0 through 7.0.16 and FortiProxy versions 7.2.0 through 7.2.12 as well as 7.0.0 through 7.0.19. When the Security Fabric feature is enabled, the flaw permits a remote attacker to reach a downstream device through crafted CSF proxy requests that abuse an alternate path, ultimately obtaining super-admin privileges without presenting valid credentials.

An unauthenticated attacker who already knows the serial numbers of both upstream and downstream devices in a Security Fabric topology can exploit the issue over the network. Successful exploitation grants full administrative control of the downstream FortiOS or FortiProxy system, allowing arbitrary configuration changes, data access, or further lateral movement within the fabric.

The Fortinet advisory FG-IR-24-535 and the CISA Known Exploited Vulnerabilities catalog both reference the issue and direct administrators to apply the vendor-supplied patches. The current and peak EPSS scores are identical at 0.1043, indicating no material post-disclosure rise in exploitation probability.

EU & UK References

Vulnerability details

An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS 7.0.0 through 7.0.16 and FortiProxy 7.2.0 through 7.2.12, 7.0.0 through 7.0.19 may allow a remote unauthenticated attacker with prior knowledge of upstream and downstream devices serial numbers…

more

to gain super-admin privileges on the downstream device, if the Security Fabric is enabled, via crafted CSF proxy requests.

CWE(s)
KEV Date Added
18 March 2025

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is a remote unauthenticated authentication bypass in FortiOS/FortiProxy (public-facing network security devices) via crafted requests when Security Fabric is enabled, directly enabling exploitation of a public-facing application for initial access and admin privileges.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-55591Same product: Fortinet Fortiosboth on KEV
CVE-2024-26009Same product: Fortinet Fortios
CVE-2026-24858Same product: Fortinet Fortiosboth on KEV
CVE-2025-59718Same product: Fortinet Fortiosboth on KEV
CVE-2024-26006Same product: Fortinet Fortios
CVE-2024-35279Same product: Fortinet Fortios
CVE-2025-53847Same product: Fortinet Fortios
CVE-2024-45324Same product: Fortinet Fortios
CVE-2026-22153Same product: Fortinet Fortios
CVE-2025-25249Same product: Fortinet Fortios

Affected Assets

fortinet
fortiproxy
7.0.0 — 7.0.20 · 7.2.0 — 7.2.13
fortinet
fortios
7.0.0 — 7.0.17

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the CVE by identifying, reporting, and applying vendor patches for the authentication bypass flaw in FortiOS and FortiProxy Security Fabric.

prevent

Enforces approved information flow policies between upstream and downstream Security Fabric devices, blocking unauthorized alternate paths or channels exploited by crafted CSF proxy requests.

prevent

Validates inputs in CSF proxy requests to prevent processing of crafted packets that bypass authentication using known device serial numbers.

References