CVE-2025-24472
Fortinet FortiOS and FortiProxy Authentication Bypass Vulnerability
CVSS
8.1
High
EPSS
3.1%
p86
KEV
YES
Mar 18, 2025
Exploit Today
76
0-100
Published: Feb 11, 2025 · Last modified: Jul 8, 2026 · CWE-288
Product
Fortinet / FortiOS and FortiProxy
Vulnerability
Fortinet FortiOS and FortiProxy Authentication Bypass Vulnerability
Added to KEV
Mar 18, 2025
Remediate by
Apr 8, 2025
Known ransomware use
Yes
Summary description
Fortinet FortiOS and FortiProxy contain an authentication bypass vulnerability that allows a remote attacker to gain super-admin privileges via crafted CSF proxy requests.
Required action
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes
https://fortiguard.fortinet.com/psirt/FG-IR-24-535 ; https://nvd.nist.gov/vuln/detail/CVE-2025-24472
An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS 7.0.0 through 7.0.16 and FortiProxy 7.2.0 through 7.2.12, 7.0.0 through 7.0.19 may allow a remote unauthenticated attacker with prior knowledge of upstream and downstream devices serial numbers to gain super-admin privileges on the downstream device, if the Security Fabric is enabled, via crafted CSF proxy requests.