PT-2025-6278 · Fortinet · Fortiproxy+1

Published: 2025-01-14 · Updated: 2026-04-02 · CVE-2025-24472

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

FortiOS versions 7.0.0 through 7.0.16
FortiProxy versions 7.0.0 through 7.0.19
FortiProxy versions 7.2.0 through 7.2.12
Description

A critical authentication bypass exists in FortiOS and FortiProxy that may allow a remote, unauthenticated attacker to gain super-admin privileges. The bypass is achieved through crafted CSF proxy requests, or through the Node.js websocket module, via an alternate path or channel. The issue is actively exploited in the wild, with reports linking it to ransomware activity, specifically the SuperBlack ransomware and possible ties to LockBit operations. Approximately 7.1 million services are potentially affected worldwide. By bypassing the authentication mechanisms, an attacker can potentially gain full administrative control of the system, modify firewall configurations, and establish SSL VPN tunnels for remote access to internal networks. The flaw lies in the handling of proxy requests and the authentication process within the Security Fabric.
Recommendations

FortiOS versions prior to 7.0.17
FortiProxy versions prior to 7.2.13
FortiProxy versions prior to 7.0.20
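The affected ranges and first fixed releases above are easy to misread when comparing dotted version strings by hand or in a script. The following is an added example, not part of this advisory or of any Fortinet tooling: a small Python triage helper that parses a FortiOS/FortiProxy version string into comparable integer tuples, reports whether it falls inside one of the affected ranges listed on this page, and names the first fixed release. The product names and ranges come from the advisory text; the parsing and comparison logic, and the sample inventory, are this example's own constructions.

```python
# Added example (not from the advisory): checks whether an observed FortiOS or
# FortiProxy version falls inside the affected ranges listed above and, if so,
# names the first fixed release. Ranges are taken from the advisory text; the
# parsing/comparison logic and the sample inventory are constructed here.
from typing import Optional, Tuple, List

Version = Tuple[int, ...]

# (product, first affected, last affected, first fixed) as stated in the advisory
AFFECTED_RANGES = [
    ("FortiOS",    "7.0.0", "7.0.16", "7.0.17"),
    ("FortiProxy", "7.0.0", "7.0.19", "7.0.20"),
    ("FortiProxy", "7.2.0", "7.2.12", "7.2.13"),
]


def parse_version(text: str) -> Version:
    """Turn '7.0.16' (or 'v7.0.16') into a comparable tuple (7, 0, 16).

    Comparing dotted versions as plain strings is a classic triage bug:
    '7.0.9' > '7.0.16' lexically, so integer tuples are compared instead.
    """
    cleaned = text.strip().lstrip("vV")
    parts = cleaned.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def check_version(product: str, version: str) -> Optional[str]:
    """Return the first fixed release if (product, version) is affected, else None."""
    observed = parse_version(version)
    for name, lo, hi, fixed in AFFECTED_RANGES:
        if name.lower() != product.lower():
            continue
        if parse_version(lo) <= observed <= parse_version(hi):
            return fixed
    return None


def triage(inventory: List[Tuple[str, str, str]]) -> dict:
    """Map each (host, product, version) record to its first fixed version, or None."""
    return {host: check_version(product, version) for host, product, version in inventory}


if __name__ == "__main__":
    # Constructed sample inventory; host names and versions are illustrative only.
    sample = [
        ("fw-edge-01", "FortiOS", "7.0.16"),
        ("fw-edge-02", "FortiOS", "7.0.17"),
        ("px-01", "FortiProxy", "7.2.9"),
        ("px-02", "FortiProxy", "7.0.20"),
    ]
    for host, fixed in triage(sample).items():
        if fixed:
            print(f"{host}: AFFECTED, first fixed release {fixed}")
        else:
            print(f"{host}: not in an affected range listed by this advisory")
```

Hosts that the helper reports as not affected are only outside the ranges this advisory lists; an inventory check of this kind complements, rather than replaces, the vendor's own guidance.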

Fix

Weakness Enumeration

Authentication Bypass Using an Alternate Path or Channel
Missing Authentication

Related Identifiers

BDU:2025-01474
CVE-2025-24472

Affected Products

FortiOS
FortiProxy