April 20, 2025
Proactive Defense: The Importance of Incident Response Planning in Cybersecurity
Multiple Intel Products Vulnerabilities
March 19, 2025DocSwap Malware Masquerades as Security Document Viewer to Target Android Users Globally – Active IOCs
March 19, 2025Multiple Intel Products Vulnerabilities
March 19, 2025DocSwap Malware Masquerades as Security Document Viewer to Target Android Users Globally – Active IOCs
March 19, 2025
Severity
High
Analysis Summary
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical alert regarding an actively exploited authentication bypass vulnerability in Fortinet’s FortiOS and FortiProxy systems. Tracked as CVE-2025-24472 and classified under CWE-288, the vulnerability allows remote attackers to gain super-admin privileges through crafted CSF proxy requests without user interaction. With a CVSS score of 8.1, this high-severity flaw has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog due to its exploitation in ransomware campaigns, posing a serious threat to affected organizations.
The vulnerability affects FortiOS versions 7.0.0 through 7.0.16, FortiProxy versions 7.0.0 through 7.0.19, and FortiProxy versions 7.2.0 through 7.2.12. If successfully exploited, attackers could gain full administrative control, allowing them to create rogue admin accounts, modify firewall policies, and access SSL VPNs to infiltrate internal networks. The ability to manipulate security controls and establish persistent access makes this vulnerability particularly dangerous, especially in targeted ransomware attacks.
To mitigate the risk, CISA urges organizations to follow vendor instructions, apply patches, or discontinue use if updates are unavailable. Fortinet has released fixes in FortiOS 7.0.17 and later, as well as FortiProxy 7.0.20/7.2.13. For entities unable to patch immediately, temporary measures include disabling the HTTP/HTTPS administrative interface and enforcing IP-based access controls through local-in policies. Security teams should also monitor for suspicious administrative logins via “jsconsole” or unexpected admin account creation.
As part of a proactive defense strategy, organizations should integrate the KEV catalog into their vulnerability management processes, prioritizing remediation efforts to minimize exposure. Continuous monitoring, log analysis, and strict access control policies will help reduce the likelihood of exploitation. Given the active abuse of this flaw, cybersecurity teams must act swiftly to prevent unauthorized access and potential ransomware infections.
Impact
- Gain Access
Indicators of Compromise
CVE
CVE-2025-24472
Affected Vendors
- Fortinet
Affected Products
- Fortinet FortiOS - 7.0.0
- Fortinet FortiProxy - 7.2.0 - 7.0.0
Remediation
Upgrade to the latest version, available from the Fortiguard Website.
