Pierluigi Paganini February 11, 2025

Fortinet warned of attacks using a now-patched zero-day vulnerability in FortiOS and FortiProxy to hijack Fortinet firewalls.

Fortinet warned that threat actors are exploiting a new zero-day vulnerability, tracked as CVE-2025-24472 (CVSS score of 8.1), in FortiOS and FortiProxy to hijack Fortinet firewalls.

The vulnerability is an authentication bypass issue that could allow a remote attacker to gain super-admin privileges by making maliciously crafted CSF proxy requests.

“An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS 7.0.0 through 7.0.16 and FortiProxy 7.2.0 through 7.2.12, 7.0.0 through 7.0.19 may allow a remote attacker to gain super-admin privileges via crafted CSF proxy requests.” reads the advisory.

The vulnerability impacts FortiOS 7.0.0 through 7.0.16, FortiProxy 7.0.0 through 7.0.19, and FortiProxy 7.2.0 through 7.2.12. Fortinet fixed it in FortiOS 7.0.17 or above and FortiProxy 7.0.20/7.2.13 or above.

Fortinet added this vulnerability to an advisory related to the vulnerability CVE-2024-55591 disclosed in January. The flaw CVE-2024-55591 is an Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS version 7.0.0 through 7.0.16 and FortiProxy version 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12. The flaw could allow a remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module.

“An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS and FortiProxy may allow a remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module or via crafted CSF proxy requests.” reads the advisory. “Please note that reports show this is being exploited in the wild.”

Threat actors exploit the flaws to create rogue admin or local users, modify firewall policies, and access SSL VPNs to gain access to internal networks.

Fortinet also provides temporary mitigation for this issue, the company recommends disabling the HTTP/HTTPS administrative interface or limiting the IP addresses that can reach it via local-in policies.

Arctic Wolf researchers recently observed attacks on Fortinet FortiGate firewalls, involving unauthorized logins, account creation, and config changes.

Arctic Wolf states that the present campaign can spit in 4 distinct phases:

1. Vulnerability scanning (November 16, 2024 to November 23, 2024)
2. Reconnaissance (November 22, 2024 to November 27, 2024)
3. SSL VPN configuration (December 4, 2024 to December 7, 2024)
4. Lateral Movement (December 16, 2024 to December 27, 2024)

The company speculates that threat actors likely exploited a zero-day flaw in the targeted systems.

“In early December, Arctic Wolf Labs began observing a campaign involving suspicious activity on Fortinet FortiGate firewall devices. By gaining access to management interfaces on affected firewalls, threat actors were able to alter firewall configurations. In compromised environments, threat actors were observed extracting credentials using DCSync.” states Arctic Wolf. “While the initial access vector used in this campaign is not yet confirmed, Arctic Wolf Labs assesses with high confidence that mass exploitation of a zero-day vulnerability is likely given the compressed timeline across affected organizations as well as firmware versions affected.”

Arctic Wolf Labs reported the campaign to Fortinet on Dec 12, 2024, and FortiGuard Labs confirmed awareness and investigation on December 17, 2024.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini(SecurityAffairs –hacking, Fortinet)