overview

CVE-2025-24472 is a high-severity authentication bypass vulnerability affecting Fortinet's FortiOS and FortiProxy products. This flaw allows remote attackers to gain super-admin privileges by sending specially crafted Cooperative Security Fabric (CSF) proxy requests. The affected versions are: 

  • FortiOS: versions 7.0.0 through 7.0.16 
  • FortiProxy: versions 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12 

Fortinet addressed this vulnerability in January 2024 with the release of the following updates: 

  • FortiOS: versions 7.0.17 and later 
  • FortiProxy: versions 7.0.20, 7.2.13, and later 

Last month, Arctic Wolf confirmed that this vulnerability was under active exploitation and directly observed one campaign that made extensive use of CVE-2025-24472. 

It's important to note that if you have already applied these updates to mitigate CVE-2024-55591, your systems are also protected against CVE-2025-24472. As of now, there are no reports of this vulnerability being actively exploited in the wild.  

For users unable to apply the patches immediately, Fortinet recommends disabling the HTTP/HTTPS administrative interface or restricting access to trusted IP addresses as temporary mitigation measures. 

how avertium is protecting our customers

IOCs ADDED TO OUR THREAT FEEDS

NOTE: Avertium is actively searching across all monitored environments for the IoCs listed below. If any are discovered, we will reach out to you directly. If your environment, or portions of it, is not currently being monitored, please reach out to your Service Delivery Manager.

Type | Indicator
Log Entry - Admin Login | type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" sn="1733486785" user="admin" ui="jsconsole" method="jsconsole" srcip=1.1.1.1 dstip=1.1.1.1 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from jsconsole"
Log Entry - Admin Account Creation | type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="jsconsole(127.0.0.1)" action="Add" cfgtid=1411317760 cfgpath="system.admin" cfgobj="vOcep" cfgattr="password[*]accprofile[super_admin]vdom[root]" msg="Add system.admin vOcep"
IP Address - Observed Source | 45.55.158.47
IP Address - Observed Source | 87.249.138.47
IP Address - Observed Source | 155.133.4.175
IP Address - Observed Source | 37.19.196.65
IP Address - Observed Source | 149.22.94.37
Username - Randomly Generated | Gujhmk
Username - Randomly Generated | Ed8x4k
Username - Randomly Generated | G0xgey
Username - Randomly Generated | Pvnw81
Username - Randomly Generated | Alg7c4
Username - Randomly Generated | Ypda8a
Username - Randomly Generated | Kmi8p4
Username - Randomly Generated | 1a2n6t
Username - Randomly Generated | 8ah1t6
Username - Randomly Generated | M4ix9f
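As an added example (not part of Avertium's notice or Fortinet's tooling), the Python below parses FortiOS key=value event-log lines and flags the two log patterns from the IoC table: a successful admin login whose ui is jsconsole, and an "Add" to system.admin that grants accprofile[super_admin]. The sample lines are constructed from the two quoted entries plus one benign HTTPS login, and the field names follow those entries; the finding labels are this example's own.

```python
import re

# Constructed sample lines modelled on the two IoC log entries above, plus a
# benign GUI login from the LAN that must not alert. Values are constructed.
SAMPLE_LOGS = [
    'type="event" subtype="system" level="information" vd="root" '
    'logdesc="Admin login successful" user="admin" ui="jsconsole" method="jsconsole" '
    'srcip=1.1.1.1 dstip=1.1.1.1 action="login" status="success" reason="none" '
    'profile="super_admin" msg="Administrator admin logged in successfully from jsconsole"',
    'type="event" subtype="system" level="information" vd="root" '
    'logdesc="Object attribute configured" user="admin" ui="jsconsole(127.0.0.1)" '
    'action="Add" cfgtid=1411317760 cfgpath="system.admin" cfgobj="vOcep" '
    'cfgattr="password[*]accprofile[super_admin]vdom[root]" msg="Add system.admin vOcep"',
    'type="event" subtype="system" level="information" vd="root" '
    'logdesc="Admin login successful" user="admin" ui="https(10.0.0.5)" method="https" '
    'srcip=10.0.0.5 action="login" status="success" profile="super_admin" '
    'msg="Administrator admin logged in successfully from https(10.0.0.5)"',
]

# key=value pairs; the value is either a double-quoted string or a bare token.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_fortios_log(line):
    """Return the key=value fields of one FortiOS log line as a dict."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in KV_RE.finditer(line)}


def classify(fields):
    """Name the IoC pattern an event matches, or None if it matches neither."""
    ui = fields.get("ui", "")
    # Pattern 1: successful admin login through the jsconsole UI.
    if fields.get("logdesc") == "Admin login successful" and ui.startswith("jsconsole"):
        return "jsconsole_admin_login"
    # Pattern 2: a new system.admin object created with the super_admin profile.
    if (fields.get("cfgpath") == "system.admin" and fields.get("action") == "Add"
            and "accprofile[super_admin]" in fields.get("cfgattr", "")):
        return "super_admin_account_created"
    return None


def scan(lines):
    """Return (finding, acting user, created account or source IP) per matching line."""
    findings = []
    for line in lines:
        fields = parse_fortios_log(line)
        name = classify(fields)
        if name:
            findings.append((name, fields.get("user"), fields.get("cfgobj") or fields.get("srcip")))
    return findings
```

Run scan over exported FortiOS event logs; pattern 2 by itself also catches super_admin account creation that arrives via a different UI.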

TTPs TO MONITOR

🔹 Initial Access 

  • T1133 – External Remote Services 
    • Attackers exploit remote administrative interfaces (e.g., HTTP/HTTPS) to gain unauthorized access. 
    • Example: Exploiting the authentication bypass vulnerability in FortiOS to gain admin-level access.

🔹 Persistence 

  • T1078 – Valid Accounts (Privilege Escalation via Admin Access) 
    • Attackers may create new administrator accounts to maintain persistent access. 
    • Example: Observed logs showing attackers creating admin accounts such as "Gujhmk", "Ed8x4k", "G0xgey" after exploiting the vulnerability. 
  • T1098 – Account Manipulation 
    • Attackers modify user permissions or create backdoor accounts to retain long-term control. 

🔹 Defense Evasion 

  • T1562.001 – Impair Defenses: Disable or Modify Tools 
    • Attackers may disable logging, firewall rules, or security policies to evade detection. 
  • T1070.004 – Indicator Removal on Host: File Deletion 
    • Attackers may attempt to clear logs or delete evidence of their presence. 

additional recommendations + information

Apply Patches Immediately 

Fortinet has released patches to address this authentication bypass vulnerability. Upgrade to the following versions to mitigate the risk: 

  • FortiOS: Upgrade to 7.0.17 or later. 
  • FortiProxy: Upgrade to 7.0.20, 7.2.13, or later. 

If you have already applied patches for CVE-2024-55591, your system is also protected against CVE-2025-24472. 

If you cannot apply patches right away, consider the following temporary mitigations: 

Restrict Administrative Interface Access 

  • Disable HTTP/HTTPS administrative access from the internet. 
  • Restrict admin access to trusted IP addresses (e.g., internal networks or VPN-only access). 

ADDITIONAL SERVICE OFFERINGS

  • Fusion MXDR is the first MDR offering that fuses together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity, one that is greater than the sum of its parts.
  • Security Information and Event Management (SIEM) - Minimizing the impact of a successful ransomware or malware attack requires detecting it as early in the attack as possible. A Security Information and Event Management (SIEM) system can help an organization to accomplish this. Avertium offers a comprehensive SIEM-based approach that increases the potential for detecting a ransomware infection before it deploys. SIEM provides a holistic overview of a company’s IT environment from a single point of view in terms of its specific security events, empowering teams to detect and analyze unusual behavior. 
  • Avertium aligns your Cybersecurity Strategy with your business strategy, ensuring that your investment in security is also an investment in your business. Our Cybersecurity Strategy service includes:  
    • Strategic Security Assessments - Strengthening your security posture begins with knowing where your current program stands (NIST CSF, Security Architecture, Business Impact Analysis, Sensitive Data Inventory, Network Virtualization and Cloud Assessment). 
    • Threat Mapping – Leverage Avertium’s Cyber Threat Intelligence, getting a more informed view of your most likely attack scenarios (Threat Assessment and MITRE ATT&CK). 
    • Cyber Maturity Roadmap - Embrace a comprehensive, quantifiable, and well-organized approach to establishing and continuously enhancing your cybersecurity resilience (Policy + Procedure Development, Virtual CISO (VCISO), Training + Enablement, Tabletop Exercises, and Business Continuity + Disaster Recovery Plan).

SUPPORTING DOCUMENTATION

Fortinet discloses second authentication bypass vulnerability 

CVE-2025-24472 Detail 

Console Chaos: A Campaign Targeting Publicly Exposed Management Interfaces on Fortinet FortiGate Firewalls 

Fortinet Advisory 24-535 
