Flash Notice: CVE-2025-24472 Actively Exploited - Patch and Manage

overview

CVE-2025-24472 is a high-severity authentication bypass vulnerability affecting Fortinet's FortiOS and FortiProxy products. This flaw allows remote attackers to gain super-admin privileges by sending specially crafted Cooperative Security Fabric (CSF) proxy requests. The affected versions are: 

• FortiOS: versions 7.0.0 through 7.0.16 

• FortiProxy: versions 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12 

Fortinet addressed this vulnerability in January 2024 with the release of the following updates: 

• FortiOS: versions 7.0.17 and later 

• FortiProxy: versions 7.0.20, 7.2.13, and later 

Last month, Arctic Wolf confirmed that this vulnerability was under active exploitation and directly observed one campaign that made extensive use of CVE-2025-24472. 

It's important to note that if you have already applied these updates to mitigate CVE-2024-55591, your systems are also protected against CVE-2025-24472. As of now, there are no reports of this vulnerability being actively exploited in the wild.  

For users unable to apply the patches immediately, Fortinet recommends disabling the HTTP/HTTPS administrative interface or restricting access to trusted IP addresses as temporary mitigation measures. 

how avertium is protecting our customers

IOCs ADDED TO OUR THREAT FEEDS

TTPs TO MONITOR

🔹 Initial Access 

• T1133 – External Remote Services 
  • Attackers exploit remote administrative interfaces (e.g., HTTP/HTTPS) to gain unauthorized access. 
  • Example: Exploiting the authentication bypass vulnerability in FortiOS to gain admin-level access.

🔹 Persistence 

• T1078 – Valid Accounts (Privilege Escalation via Admin Access) 
  • Attackers may create new administrator accounts to maintain persistent access. 
  • Example: Observed logs showing attackers creating admin accounts such as "Gujhmk", "Ed8x4k", "G0xgey" after exploiting the vulnerability. 
• T1098 – Account Manipulation 
  • Attackers modify user permissions or create backdoor accounts to retain long-term control. 

🔹 Defense Evasion 

• T1562.001 – Impair Defenses: Disable or Modify Tools 
  • Attackers may disable logging, firewall rules, or security policies to evade detection. 
• T1070.004 – Indicator Removal on Host: File Deletion 
  • Attackers may attempt to clear logs or delete evidence of their presence. 

additional recommendations + information

Apply Patches Immediately 

Fortinet has released patches to address this authentication bypass vulnerability. Upgrade to the following versions to mitigate the risk: 

• FortiOS: Upgrade to 7.0.17 or later. 

• FortiProxy: Upgrade to 7.0.20, 7.2.13, or later. 

If you have already applied patches for CVE-2024-55591, your system is also protected against CVE-2025-24472. 

If you cannot apply patches right away, consider the following temporary mitigations: 

Restrict Administrative Interface Access 

• Disable HTTP/HTTPS administrative access from the internet. 

• Restrict admin access to trusted IP addresses (e.g., internal networks or VPN-only access). 

ADDITIONAL SERVICE OFFERINGS

• Fusion MXDR  is the first MDR offering that fuse together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity – one that is greater than the sum of its parts.
  
• Security Information and Event Management (SIEM) - Minimizing the impact of a successful ransomware or malware attack requires detecting it as early in the attack as possible. A Security Information and Event Management (SIEM) system can help an organization to accomplish this. Avertium offers a comprehensive SIEM-based approach that increases the potential for detecting a ransomware infection before it deploys. SIEM provides a holistic overview of a company’s IT environment from a single point of view in terms of its specific security events, empowering teams to detect and analyze unusual behavior. 
• Avertium aligns your Cybersecurity Strategy with your business strategy, ensuring that your investment in security is also an investment in your business. Our Cybersecurity Strategy service includes:  
  • Strategic Security Assessments - Strengthening your security posture begins with knowing where your current program stands (NIST CSF, Security Architecture, Business Impact Analysis, Sensitive Data Inventory, Network Virtualization and Cloud Assessment). 
  • Threat Mapping – Leverage Avertium’s Cyber Threat Intelligence, getting a more informed view of your most likely attack scenarios (Threat Assessment and MITRE ATT&CK). 
  • Cyber Maturity Roadmap - Embrace a comprehensive, quantifiable, and well-organized approach to establishing and continuously enhancing your cybersecurity resilience (Policy + Procedure Development, Virtual CISO (VCISO), Training + Enablement, Tabletop Exercises, and Business Continuity + Disaster Recovery Plan).

SUPPORTING DOCUMENTATION