Comprehensive Analysis of Fortinet Authentication Bypass Vulnerability (CVE-2025-24472)

This report provides an in-depth examination of CVE-2025-24472, a critical authentication bypass vulnerability in Fortinet’s FortiOS and FortiProxy products. The flaw allows unauthenticated remote attackers to gain super-admin privileges via crafted Cooperative Security Fabric (CSF) proxy requests. With a CVSS 9.8/10 severity rating and active exploitation in ransomware campaigns, this vulnerability represents a severe threat to network security infrastructure.

Vulnerability Overview and Technical Analysis

Root Cause and Attack Mechanism
CVE-2025-24472 stems from a missing authentication check in the CSF proxy request handling mechanism. Specifically, the vulnerability exists due to inadequate session validation when processing HTTP/HTTPS requests to the Node.js websocket module. Attackers can forge malicious CSF proxy requests containing spoofed authentication tokens, which the system accepts without proper cryptographic validation. This bypass occurs because the getAdminSession() function fails to verify the local_access_token parameter, allowing arbitrary privilege escalation.

Exploitation requires no credentials or user interaction, enabling attackers to:

1. Send crafted HTTP/S requests to vulnerable FortiOS/FortiProxy instances.
2. Inject forged session tokens impersonating legitimate administrators.
3. Execute arbitrary commands with super-admin privileges directly through the CLI interface.

Affected Product Matrix
| Product | Vulnerable Versions | Patched Versions |
|——————|————————–|———————-|
| FortiOS | 7.0.0 – 7.0.16 | 7.0.17+ |
| FortiProxy | 7.0.0 – 7.0.19 | 7.0.20+ |
| FortiProxy | 7.2.0 – 7.2.12 | 7.2.13+ |

Fortinet confirmed the vulnerability affects only configurations using ASCII authentication; PAP, MSCHAP, and CHAP implementations remain unaffected. The attack surface is particularly severe because compromised firewalls provide threat actors with persistent network access and data exfiltration capabilities.

Threat Intelligence and Active Exploitation

Ransomware Campaigns
Since January 2025, the Mora_001 ransomware group (tied to LockBit operations) has weaponized CVE-2025-24472 in tandem with CVE-2024-55591 to deploy “SuperBlack” ransomware. Attack patterns observed between January–March 2025 demonstrate:

1. Initial Access: Exploitation of internet-exposed FortiGate firewalls within 24 hours of vulnerability disclosure.
2. Lateral Movement: Creation of privileged accounts with randomly generated usernames (e.g., Gujhmk, Ed8x4k) for persistent access.
3. Payload Delivery: Deployment of SuperBlack ransomware within 48 hours of initial compromise, exfiltrating data via SSL-VPN tunnels.

Exploitation Metrics

1. EPSS Score: 7.27% probability of exploitation within 30 days.
2. CISA Confirmation: Added to Known Exploited Vulnerabilities (KEV) catalog on March 18, 2025, with remediation deadlines for federal agencies by April 8, 2025.
3. Attack Volume: Forescout observed 28.3% of vulnerable systems compromised within 24 hours of disclosure during peak campaign activity.

Vendor and Industry Response

Patch Development Timeline

timeline

title Patch Development Timeline
date 2025-01-14 : Vulnerability reported
date 2025-01-24 : Initial patch released (v7.0.17/7.2.7/7.4.3)
date 2025-02-11 : CVE-2025-24472 assigned

date 2025-03-18 : CISA KEV catalog inclusion

Fortinet clarified that CVE-2025-24472 was silently patched in January 2024 alongside CVE-2024-55591, contradicting initial zero-day reports. The confusion arose because both vulnerabilities:

1. Affect identical product versions.
2. Exploit similar attack vectors (CSF proxy/Node.js modules).
3. Were addressed in the same patch bundles.

Mitigation Guidance
For unpatched systems, Fortinet recommends:

1. Disabling HTTP/HTTPS administrative interfaces.
2. Restricting management access to trusted IP addresses.
3. Implementing zero-trust network segmentation for firewall management zones.

Detection Methods and Indicators of Compromise

Indicators of Compromise (IoCs)

1. IP Addresses: 45.55.158.47, 87.249.138.47, 155.133.4.175.
2. User Accounts: Randomly generated admin usernames containing 6-8 alphanumeric characters.
3. Network Signatures: HTTP requests containing local_access_token parameter without valid session cookies.

YARA Detection Rule

rule Fortinet_CVE_2025_24472_Exploit {

meta:
description = "Detects CSF proxy exploit attempts"
reference = "FG-IR-24-535"
strings:
$s1 = "local_access_token" nocase
$s2 = "/api/v2/monitor/vpn/ssl" nocase
$s3 = "exec" nocase
condition:
all of them

}

SIEM Query for Splunk

index=firewall (http_uri="/api/v2/monitor/vpn/ssl" OR http_uri="/ws/cli/")

| search http_method="POST"

| stats count by src_ip, http_user_agent, http_uri

Mitigation and Hardening

Beyond Patching

1. Network Segmentation: Isolate Fortinet management interfaces from internet access using VLANs or physical air-gapping.
2. Access Controls: Implement RADIUS/TACACS+ authentication with MFA for administrative roles, avoiding local-only credentials.
3. Logging Enhancements: Enable detailed CSF proxy and CLI command logging with SIEM integration for anomalous privilege escalation detection.

Compensating Controls

1. Firewall Policies: Block inbound traffic to TCP ports 80/443 for management interfaces.
2. Intrusion Prevention: Deploy signatures for CSF proxy request anomalies (e.g., unusually large local_access_token values).
3. Behavioral Monitoring: Alert on CLI commands like config system admin or execute formatlog from external IPs.

Related Vulnerabilities and Attack Context

Chained Exploitation
Mora_001 operators combined CVE-2025-24472 with CVE-2024-55591 (older FortiOS auth bypass) to:

1. Bypass perimeter defenses using CVE-2025-24472.
2. Disable logging via CVE-2024-55591.
3. Establish SSL-VPN tunnels for ransomware deployment.

This pattern highlights the critical need for comprehensive patch management rather than isolated vulnerability remediation.

Historical Context
Fortinet products face recurrent authentication bypass flaws:

1. CVE-2024-55591: Node.js websocket module exploit (Jan 2025).
2. CVE-2025-0282: TACACS+ credential bypass (May 2025).

These reflect systemic weaknesses in session validation architectures, suggesting broader codebase audits are essential.

Conclusion and Strategic Recommendations

CVE-2025-24472 exemplifies the critical risks in network infrastructure devices, enabling complete network compromise without authentication. The Mora_001 ransomware campaign demonstrates sophisticated weaponization of vulnerabilities within hours of disclosure, with ongoing attacks despite vendor patches.

Critical Actions

1. Immediate Patching: Upgrade to FortiOS 7.0.17+/FortiProxy 7.0.20+/7.2.13+ before CISA’s April 8, 2025 deadline.
2. Compromise Assessment: Search for randomly-named admin accounts ([a-z0-9]{8}) and outbound connections to 45.55.158.47.
3. Defense-in-Depth: Combine network segmentation, MFA-enforced access controls, and behavior-based detection to mitigate unpatched vulnerabilities.

Organizations should prioritize continuous vulnerability scanning for internet-exposed Fortinet devices and integrate threat intelligence feeds tracking Mora_001 TTPs. As ransomware groups increasingly target network appliances, proactive hardening of security infrastructure becomes non-negotiable for enterprise defense.

Future Research Directions

1. Analysis of firmware differences between vulnerable and patched versions to identify root cause fixes.
2. Development of exploit-prevention signatures for legacy FortiOS versions.
3. Economic impact assessment of cross-industry ransomware campaigns exploiting network infrastructure vulnerabilities.