CVE-2025-24472 Overview
CVE-2025-24472 is an authentication bypass vulnerability [CWE-288] affecting Fortinet FortiOS and FortiProxy. The flaw lets a remote unauthenticated attacker gain super-admin privileges on a downstream device through crafted Cluster Synchronization Framework (CSF) proxy requests. Exploitation requires the Security Fabric feature to be enabled and prior knowledge of upstream and downstream device serial numbers. CISA added CVE-2025-24472 to its Known Exploited Vulnerabilities (KEV) catalog, confirming in-the-wild abuse against exposed Fortinet appliances. The vulnerability impacts perimeter security devices, making successful exploitation a direct route to full network compromise.
Critical Impact
Unauthenticated attackers can obtain super-admin access to FortiOS and FortiProxy devices through crafted CSF proxy requests when Security Fabric is enabled.
Affected Products
- Fortinet FortiOS 7.0.0 through 7.0.16
- Fortinet FortiProxy 7.2.0 through 7.2.12
- Fortinet FortiProxy 7.0.0 through 7.0.19
Discovery Timeline
- 2025-02-11 - CVE-2025-24472 published to the National Vulnerability Database
- 2025-02-11 - Fortinet PSIRT advisory FG-IR-24-535 released
- 2025-10-24 - Last updated in NVD database
Technical Details for CVE-2025-24472
Vulnerability Analysis
The vulnerability resides in the Cluster Synchronization Framework (CSF) used to coordinate Security Fabric members. CSF allows upstream and downstream Fortinet devices to relay administrative requests using device serial numbers as routing identifiers. The flaw enables an attacker to forge proxy requests that bypass authentication enforcement on the receiving downstream device. A successful request is processed in a super-admin context without valid credentials. Attackers reaching the management interface can create administrative accounts, modify firewall policies, establish VPN tunnels, and pivot deeper into the protected network. Because the affected products are network security appliances, an authentication bypass converts the device into an attacker foothold at the network perimeter.
Root Cause
The root cause is improper validation of the authentication channel for CSF proxy traffic. FortiOS and FortiProxy treat requests received over the CSF channel as trusted when the requester supplies the correct upstream and downstream serial numbers. Serial numbers are not authentication secrets and can be discovered, leaked, or guessed. The implementation conflates identity assertion with authentication, satisfying the conditions of CWE-288: Authentication Bypass Using an Alternate Path or Channel.
Attack Vector
Exploitation occurs over the network and requires no user interaction or prior credentials. The attacker must reach the device interface exposing CSF and know the serial numbers of both the upstream and downstream Security Fabric members. Refer to the Fortinet PSIRT Advisory FG-IR-24-535 for protocol-level details and indicators.
Detection Methods for CVE-2025-24472
Indicators of Compromise
- Unexpected creation of administrator accounts, particularly with super-admin privileges, in FortiOS or FortiProxy audit logs.
- Inbound connections to the CSF management port from untrusted source addresses or outside the Security Fabric topology.
- New or modified firewall policies, SSL-VPN portals, or local user objects with no corresponding change-management record.
- Configuration changes attributed to administrative sessions lacking a preceding successful login event.
Detection Strategies
- Correlate Fortinet event logs for admin creation events with the absence of paired authentication success entries.
- Monitor for HTTP/HTTPS requests to management endpoints carrying CSF proxy headers from sources outside the trusted fabric.
- Baseline serial-number references in CSF traffic and alert on requests citing serials that do not match the enrolled fabric members.
Monitoring Recommendations
- Forward FortiOS and FortiProxy syslog to a central data lake or SIEM with retention sufficient for retroactive hunts.
- Enable verbose logging for system admin, system csf, and HTTPS administrative access categories.
- Alert on configuration backups, scripted CLI exports, and policy bulk changes occurring outside maintenance windows.
How to Mitigate CVE-2025-24472
Immediate Actions Required
- Upgrade FortiOS and FortiProxy to the fixed versions listed in Fortinet PSIRT advisory FG-IR-24-535.
- Restrict administrative and CSF interfaces to dedicated management networks and trusted source addresses only.
- Audit administrator accounts, API tokens, and local users; remove any unrecognized entries.
- Rotate credentials and review SSL-VPN, IPsec, and policy configurations for unauthorized modifications.
Patch Information
Fortinet has released fixed builds for affected FortiOS 7.0.x and FortiProxy 7.0.x and 7.2.x branches. Apply the versions specified in the Fortinet PSIRT Advisory FG-IR-24-535. CVE-2025-24472 is listed in the CISA Known Exploited Vulnerabilities Catalog, which mandates remediation for U.S. federal agencies under BOD 22-01.
Workarounds
- Disable the Security Fabric (config system csf) on devices where it is not required for operations.
- Limit access to HTTP/HTTPS administrative services using trusthost entries and dedicated management VLANs.
- Place management interfaces behind a VPN or jump host and block exposure to the public internet.
# Restrict administrative access to trusted management hosts
config system admin
edit "admin"
set trusthost1 10.10.10.0 255.255.255.0
next
end
# Disable Security Fabric if not in use
config system csf
set status disable
end
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
