CVE-2025-24472: 
FortiOS vulnerability analysis and mitigation

An Authentication Bypass Using an Alternate Path or Channel vulnerability (CVE-2025-24472) affects FortiOS 7.0.0 through 7.0.16 and FortiProxy versions 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12. The vulnerability was disclosed on February 11, 2025, and allows remote attackers to gain super-admin privileges via crafted CSF proxy requests (Fortinet PSIRT, NVD).

The vulnerability is classified as CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and has received a CVSS v3.1 base score of 8.1 HIGH (Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H). The flaw specifically involves the CSF proxy requests mechanism, which can be exploited to bypass authentication controls (NVD, Fortinet PSIRT).

Successful exploitation of this vulnerability allows remote attackers to gain super-admin privileges on affected devices. Attackers can create admin accounts with random usernames, establish local user accounts, modify firewall policies, and potentially gain access to internal networks through SSL VPN tunnels (Bleeping Computer, Fortinet PSIRT).

Fortinet has released patches in FortiOS 7.0.17 or above and FortiProxy 7.0.20/7.2.13 or above. For systems that cannot be immediately updated, Fortinet recommends either disabling the HTTP/HTTPS administrative interface or limiting IP addresses that can reach the administrative interface via local-in policies. Additionally, administrators can disable Security Fabric from the CLI using 'Config system csf Set status disable' (Fortinet PSIRT).

The disclosure of CVE-2025-24472 initially caused confusion in the cybersecurity community due to unclear messaging about its exploitation status. Security researchers emphasized the importance of proper system hardening and noted that similar vulnerabilities have affected other firewall vendors (Bleeping Computer).