A critical vulnerability in Fortinet’s FortiOS and FortiProxy products has been identified, enabling attackers to bypass authentication and gain super-admin access.
The flaw, classified as an Authentication Bypass Using an Alternate Path or Channel (CWE-288), is actively being exploited in the wild.
This vulnerability allows remote attackers to manipulate Node.js WebSocket modules or craft Cross-Site Forgery (CSF) proxy requests, potentially compromising the integrity of affected systems.
The issue impacts specific versions of FortiOS and FortiProxy.
For FortiOS, versions 7.0.0 through 7.0.16 are vulnerable, with users advised to upgrade to version 7.0.17 or higher.
Similarly, for FortiProxy, versions 7.2.0 through 7.2.12 and 7.0.0 through 7.0.19 are affected, requiring updates to versions 7.2.13 or 7.0.20, respectively.
Attack Patterns
In observed incidents, threat actors have exploited this vulnerability to perform unauthorized actions on compromised devices.
These include creating admin accounts with random usernames, adding local users to SSL VPN groups, modifying firewall settings, and establishing tunnels into internal networks via SSL VPNs.
Key indicators of compromise (IoCs) include unusual login activity logs showing successful admin logins from arbitrary IP addresses such as 1.1.1.1, 127.0.0.1, and others, as well as logs of admin account creation with seemingly random usernames like “Gujhmk” or “Ed8x4k.”
Notably, attackers have also utilized specific IP addresses such as 45.55.158.47 and 87.249.138.47 during these operations.
Administrators are advised not to rely on blocking these IP addresses directly since they are often arbitrarily generated by attackers as parameters rather than actual source IPs.
Mitigation Measures
To mitigate the risk of exploitation, administrators should immediately disable HTTP/HTTPS administrative interfaces or restrict access using local-in policies that limit connections to trusted IP addresses only.
Configuring non-default ports for administrative access and employing non-standard usernames for admin accounts can provide additional layers of protection.
Fortinet also recommends disabling the Security Fabric via the CLI for systems impacted by CSF-related vulnerabilities:
config system csf
set status disable
endWhile these measures reduce exposure, upgrading affected systems to the latest patched versions remains the most effective solution.
The vulnerability has been assigned CVE-2024-55591 and CVE-2025-24472, with a CVSSv3 score of 9.6, indicating its critical severity level due to the potential for unauthorized code execution or command injection.
Fortinet acknowledges Sonny from watchTowr for responsibly disclosing the CSF-related vulnerability and has provided updates addressing this issue as of February 11, 2025.
Organizations using affected Fortinet products should act promptly to secure their systems against this critical threat vector to minimize risks of unauthorized access and potential data breaches.
Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free
