Fortinet FortiOS & FortiProxy Zero-Day Exploited to Hijack Firewall & Gain Super Admin Access

Cybersecurity firm Fortinet has issued an urgent warning regarding a newly discovered zero-day authentication bypass vulnerability (CVE-2025-24472) affecting its FortiOS and FortiProxy products.

This critical flaw enables remote attackers to obtain super-admin privileges by exploiting maliciously crafted CSF proxy requests.

The vulnerability impacts FortiOS versions 7.0.0 through 7.0.16, as well as FortiProxy versions 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12. The flaw has reportedly been exploited in the wild, allowing attackers to hijack Fortinet firewalls and infiltrate enterprise networks.

Fortinet 0-Day Vulnerability Exploitation

According to Fortinet, attackers have been observed leveraging the vulnerability to create rogue administrator or local user accounts on compromised devices.

These accounts are then used to modify firewall policies and gain access to SSL VPN user groups, enabling unauthorized tunneling into internal corporate networks.

Fortinet explained, “An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS and FortiProxy may allow a remote attacker to gain super-admin privileges via crafted requests to the Node.js websocket module or via crafted CSF proxy requests.”

This disclosure follows a previous advisory regarding another zero-day vulnerability (CVE-2024-55591), which also permitted attackers to gain super-admin privileges through targeted malicious requests exploiting the Node.js websocket module.

Cybersecurity firm Arctic Wolf has identified indicators of compromise (IOCs) linked to these vulnerabilities, confirming that attackers have been targeting internet-exposed management interfaces on Fortinet devices since mid-November 2024.

Their analysis reveals a structured attack campaign with multiple phases: Vulnerability Scanning (November 16-23), Reconnaissance (November 22-27), SSL VPN Configuration (December 4-7), and Lateral Movement (December 16-27).

Arctic Wolf observed unauthorized administrative logins, new account creations, and configuration modifications across multiple victim organizations.

“The campaign involved unauthorized administrative logins on firewall management interfaces, the creation of new accounts, SSL VPN authentication via those accounts, and various other configuration changes,” the firm stated.

Mitigation and Security Recommendations

Fortinet has rolled out critical security updates to address the vulnerability and is urging administrators to apply patches to affected devices immediately:

• Upgrade FortiOS to version 7.0.17 or higher
• Upgrade FortiProxy to version 7.2.13 or higher (or 7.0.20 for earlier branches)

For organizations unable to patch immediately, Fortinet strongly recommends disabling HTTP/HTTPS administrative interfaces or restricting access to trusted IP addresses using local-in policies.

“While the initial access vector is not definitively confirmed, a zero-day vulnerability is highly probable. Organizations should urgently disable firewall management access on public interfaces as soon as possible,” Fortinet advised.

Enterprises using affected versions must act swiftly to mitigate risks by applying patches or implementing the recommended workarounds. Additionally, security teams should monitor network activity for anomalies and review logs for any signs of unauthorized access.

Find this News Interesting! Follow us on Google News, LinkedIn, and X to Get Instant Updates!