Back to KEVs

CVE-2025-24472

An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS 7.0.0 through 7.0.16 and FortiProxy 7.2.0...

Basic Information

CVE State
PUBLISHED
Reserved Date
January 21, 2025
Published Date
February 11, 2025
Last Updated
March 18, 2025
Vendor
Fortinet
Product
FortiOS, FortiProxy
Description
An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS 7.0.0 through 7.0.16 and FortiProxy 7.2.0 through 7.2.12, 7.0.0 through 7.0.19 may allow a remote attacker to gain super-admin privileges via crafted CSF proxy requests.
Tags
ios cisa malware ransomware edge

CVSS Scores

CVSS v3.1

8.1 - HIGH

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:X/RC:C

SSVC Information

Exploitation
active
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (2025-03-18 00:00:00 UTC) Source
Used in Malware
Yes (added 2025-03-18 00:00:00 UTC) Source

References

https://fortiguard.fortinet.com/psirt/FG-IR-24-535

Known Exploited Vulnerability Information

Source Added Date
CISA 2025-03-18 00:00:00 UTC

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Exploit Used in Malware

  • Added to KEVIntel