Back to KEVs

CVE-2025-24472

An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS 7.0.0 through 7.0.16 and FortiProxy...

Basic Information

CVE State
PUBLISHED
Reserved Date
January 21, 2025
Published Date
February 11, 2025
Last Updated
August 07, 2025
Vendor
Fortinet
Product
FortiProxy, FortiOS
Description
An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS 7.0.0 through 7.0.16 and FortiProxy 7.2.0 through 7.2.12, 7.0.0 through 7.0.19 may allow a remote unauthenticated attacker with prior knowledge of upstream and downstream devices serial numbers to gain super-admin privileges on the downstream device, if the Security Fabric is enabled, via crafted CSF proxy requests.
Tags
ios cisa malware ransomware edge

CVSS Scores

CVSS v3.1

8.1 - HIGH

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:X/RC:C

SSVC Information

Exploitation
active
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (2025-03-18 00:00:00 UTC) Source
Used in Malware
Yes (added 2025-03-18 00:00:00 UTC) Source

References

https://fortiguard.fortinet.com/psirt/FG-IR-24-535

Known Exploited Vulnerability Information

Source Added Date
CISA 2025-03-18 00:00:00 UTC

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Exploit Used in Malware

  • Added to KEVIntel