{"id":2696,"date":"2025-03-19T10:03:33","date_gmt":"2025-03-19T10:03:33","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/03\/19\/cisa-warns-of-fortinet-fortios-authentication-bypass-vulnerability-exploited-in-wild\/"},"modified":"2025-03-19T10:03:33","modified_gmt":"2025-03-19T10:03:33","slug":"cisa-warns-of-fortinet-fortios-authentication-bypass-vulnerability-exploited-in-wild","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/03\/19\/cisa-warns-of-fortinet-fortios-authentication-bypass-vulnerability-exploited-in-wild\/","title":{"rendered":"CISA Warns of Fortinet FortiOS Authentication Bypass Vulnerability Exploited in Wild"},"content":{"rendered":"<p>CISA Warns of Fortinet FortiOS Authentication Bypass Vulnerability Exploited in Wild<\/p>\n<div>\n<p>The Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical security alert highlighting a significant vulnerability in Fortinet\u2019s FortiOS and FortiProxy systems, which threat actors are actively exploiting.<\/p>\n<p>The authentication bypass vulnerability, tracked as <a href=\"https:\/\/cybersecuritynews.com\/superblack-actors-exploiting-two-fortinet-vulnerabilities\/\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2025-24472<\/a>, has been added to CISA\u2019s Known Exploited Vulnerabilities (KEV) catalog due to evidence of active exploitation in ransomware campaigns.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Fortinet FortiOS Authentication Bypass Vulnerability<\/strong><\/h2>\n<p>The high-severity vulnerability, which carries a CVSS score of 8.1, allows remote attackers to gain super-admin privileges through crafted CSF proxy requests without requiring user interaction.<\/p>\n<p>\u201cAn Authentication Bypass Using an Alternate Path or Channel vulnerability affecting FortiOS and FortiProxy may allow a remote attacker to gain 
super-admin privileges via crafted CSF proxy requests,\u201d states the <a href=\"https:\/\/cybersecuritynews.com\/superblack-actors-exploiting-two-fortinet-vulnerabilities\/\" target=\"_blank\" rel=\"noreferrer noopener\">Fortinet advisory<\/a>.<\/p>\n<p>The vulnerability affects FortiOS versions 7.0.0 through 7.0.16, FortiProxy 7.0.0 through 7.0.19, and FortiProxy 7.2.0 through 7.2.12.<\/p>\n<p>Security experts warn that successful exploitation could give attackers full administrative access to affected systems, including creating rogue admin accounts, modifying firewall policies, and accessing SSL VPNs to penetrate internal networks.<\/p>\n<p>This level of access makes the vulnerability particularly dangerous in the context of ransomware operations.<\/p>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<tbody>\n<tr>\n<td><strong>Risk Factors<\/strong><\/td>\n<td><strong>Details<\/strong><\/td>\n<\/tr>\n<tr>\n<td>Affected Products<\/td>\n<td>FortiOS versions 7.0.0 through 7.0.16<br \/>FortiProxy versions 7.0.0 through 7.0.19<br \/>FortiProxy versions 7.2.0 through 7.2.12<\/td>\n<\/tr>\n<tr>\n<td>Impact<\/td>\n<td>Super-admin privileges<\/td>\n<\/tr>\n<tr>\n<td>Exploit Prerequisites<\/td>\n<td>Remote attack vector (network-based)<br \/>Requires crafted Cooperative Security Fabric (CSF) proxy requests<\/td>\n<\/tr>\n<tr>\n<td>CVSS 3.1 Score<\/td>\n<td>8.1 (High)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<h2 class=\"wp-block-heading\"><strong>Mitigations<\/strong><\/h2>\n<p>CISA is directing organizations to \u201capply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable\u201d.<\/p>\n<p>Fortinet has released patches addressing the vulnerability in FortiOS 7.0.17 or above and FortiProxy 7.0.20\/7.2.13 or above.<\/p>\n<p>For organizations unable to immediately patch, temporary mitigation options include disabling the 
HTTP\/HTTPS administrative interface or implementing IP-based restrictions through local-in policies.<\/p>\n<p>Security teams should also monitor logs for suspicious activities, such as unexplained administrative logins from the \u201cjsconsole\u201d interface or the creation of admin accounts with random usernames.<\/p>\n<p>The <a href=\"https:\/\/www.cisa.gov\/known-exploited-vulnerabilities-catalog\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">KEV catalog<\/a>, maintained by CISA, is an authoritative source of vulnerabilities confirmed to be exploited in the wild. CISA strongly recommends all entities prioritize the remediation of listed vulnerabilities to reduce the risk of compromise.<\/p>\n<p>Organizations are advised to use the KEV catalog as a critical input to their vulnerability management prioritization framework, making it an essential component of effective external attack surface management.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/cisa-fortinet-fortios-authentication\/\">CISA Warns of Fortinet FortiOS Authentication Bypass Vulnerability Exploited in Wild<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Guru Baran<br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/cisa-fortinet-fortios-authentication\/\">Go to cyber-security-news<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>CISA Warns of Fortinet FortiOS Authentication Bypass Vulnerability Exploited in Wild The Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical security alert highlighting a significant vulnerability in Fortinet\u2019s FortiOS and FortiProxy systems, which threat actors are actively exploiting. 
The authentication bypass vulnerability, tracked as CVE-2025-24472, has been added to CISA\u2019s Known Exploited Vulnerabilities [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,131,648],"tags":[130],"class_list":["post-2696","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-vulnerability","category-vulnerability-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/2696"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=2696"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/2696\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=2696"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=2696"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=2696"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}