CVE-2025-24472 | Attaxion

CISA Known Exploited Vulnerability (KEV)

Name

Fortinet FortiOS and FortiProxy Authentication Bypass Vulnerability

Exploit added

March 18, 2025

Action due

April 8, 2025

Action required

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Description

An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS 7.0.0 through 7.0.16 and FortiProxy 7.2.0 through 7.2.12, 7.0.0 through 7.0.19 may allow a remote attacker to gain super-admin privileges via crafted CSF proxy requests.

References

https://fortiguard.fortinet.com/psirt/FG-IR-24-535

Weakness Enumeration

CWE-ID	CWE Name
CWE-288	Authentication Bypass Using an Alternate Path or Channel
CWE-306	Missing Authentication for Critical Function

Known Affected Software Configurations

cpe:2.3:a:fortinet:fortiproxy:2.0.15:::::::*
cpe:2.3:a:fortinet:fortiproxy:7.0.19:::::::*
cpe:2.3:a:fortinet:fortiproxy:7.2.12:::::::*
cpe:2.3:a:fortinet:fortiproxy:7.2.13:::::::*
cpe:2.3:a:fortinet:fortiproxy:7.0.20:::::::*
cpe:2.3:o:fortinet:fortios:7.4.5:::::::*
cpe:2.3:a:fortinet:fortiproxy:2.0.14:::::::*
cpe:2.3:a:fortinet:fortiproxy:7.4.2:::::::*
cpe:2.3:a:fortinet:fortiproxy:7.2.11:::::::*
cpe:2.3:a:fortinet:fortiproxy:7.0.12:::::::*
cpe:2.3:o:fortinet:fortios:7.4.4:::::::*
cpe:2.3:a:fortinet:fortiproxy:7.4.5:::::::*
cpe:2.3:a:fortinet:fortiproxy:2.0.11:::::::*
cpe:2.3:a:fortinet:fortiproxy:7.2.6:::::::*
cpe:2.3:o:fortinet:fortios:7.2.9:::::::*
cpe:2.3:a:fortinet:fortiproxy:7.0.16:::::::*
cpe:2.3:a:fortinet:fortiproxy:2.0.13:::::::*
cpe:2.3:a:fortinet:fortiproxy:7.2.10:::::::*
cpe:2.3:a:fortinet:fortiproxy:7.2.7:::::::*
cpe:2.3:a:fortinet:fortiproxy:7.0.18:::::::*
cpe:2.3:o:fortinet:fortios:6.0.18:::::::*
cpe:2.3:a:fortinet:fortiproxy:7.0.13:::::::*
cpe:2.3:a:fortinet:fortiproxy:7.4.4:::::::*
cpe:2.3:o:fortinet:fortios:7.0.15:::::::*
cpe:2.3:a:fortinet:fortiproxy:7.0.17:::::::*
cpe:2.3:o:fortinet:fortios:7.2.8:::::::*
cpe:2.3:o:fortinet:fortios:7.4.1:::::::*
cpe:2.3:o:fortinet:fortios:7.4.3:::::::*
cpe:2.3:o:fortinet:fortios:7.0.13:::::::*
cpe:2.3:o:fortinet:fortios:7.4.2:::::::*
cpe:2.3:o:fortinet:fortios:7.2.6:::::::*
cpe:2.3:a:fortinet:fortiproxy:7.2.8:::::::*
cpe:2.3:o:fortinet:fortios:7.0.14:::::::*
cpe:2.3:a:fortinet:fortiproxy:7.4.3:::::::*
cpe:2.3:a:fortinet:fortiproxy:7.2.9:::::::*
cpe:2.3:o:fortinet:fortios:6.4.15:::::::*
cpe:2.3:a:fortinet:fortiproxy:7.0.14:::::::*
cpe:2.3:o:fortinet:fortios:7.2.7:::::::*
cpe:2.3:a:fortinet:fortiproxy:7.0.15:::::::*
cpe:2.3:o:fortinet:fortios:6.2.16:::::::*
cpe:2.3:a:fortinet:fortiproxy:7.4.1:::::::*
cpe:2.3:a:fortinet:fortiproxy:7.4.0:::::::*
cpe:2.3:o:fortinet:fortios:7.4.0:::::::*
cpe:2.3:o:fortinet:fortios:6.4.14:::::::*
cpe:2.3:o:fortinet:fortios:6.2.15:::::::*
cpe:2.3:a:fortinet:fortiproxy:7.2.5:::::::*
cpe:2.3:a:fortinet:fortiproxy:7.0.11:::::::*
cpe:2.3:o:fortinet:fortios:7.0.12:::::::*
cpe:2.3:o:fortinet:fortios:7.2.5:::::::*
cpe:2.3:a:fortinet:fortiproxy:7.2.4:::::::*
cpe:2.3:a:fortinet:fortiproxy:7.0.10:::::::*
cpe:2.3:o:fortinet:fortios:6.0.17:::::::*
cpe:2.3:o:fortinet:fortios:6.2.14:::::::*
cpe:2.3:a:fortinet:fortiproxy:7.2.3:::::::*
cpe:2.3:a:fortinet:fortiproxy:7.0.9:::::::*
cpe:2.3:a:fortinet:fortiproxy:2.0.12:::::::*
cpe:2.3:o:fortinet:fortios:6.4.13:::::::*
cpe:2.3:o:fortinet:fortios:7.0.11:::::::*
cpe:2.3:o:fortinet:fortios:7.0.10:::::::*
cpe:2.3:o:fortinet:fortios:6.4.12:::::::*
cpe:2.3:o:fortinet:fortios:6.2.13:::::::*
cpe:2.3:o:fortinet:fortios:7.0.9:::::::*
cpe:2.3:o:fortinet:fortios:6.4.11:::::::*
cpe:2.3:o:fortinet:fortios:6.0.16:::::::*
cpe:2.3:o:fortinet:fortios:6.0.15:::::::*
cpe:2.3:o:fortinet:fortios:7.2.3:::::::*
cpe:2.3:o:fortinet:fortios:7.2.4:::::::*
cpe:2.3:o:fortinet:fortios:7.0.8:::::::*
cpe:2.3:a:fortinet:fortiproxy:7.2.2:::::::*
cpe:2.3:a:fortinet:fortiproxy:7.0.8:::::::*
cpe:2.3:a:fortinet:fortiproxy:7.2.1:::::::*
cpe:2.3:o:fortinet:fortios:6.2.12:::::::*
cpe:2.3:o:fortinet:fortios:6.4.10:::::::*
cpe:2.3:a:fortinet:fortiproxy:2.0.4:::::::*
cpe:2.3:a:fortinet:fortiproxy:2.0.5:::::::*
cpe:2.3:a:fortinet:fortiproxy:2.0.6:::::::*
cpe:2.3:a:fortinet:fortiproxy:2.0.7:::::::*
cpe:2.3:a:fortinet:fortiproxy:2.0.8:::::::*
cpe:2.3:a:fortinet:fortiproxy:2.0.9:::::::*
cpe:2.3:a:fortinet:fortiproxy:2.0.10:::::::*
cpe:2.3:a:fortinet:fortiproxy:1.2.12:::::::*
cpe:2.3:a:fortinet:fortiproxy:1.2.13:::::::*
cpe:2.3:o:fortinet:fortios:7.2.2:::::::*
cpe:2.3:o:fortinet:fortios:7.0.7:::::::*
cpe:2.3:a:fortinet:fortiproxy:7.0.7:::::::*
cpe:2.3:a:fortinet:fortiproxy:7.0.3:::::::*
cpe:2.3:a:fortinet:fortiproxy:7.0.4:::::::*
cpe:2.3:a:fortinet:fortiproxy:7.0.5:::::::*
cpe:2.3:a:fortinet:fortiproxy:7.0.6:::::::*
cpe:2.3:a:fortinet:fortiproxy:7.2.0:::::::*
cpe:2.3:o:fortinet:fortios:7.2.1:::::::*
cpe:2.3:o:fortinet:fortios:7.2.0:::::::*
cpe:2.3:o:fortinet:fortios:7.0.5:::::::*
cpe:2.3:o:fortinet:fortios:7.0.6:::::::*
cpe:2.3:o:fortinet:fortios:6.2.11:::::::*
cpe:2.3:a:fortinet:fortiproxy:7.0.1:::::::*
cpe:2.3:a:fortinet:fortiproxy:7.0.2:::::::*
cpe:2.3:o:fortinet:fortios:7.0.4:::::::*
cpe:2.3:o:fortinet:fortios:7.0.3:::::::*
cpe:2.3:o:fortinet:fortios:6.4.8:::::::*

Details

Source:
NVD

Published:
February 11, 2025

Updated:
March 19, 2025

Risk information

CVSS v3

Base score:
8.1

Severity:

HIGH

Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2

Not defined