CVE-2025-24472

Published: Feb 11, 2025Modified: Oct 24, 2025CISA KEV

8.1

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.2 / Impact: 5.9

Source: psirt@fortinet.com (Secondary)

Description

An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS 7.0.0 through 7.0.16 and FortiProxy 7.2.0 through 7.2.12, 7.0.0 through 7.0.19 may allow a remote unauthenticated attacker with prior knowledge of upstream and downstream devices serial numbers to gain super-admin privileges on the downstream device, if the Security Fabric is enabled, via crafted CSF proxy requests.

Affected (3)

Products: Fortinet: Fortios, Fortiproxy

2 products

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Fortinet Fortios	From 7.0.0 to 7.0.17
Fortinet Fortiproxy	From 7.0.0 to 7.0.20
Fortinet Fortiproxy	From 7.2.0 to 7.2.13

Related CWEs

Authentication Bypass Using an Alternate Path or Channel

A product requires authentication, but the product has an alternate path or channel that does not require authentication.

References (2)

https://fortiguard.fortinet.com/psirt/FG-IR-24-535

Source: psirt@fortinet.com

Vendor Advisory

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-24472

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

US Government Resource

Timeline

No history available yet.