Emerging Threats in Fortinet Firewalls: Authentication Bypass Vulnerabilities
Recent disclosures from Fortinet have highlighted critical vulnerabilities in their FortiOS and FortiProxy products, specifically CVE-2025-24472 and CVE-2024-55591. These vulnerabilities allow remote attackers to gain super-admin privileges through maliciously crafted CSF proxy requests and Node.js websocket module exploits, respectively. The affected versions include FortiOS 7.0.0 through 7.0.16 and FortiProxy 7.0.0 through 7.0.19, with patches available in later versions. Although Fortinet has patched these vulnerabilities, they were actively exploited in the wild, emphasizing the need for immediate action.
The exploitation of these vulnerabilities has been linked to unauthorized administrative access and configuration changes on Fortinet firewalls, as reported by Arctic Wolf Labs. Their investigation revealed a campaign involving multiple phases, including vulnerability scanning, reconnaissance, SSL VPN configuration, and lateral movement, dating back to November 2024. This campaign underscores the persistent threat posed by exposed management interfaces on firewalls.
Organizations using Fortinet products are advised to urgently update their systems to the latest versions to mitigate these risks. For those unable to apply updates immediately, disabling HTTP/HTTPS administrative interfaces or restricting IP access is recommended as a temporary measure. The ongoing threat landscape necessitates vigilance and proactive security measures to protect enterprise networks from potential breaches. Additionally, if there is any indication or suspicion of the vulnerability having been exploited, it is advisable to perform a breach assessment for the environment the Fortinet equipment resides in.
Threats and Vulnerabilities
The authentication bypass vulnerability CVE-2025-24472 in FortiOS and FortiProxy allows attackers to gain super-admin privileges by exploiting CSF proxy requests. This flaw affects FortiOS versions 7.0.0 through 7.0.16 and FortiProxy versions 7.0.0 through 7.0.19, with patches available in subsequent releases. Successful exploitation can lead to unauthorized access and control over network configurations.
CVE-2024-55591, another critical vulnerability in the same Fortinet products, involves exploiting the Node.js websocket module to create rogue admin accounts and modify firewall policies. This vulnerability has been actively exploited since mid-November 2024, with attackers leveraging it to infiltrate enterprise networks via SSL VPNs.
Arctic Wolf Labs' report on the exploitation campaign highlights the adversary’s use of jsconsole across various intrusions, suggesting coordinated efforts by multiple threat actors. The campaign's timeline indicates a structured approach to exploiting these vulnerabilities, with distinct phases of scanning, reconnaissance, configuration, and lateral movement.
Client Impact
Clients using affected Fortinet products may face significant operational disruptions due to unauthorized access and control over their network configurations. The creation of rogue admin accounts and modification of firewall policies can lead to data breaches, financial losses, and reputational damage. Additionally, organizations may encounter regulatory compliance challenges if sensitive data is compromised.
Compliance implications are particularly concerning as unauthorized access could trigger audits or penalties under data protection regulations such as GDPR or CCPA. Organizations must assess their exposure to these vulnerabilities and take immediate steps to secure their systems to avoid potential legal repercussions.
Mitigations
To mitigate the identified risks, clients should consider the following actions:
- Update all FortiOS and FortiProxy systems to the latest patched versions to address CVE-2025-24472 and CVE-2024-55591
- Disable HTTP/HTTPS administrative interfaces on public-facing firewalls or restrict access to trusted IP addresses as a temporary workaround.
- Conduct a thorough review of firewall configurations and user accounts to identify any unauthorized changes or rogue accounts.
- Implement network segmentation to limit lateral movement within the network in case of a breach.
- Regularly monitor network traffic for indicators of compromise (IOCs) associated with these vulnerabilities.
- Engage in continuous security awareness training for IT staff to recognize and respond to potential threats.
By taking these steps, organizations can reduce their risk exposure and enhance their overall security posture. It is crucial for clients to remain vigilant and proactive in addressing emerging threats, ensuring that their systems are protected against potential exploits.
1898 & Co. Response
1898 & Co is actively addressing the current threat landscape by offering specialized services designed to mitigate risks associated with Fortinet vulnerabilities. Our team provides tailored security assessments and patch management solutions to help clients secure their systems against known exploits.
We have updated our security protocols to incorporate the latest threat intelligence and best practices for managing firewall vulnerabilities. Our collaborative efforts with industry experts enable us to deliver timely insights and recommendations to our clients.
Ongoing research and threat intelligence gathering activities are central to our approach, ensuring that we remain at the forefront of emerging cybersecurity challenges. We strive to provide clients with actionable guidance and support in navigating complex security environments.