New Critical Vulnerability in Fortinet Systems Allows Attackers to Take Over Firewalls and Gain Super Admin Privileges

Another dangerous vulnerability has been discovered in the world of cybersecurity. Fortinet, one of the leading cybersecurity companies, has confirmed the discovery of a new critical authentication bypass vulnerability (CVE-2025-24472) in its FortiOS and FortiProxy products, which has already been exploited by attackers. This vulnerability allows threat actors to obtain super admin privileges by sending specially crafted CSF proxy requests.

The vulnerability affects FortiOS versions 7.0.0 to 7.0.16 and FortiProxy versions 7.0.0 to 7.0.19 and 7.2.0 to 7.2.12.

Fortinet has urgently released security updates to mitigate this critical vulnerability and strongly recommends that all users install the necessary patches immediately.

According to reports, attackers are already exploiting this vulnerability, gaining unauthorized access to corporate networks and taking control of Fortinet firewalls.

With this vulnerability, cybercriminals can:

🔴 Create unauthorized admin and local user accounts.
🔴 Modify and manipulate firewall security policies.
🔴 Add attacker-created accounts to SSL VPN user groups.
🔴 Establish hidden tunnels to gain access to internal networks.

Fortinet has stated that the vulnerability is exploited through malicious Node.js WebSocket module requests or CSF proxy requests.

Previously, Fortinet had disclosed another zero-day vulnerability (CVE-2024-55591), which also affected the Node.js WebSocket module and allowed attackers to gain super admin privileges through crafted requests.

Research shows that attackers follow a step-by-step attack strategy. According to reports from Arctic Wolf, the attack consists of four main stages:

1️⃣ Vulnerability Scanning (November 16–23, 2024): Attackers scan the internet for exposed Fortinet devices.

2️⃣ Reconnaissance (November 22–27, 2024): Further investigation is conducted on identified systems.

3️⃣ SSL VPN Configuration (December 4–7, 2024): Attackers modify the VPN configuration to create backdoors.

4️⃣ Lateral Movement (December 16–27, 2024): Attackers move within the internal network and steal sensitive data.

This step-by-step strategy allows attackers to infiltrate corporate networks without raising alarms and take control of internal infrastructure.

Fortinet strongly advises users to take the following precautionary measures:

✅ Update FortiOS to version 7.0.17 or higher.
✅ Update FortiProxy to version 7.2.13 or higher (or 7.0.20 for earlier versions).
✅ If immediate updates are not possible, disable HTTP/HTTPS admin interfaces or restrict access to trusted IP addresses only.
✅ Limit public internet access to firewall management interfaces.
✅ Monitor logs and network activity for unusual behavior.

Fortinet also recommends checking for signs of exploitation, such as newly created admin accounts, unexpected configuration changes, and suspicious SSL VPN activity.

Attacks targeting the CVE-2025-24472 vulnerability continue, posing a serious threat to Fortinet users. Organizations using vulnerable Fortinet systems must immediately update their systems or implement recommended security measures.

Every cybersecurity vulnerability provides new opportunities for attackers. Organizations must regularly audit their systems, enforce strong security policies, and keep their software up to date to minimize risks and prevent cyberattacks.

This incident once again highlights the critical importance of securing IT infrastructure and restricting internet exposure of sensitive systems.