A critical vulnerability affecting Fortinet’s FortiOS and FortiProxy systems has been identified, allowing attackers to bypass authentication and gain super-admin privileges.
The flaw, classified as an “Authentication Bypass Using an Alternate Path or Channel” (CWE-288), has been assigned CVE-2024-55591 and CVE-2025-24472 with a CVSSv3 severity score of 9.6.
Exploitation of this vulnerability could enable unauthorized access, allowing attackers to execute arbitrary commands or modify system configurations.
Reports confirm that this vulnerability is actively being exploited in the wild. The vulnerability impacts specific versions of FortiOS and FortiProxy.
For FortiOS, versions 7.0.0 through 7.0.16 are affected, with users advised to upgrade to version 7.0.17 or later.
Similarly, for FortiProxy, versions 7.2.0 through 7.2.12 and 7.0.0 through 7.0.19 are vulnerable, requiring upgrades to versions 7.2.13 or 7.0.20 and above, respectively.
Other versions, including FortiOS 7.6 and 6.4, as well as FortiProxy 7.6 and 2.0, are not affected by the issue.
Indicators of Compromise
The exploitation involves crafted requests targeting the Node.js WebSocket module or CSF proxy requests, enabling attackers to create super-admin accounts on affected devices without proper authentication checks.
Observed attack patterns include the creation of local user accounts with random usernames, modification of firewall policies, and establishment of SSL VPN tunnels for internal network access.
Log entries indicating suspicious activity include successful admin logins via “jsconsole” with random script parameters and the creation of admin accounts with seemingly arbitrary usernames such as “Gujhmk” or “Ed8x4k.”
Additionally, IP addresses like 45.55.158.47 and 87.249.138.47 have been associated with these attacks, although the provided IPs are often arbitrarily generated by attackers.
Mitigation
Fortinet recommends immediate action to mitigate risks associated with this vulnerability.
Administrators should upgrade affected systems to secure versions as outlined in the advisory documentation using Fortinet’s upgrade tool.
As a temporary workaround, disabling HTTP/HTTPS administrative interfaces or restricting access to trusted IP addresses via local-in policies can reduce exposure.
Further recommendations include disabling the Security Fabric feature through CLI commands (config system csf; set status disable; end) and ensuring all admin accounts use non-standard usernames that are difficult to guess to limit brute-force attempts.
Fortinet emphasizes that while these measures reduce risk, upgrading to patched firmware remains the most effective solution for addressing this critical issue.
Fortinet credited Sonny from watchTowr for responsibly disclosing the CSF-related vulnerability and provided updates on mitigation strategies over time, including clarifications on attack parameters and best practices for securing administrative interfaces.
This vulnerability underscores the importance of proactive patch management and vigilance against emerging threats targeting critical infrastructure components like firewalls and proxies in enterprise environments.
