Fortinet discloses second authentication bypass vulnerability
Fortinet disclosed CVE-2025-24472 in an updated advisory that confused some in the infosec community because it stated that 'reports show this is being exploited in the wild.'
Fortinet on Tuesday disclosed CVE-2025-24472, another authentication bypass vulnerability in versions of FortiOS and FortiProxy, in an advisory that initially caused confusion in the infosec community.
The new vulnerability was added to the security vendor's advisory for CVE-2024-55591, a similar zero-day vulnerability disclosed and patched last month that affects FortiOS versions 7.0.0 through 7.0.16, FortiProxy versions 7.0.0 through 7.0.19, and FortiProxy versions 7.2.0 through 7.2.12. Of CVE-2024-55591, Fortinet said in its advisory that the vulnerability "may allow a remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module or via crafted CSF proxy requests."
CVE-2025-24472 is described on CVE.org in much the same way, but compared with CVE-2024-55591's critical severity CVSS v3.1 base score of 9.6, the new flaw was given a high severity score of 8.1.
The updated advisory, which tracks both CVEs internally as FG-IR-24-535, states that "reports show this is being exploited in the wild," which initially created confusion among some cybersecurity vendors and news outlets that described CVE-2025-24472 as a zero-day flaw. However, a Fortinet spokesperson told Informa TechTarget that the company has not received reports of CVE-2025-24472 being exploited in the wild yet, despite the language in the advisory.
Patches for both flaws are available now and are the only complete fix. The advisory does, however, list workarounds: a customer can disable the HTTP/HTTPS administrative interface or restrict the IP addresses that are allowed to reach it. Instructions for doing so are available as part of the advisory, as are IOCs.
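The two workarounds above (turning off web administration on exposed interfaces and limiting which source addresses may reach the admin interface) are the kind of thing a defender wants to verify across a fleet rather than check by hand. The following script is an example added to this article, not code from Fortinet or from the advisory. It parses a small constructed configuration snippet laid out like a FortiOS configuration export (the `config system interface` / `config system admin` blocks, the `allowaccess`, `role` and `trusthostN` settings) and flags interfaces that still expose HTTP/HTTPS administration on a WAN-role port and admin accounts that have no trusted-host restriction. The exact export layout is assumed; adapt the parser if a real backup differs.

```python
"""Audit a FortiOS-style configuration export for the two advisory workarounds.

Added example, not Fortinet tooling. SAMPLE_CONFIG below is constructed and
mirrors the layout of a FortiOS configuration backup (that layout is an
assumption made for this example).
"""

# Constructed sample: one WAN interface that still allows HTTP/HTTPS admin access,
# one LAN interface, one admin with a trusted host, one admin without.
SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set vdom "root"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh http
        set role wan
    next
    edit "internal"
        set vdom "root"
        set ip 10.10.0.1 255.255.255.0
        set allowaccess ping https ssh
        set role lan
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 10.10.0.0 255.255.255.0
    next
    edit "helpdesk"
        set accprofile "super_admin"
    next
end
"""

# Protocols that expose the web administrative interface.
ADMIN_WEB = {"http", "https"}


def parse_sections(text):
    """Return {section: {entry: {key: [values]}}} for each top-level config block.

    Handles the flat 'config ... edit ... set ... next ... end' shape used in the
    sample; nested config blocks are not needed for this check.
    """
    sections = {}
    current = None
    entry = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            current = line[len("config "):]
            sections[current] = {}
        elif line.startswith("edit ") and current is not None:
            entry = line[len("edit "):].strip('"')
            sections[current][entry] = {}
        elif line.startswith("set ") and entry is not None:
            key, _, rest = line[len("set "):].partition(" ")
            sections[current][entry][key] = rest.replace('"', "").split()
        elif line == "next":
            entry = None
        elif line == "end":
            current = None
    return sections


def audit(text):
    """Return a list of (object_type, name, finding) tuples for the two workarounds."""
    cfg = parse_sections(text)
    findings = []

    # Workaround 1: no HTTP/HTTPS admin access on internet-facing (WAN-role) interfaces.
    for name, attrs in cfg.get("system interface", {}).items():
        exposed = ADMIN_WEB & set(attrs.get("allowaccess", []))
        role = attrs.get("role", ["undefined"])[0]
        if exposed and role == "wan":
            findings.append((
                "interface", name,
                "admin web access (%s) enabled on WAN-role interface" % ",".join(sorted(exposed)),
            ))

    # Workaround 2: every admin account restricted to trusted source addresses.
    for name, attrs in cfg.get("system admin", {}).items():
        if not any(key.startswith("trusthost") for key in attrs):
            findings.append(("admin", name, "no trusthost restriction"))

    return findings


if __name__ == "__main__":
    for obj_type, name, finding in audit(SAMPLE_CONFIG):
        print(f"[{obj_type}] {name}: {finding}")
```

Run against the sample, the script reports `wan1` for exposed web administration and `helpdesk` for missing trusted hosts, while `internal` (LAN role) and `admin` (trusted host set) pass. Pointing it at a real export from a device patched per FG-IR-24-535 is a quick way to confirm the workarounds were not quietly reverted after the upgrade.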
The Fortinet spokesperson said, "If the customer upgraded previously based on the guidance in FG-IR-24-535 / CVE-2024-55591 published in January, then they are already protected against the vulnerability." This suggests CVE-2025-24472 was patched in January but not disclosed until Tuesday. Informa TechTarget asked for clarification on this point, and on why the company seemingly decided to delay disclosure, but Fortinet did not comment.
Regarding the nature of CVE-2025-24472 compared with CVE-2024-55591, the Fortinet spokesperson said CVE-2025-24472 "is only an update to the previous advisory FG-IR-24-535 to include the CVE and acknowledgement," suggesting it is a related issue.
According to a timeline within the updated FG-IR-24-535 advisory, Fortinet added an acknowledgement of a watchTowr researcher named "Sonny," who is credited with reporting "the CSF related vulnerability under responsible disclosure."
Informa TechTarget asked the vendor for further clarification.
Alexander Culafi is a senior information security news writer and podcast host for Informa TechTarget.