Select your country

BelgiumBelgium

ChinaChina

DenmarkDenmark

FranceFrance

GermanyGermany

GlobalGlobal

Maghreb & West AfricaMaghreb & West Africa

NetherlandsNetherlands

NorwayNorway

South AfricaSouth Africa

SwedenSweden

SwitzerlandSwitzerland

United KingdomUnited Kingdom

Not finding what you are looking for, select your country from our regional selector:

Search

  1. Orange Cyberdefense
  2. Insights
  3. Blog
  4. CERT-News
  5. New Fortinet exploit CVE-2025-24472 disclosed

New Fortinet exploit CVE-2025-24472 disclosed

CERT

Share

Variant vulnerability disclosed plaguing Fortinet products

Summary

Fortinet amended their advisory for FG-IR-24-535 or CVE-2024-55591, an authentication bypass vulnerability, by including another vulnerability tracked as CVE-2025-24472. The original vulnerability was announced as a 0-day vulnerability and has proof-of-concept exploit code available.

The same attack path reported in the former vulnerability was discovered in the Fortinet Cooperative Security Fabric (CSF). CSF is a proprietary protocol used by Fortinet devices to exchange data and coordinate responses to suspicious behavior.

NOTE: If you already applied the updates for CVE-2024-55591, then CVE-2025-24472 is also fixed.

Fortinet products and versions impacted by CVE-2025-24472 are:

  • FortiOS 7.0 through 7.0.16
  • FortiProxy 7.0.0 through 7.0.19
  • FortiProxy 7.2.0 through 7.2.12

This blog is a follow up on our initial blog published in January 2025 that detailed CVE-2024-55591.

What you should do

It is advised to upgrade as soon as possible to:

  • FortiOS 7.0.17 or newer
  • FortiProxy 7.2.13 / FortiProxy 7.0.20 or newer versions

We advise organizations to immediately disable public access to firewall management interfaces, by limiting the IP addresses that can reach the HTTP/HTTPS administration interface via a local policy to restrict access only to a predefined group on the management interface (e.g., port1).

It is also advised to hunt for suspicious new or updated accounts from mid-November, and check if your devices have any open ports for unknown reasons (particularly 4433, 59449, and 59450).

A IPS rule may have been provided by the vendor but needs to be manually configured.

The Orange Cyberdefense CERT tracks developments regarding this vulnerability and publishes World Watch advisories updates as new relevant information on this matter becomes available. World Watch subscribers can find more details on this topic here. More information on how to subscribe to this service can be found here.  

Orange Cyberdefense’s Datalake platform provides access to Indicators of Compromise (IoCs) related to this threat, which are automatically fed into our Managed Threat Detection services. This enables proactive hunting for IoCs if you subscribe to our Managed Threat Detection service that includes Threat Hunting. If you would like us to prioritize addressing these IoCs in your next hunt, please make a request through your MTD customer portal or contact your representative.

Orange Cyberdefense’s MTI [protect] service offers the ability to automatically feed network-related IoCs into your security solutions. To learn more about this service and to find out which firewall, proxy, and other vendor solutions are supported, please get in touch with your Orange Cyberdefense Trusted Solutions representative.

Please feel free to contact Orange Cyberdefense CERT if you suspect any potential compromise or if you require remediation expertise regarding this matter. 

Additional Information

Please review our initial blog published in January 2025 that detailed CVE-2024-55591 as it describes the relevant information that is also applicable to CVE-2025-24472.

Beyond Vulnerability Management

The latest Security Navigator 2025 from Orange Cyberdefense underscores the growing risks associated with unpatched vulnerabilities, highlighting the need for organizations to adopt a proactive approach to vulnerability management. 

Orange Cyberdefense reviewed over 32,000 distinct CVEs in client’s environments, noting that patching delays create substantial risks for exploitation. VPNs and similar technologies are particularly at risk, as they often become prime targets for attackers due to their exposure and critical role in securing organizational networks. 

To address these risks, Orange Cyberdefense advocates for adopting a threat-informed approach, including: 

  • Prioritization Using Advanced Tools: Leveraging systems like the Exploit Prediction Scoring System (EPSS) to focus on vulnerabilities most likely to be exploited, including high-severity zero-days. 
  • Vendor Collaboration: Proactively engaging with vendors to expedite patch availability and implementation. 

Incident Response Hotline

Facing cyber incidents right now?

Contact our 24/7/365 world wide service incident response hotline.

CSIRT