Skip to main content

Fortiproxy CVE-2025-24472

HIGH
Authentication Bypass Using an Alternate Path or Channel (CWE-288)
2025-02-11 psirt@fortinet.com
8.1
CVSS 3.1 · Vendor: fortinet
Share

Severity by source

Vendor (fortinet) PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from Vendor (fortinet) · only source for this CVE.

CVSS VectorVendor: fortinet

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Analysis Generated
Mar 28, 2026 - 18:26 vuln.today
Added to CISA KEV
Oct 24, 2025 - 12:53 cisa
CISA KEV
CVE Published
Feb 11, 2025 - 17:15 nvd
HIGH 8.1

DescriptionCVE.org

An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS 7.0.0 through 7.0.16 and FortiProxy 7.2.0 through 7.2.12, 7.0.0 through 7.0.19 may allow a remote unauthenticated attacker with prior knowledge of upstream and downstream devices serial numbers to gain super-admin privileges on the downstream device, if the Security Fabric is enabled, via crafted CSF proxy requests.

AnalysisAI

FortiOS and FortiProxy contain an authentication bypass allowing unauthenticated attackers with knowledge of upstream/downstream device serial numbers to gain super-admin privileges on downstream devices.

Technical ContextAI

The CWE-288 authentication bypass through an alternate channel exploits the trust relationship between FortiGate devices. Knowing the serial numbers (which may be exposed through SNMP, web interface, or network scanning) allows an attacker to craft requests that the downstream device trusts as coming from the upstream management device.

RemediationAI

Upgrade FortiOS/FortiProxy. Restrict SNMP access. Disable serial number display on login pages. Audit firewall configurations for unauthorized modifications.

CVE-2024-55591 CRITICAL POC
9.8 Jan 14

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote

CVE-2024-48884 CRITICAL
9.1 Jan 14

Arbitrary file write and folder deletion in Fortinet FortiManager, FortiOS, and FortiProxy is possible via a path traver

CVE-2022-40684 CRITICAL POC
9.8 Oct 18

An authentication bypass using an alternate path or channel [CWE-288] in Fortinet FortiOS version 7.2.0 through 7.2.1 an

CVE-2024-21762 CRITICAL POC
9.8 Feb 09

A out-of-bounds write in Fortinet FortiOS versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through 7.0.13, 6.4.0

CVE-2023-25610 CRITICAL
9.8 Mar 24

A buffer underwrite ('buffer underflow') vulnerability in the administrative interface of Fortinet FortiOS version 7.2.0

CVE-2023-42789 CRITICAL
9.8 Mar 12

A out-of-bounds write vulnerability in Fortinet FortiOS 7.4.0 through 7.4.1, FortiOS 7.2.0 through 7.2.5, FortiOS 7.0.0

CVE-2024-26011 CRITICAL
9.8 Nov 12

A missing authentication for critical function in Fortinet FortiManager version 7.4.0 through 7.4.2, 7.2.0 through 7.2.4

CVE-2024-23113 CRITICAL
9.8 Feb 15

A use of externally-controlled format string in Fortinet FortiOS versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.

CVE-2023-33308 CRITICAL
9.8 Jul 26

A stack-based overflow vulnerability [CWE-124] in Fortinet FortiOS version 7.0.0 through 7.0.10 and 7.2.0 through 7.2.3

CVE-2023-27997 CRITICAL
9.8 Jun 13

A heap-based buffer overflow vulnerability [CWE-122] in FortiOS version 7.2.4 and below, version 7.0.11 and below, versi

CVE-2022-35843 CRITICAL
9.8 Dec 06

An authentication bypass by assumed-immutable data vulnerability [CWE-302] in the FortiOS SSH login component 7.2.0, 7.0

CVE-2023-44250 HIGH
8.8 Jan 10

An improper privilege management vulnerability [CWE-269] in a Fortinet FortiOS HA cluster version 7.4.0 through 7.4.1 an

Share

CVE-2025-24472 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy