
Authentication Bypass Vulnerability in FortiOS & FortiProxy 

Summary 

A critical authentication bypass vulnerability [CWE-288] has been identified in FortiOS and FortiProxy, tracked as CVE-2025-24472. It affects specific FortiOS and FortiProxy releases (listed below) and is reported as being exploited in the wild.

OEM Fortinet 
Severity Critical 
CVSS 9.6 
CVEs CVE-2025-24472 
Exploited in Wild Yes 
Patch/Remediation Available Yes 
Advisory Version 1.0 

Overview 

This flaw, with a CVSSv3 score of 9.6, could allow a remote attacker to obtain super-admin privileges by sending specially crafted requests to the Node.js WebSocket module or by crafting CSF proxy requests.

Vulnerability Name | CVE ID | Product Affected | Severity | Affected Version
Authentication Bypass Vulnerability | CVE-2025-24472 | FortiOS, FortiProxy | Critical | FortiOS 7.0.0 – 7.0.16; FortiProxy 7.0.0 – 7.0.19; FortiProxy 7.2.0 – 7.2.12

Technical Summary 

CVE ID | Vulnerability Details | Impact
CVE-2025-24472 | An authentication bypass using an alternate path or channel (CWE-288) in the affected FortiOS and FortiProxy releases could allow a remote attacker to obtain super-admin privileges by sending requests to the Node.js WebSocket module or by crafting CSF proxy requests. | Execute unauthorized code or commands

Recommendations

  • Update: Ensure that the appropriate patches or updates are applied to the relevant versions listed below 
Version | Fixes and Releases
FortiOS 7.0.0 – 7.0.16 | Upgrade to 7.0.17 or later
FortiProxy 7.0.0 – 7.0.19 | Upgrade to 7.0.20 or later
FortiProxy 7.2.0 – 7.2.12 | Upgrade to 7.2.13 or later

Workarounds: 

Fortinet provides the following workarounds for devices that cannot be upgraded immediately. They reduce the exposure of the management interface but are not a substitute for the patch, and they must be applied on every interface that exposes the administrative port to an untrusted network. 

  • Disable the HTTP/HTTPS administrative interface 
  • Limit the IP addresses that can reach the administrative interface via local-in policies 

According to Fortinet, attackers exploiting this vulnerability (together with the companion authentication bypass covered by the same Fortinet advisory) have been observed creating admin or local users with random names on affected devices and adding them to new and existing SSL VPN user groups. They have also been seen modifying firewall policies and other configuration settings, and logging in to SSL VPN with previously created rogue accounts “to gain a tunnel to the internal network.”
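The post-exploitation activity described above leaves a trail in FortiGate event logs. The following script is an added example and is not Fortinet's or this page's code: it parses constructed FortiGate-style key="value" event lines (the field names logdesc, user, ui, action, cfgpath, cfgobj, cfgattr and remip follow the FortiOS event log schema; every value, account name and IP address is invented, and the KNOWN_ADMINS / KNOWN_VPN_USERS allowlists are assumptions of the example). It flags creation of admin or local users, SSL VPN user-group edits and firewall policy changes, and raises the severity when an SSL VPN tunnel is later opened by an account that was created earlier in the same log window, which is exactly the rogue-account tunnel pattern Fortinet describes.

```python
import re

# Constructed sample of FortiGate-style event log lines (key="value" syslog format).
# Field names follow the FortiOS event log schema; all values are invented for this example.
SAMPLE_LOGS = [
    'date=2025-02-11 time=03:10:41 type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" ui="https(203.0.113.5)" method="https" srcip=203.0.113.5 msg="Administrator admin logged in successfully from https(203.0.113.5)"',
    'date=2025-02-11 time=03:12:07 type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="jsconsole" action="Add" cfgpath="system.admin" cfgobj="qx7dkz" cfgattr="accprofile[super_admin]" msg="Add system.admin qx7dkz"',
    'date=2025-02-11 time=03:12:31 type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="qx7dkz" ui="https(198.51.100.23)" action="Add" cfgpath="user.local" cfgobj="v8ls2m" cfgattr="type[password]" msg="Add user.local v8ls2m"',
    'date=2025-02-11 time=03:12:55 type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="qx7dkz" ui="https(198.51.100.23)" action="Edit" cfgpath="user.group" cfgobj="sslvpn_users" cfgattr="member[alice bob->alice bob v8ls2m]" msg="Edit user.group sslvpn_users"',
    'date=2025-02-11 time=03:13:20 type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="qx7dkz" ui="https(198.51.100.23)" action="Edit" cfgpath="firewall.policy" cfgobj="7" cfgattr="srcaddr[sslvpn_pool->all]" msg="Edit firewall.policy 7"',
    'date=2025-02-11 time=03:15:02 type="event" subtype="vpn" level="information" vd="root" logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-tunnel" user="v8ls2m" group="sslvpn_users" remip=198.51.100.23 msg="SSL tunnel established"',
    'date=2025-02-11 time=08:02:17 type="event" subtype="vpn" level="information" vd="root" logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-tunnel" user="alice" group="sslvpn_users" remip=192.0.2.44 msg="SSL tunnel established"',
    'date=2025-02-11 time=09:30:00 type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="https(203.0.113.5)" action="Edit" cfgpath="system.interface" cfgobj="port3" cfgattr="description[uplink]" msg="Edit system.interface port3"',
]

# Constructed allowlists: the administrator and VPN accounts that are supposed to exist.
KNOWN_ADMINS = {"admin"}
KNOWN_VPN_USERS = {"alice", "bob"}

# Configuration paths whose creation/modification Fortinet describes as post-exploitation
# activity: rogue admin/local users, SSL VPN user-group edits, firewall policy changes.
WATCHED_CFGPATHS = {
    "system.admin": "administrator account",
    "user.local": "local user",
    "user.group": "user group",
    "firewall.policy": "firewall policy",
}

# key=value or key="value with spaces" pairs; quoted values may contain spaces and brackets.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_line(line):
    """Split one FortiGate-style log line into a dict, stripping the quotes around values."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def scan(lines, known_admins=KNOWN_ADMINS, known_vpn_users=KNOWN_VPN_USERS):
    """Return (severity, 'date time', message) findings in log order.

    Changes to watched config paths are MEDIUM. An SSL VPN tunnel for an account that was
    created earlier in the same log window is HIGH (the rogue-account tunnel pattern);
    a tunnel for any other account outside the allowlist is MEDIUM.
    """
    findings = []
    created_accounts = set()
    for line in lines:
        f = parse_fortigate_line(line)
        when = f"{f.get('date', '?')} {f.get('time', '?')}"
        desc = f.get("logdesc", "")
        if desc == "Object attribute configured" and f.get("cfgpath") in WATCHED_CFGPATHS:
            kind = WATCHED_CFGPATHS[f["cfgpath"]]
            actor = f.get("user", "?")
            if f.get("action") == "Add" and f["cfgpath"] in ("system.admin", "user.local"):
                created_accounts.add(f.get("cfgobj", ""))
            note = "" if actor in known_admins else " (actor is not a known administrator)"
            findings.append(("MEDIUM", when,
                             f"{f.get('action', '?')} {kind} {f.get('cfgobj', '?')} by {actor} "
                             f"via {f.get('ui', '?')}: {f.get('cfgattr', '')}{note}"))
        elif desc == "SSL VPN tunnel up":
            user = f.get("user", "?")
            if user in created_accounts:
                findings.append(("HIGH", when,
                                 f"SSL VPN tunnel from {f.get('remip', '?')} for account {user}, "
                                 f"which was created earlier in this log window"))
            elif user not in known_vpn_users:
                findings.append(("MEDIUM", when,
                                 f"SSL VPN tunnel from {f.get('remip', '?')} for unexpected account {user}"))
    return findings


if __name__ == "__main__":
    for severity, when, message in scan(SAMPLE_LOGS):
        print(f"[{severity}] {when} {message}")
```

Run against the constructed sample, the script reports the admin account creation, the local user creation, the SSL VPN group edit, the firewall policy edit, and a HIGH finding for the tunnel opened by the freshly created local user; Alice's tunnel and the interface description change are ignored. The allowlists are the part to adapt: a real deployment should load them from the device configuration rather than hard-code them.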


Important Security Alert: SonicWall Issues Patch for SSL-VPN Vulnerabilities 

SonicWall has released a security advisory urging administrators to address a high-severity vulnerability in its SSL-VPN implementation.

The flaw, identified as CVE-2024-53704, poses a significant security risk because it can be exploited remotely without authentication. Administrators are strongly encouraged to update their systems immediately to mitigate potential threats.

Key Details:

  • The vulnerability allows unauthenticated remote attackers to bypass SSL VPN authentication on affected systems.
  • It impacts SonicWall’s SSL-VPN products, widely used for secure remote access.
  • Exploitation of this bug could lead to severe consequences, including unauthorized remote access, exposure of sensitive data, network infiltration, and system compromise.

Summary 

OEM SonicWall 
Severity High 
CVSS 8.2 
CVEs CVE-2024-53704 
Exploited in Wild No 
Patch/Remediation Available Yes 
Advisory Version 1.0 

Overview 

The security flaw, tracked as CVE-2024-53704 (CVSS 8.2), is remotely exploitable and presents a serious risk. The same SonicWall advisory also covers CVE-2024-53706, CVE-2024-40762 and CVE-2024-53705, listed below. Administrators are highly advised to apply the necessary patches without delay to protect against potential threats.  

Vulnerability Name | CVE ID | Product Affected | Severity | Affected Version
Improper Authentication | CVE-2024-53704 | SonicWall SonicOS | High | 7.1.x (7.1.1-7058 and older), 7.1.2-7019, 8.0.0-8035
Privilege escalation | CVE-2024-53706 | SonicWall SonicOS | High | 7.1.x (7.1.1-7058 and older), 7.1.2-7019
Weak SSLVPN authentication token generator | CVE-2024-40762 | SonicWall SonicOS | High | 7.1.x (7.1.1-7058 and older), 7.1.2-7019
Server-side request forgery (SSRF) | CVE-2024-53705 | SonicWall SonicOS | Medium | 6.5.4.15-117n and older, 7.0.x (7.0.1-5161 and older)

Technical Summary 

CVE ID | System Affected | Vulnerability Details | Impact
CVE-2024-53704 | Gen7 Firewalls, Gen7 NSv, TZ80 | An Improper Authentication vulnerability in the SSLVPN authentication mechanism allows a remote attacker to bypass authentication. | Bypass authentication
CVE-2024-53706 | Gen7 Cloud Platform NSv | A vulnerability in the Gen7 SonicOS Cloud platform NSv (AWS and Azure editions only) allows a remote authenticated local low-privileged attacker to elevate privileges to `root` and potentially lead to code execution. | Allows attackers to gain root privileges and potentially execute code
CVE-2024-40762 | Gen7 Firewalls, Gen7 NSv, TZ80 | Use of a cryptographically weak pseudo-random number generator (PRNG) in the SonicOS SSLVPN authentication token generator; in certain cases the tokens can be predicted by an attacker, potentially resulting in authentication bypass. | Predictable authentication tokens can lead to SSLVPN authentication bypass
CVE-2024-53705 | Gen6 Hardware Firewalls, Gen7 Firewalls, Gen7 NSv | A Server-Side Request Forgery vulnerability in the SonicOS SSH management interface allows a remote attacker to establish a TCP connection to an IP address on any port while a user is logged in to the firewall. | Allows attackers to establish TCP connections to arbitrary IP addresses and ports
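Why a weak PRNG in a session-token generator (the CVE-2024-40762 entry above) amounts to an authentication bypass is easiest to see with the attack carried out end to end. The following Python script is an added example and is not SonicWall's code; the real SonicOS generator and token format are not described on this page. It uses a toy generator, WeakTokenGenerator, that draws tokens from Python's non-cryptographic Mersenne Twister seeded with a low-entropy value (here a constructed boot timestamp, boot_time, that the attacker is assumed to know to within an hour). The attacker uses one legitimately obtained token to brute-force the seed and the number of tokens issued before theirs, then replays the generator to predict the tokens handed to the next users. The hardened counterpart draws tokens from the OS CSPRNG via the secrets module, where the same search finds nothing.

```python
import random
import secrets

TOKEN_BYTES = 16


class WeakTokenGenerator:
    """Toy of the weakness class: a non-cryptographic PRNG (Mersenne Twister) seeded
    from a low-entropy value such as a boot timestamp. Illustrative only; this is not
    SonicOS's generator."""

    def __init__(self, seed):
        self._rng = random.Random(seed)

    def next_token(self):
        return self._rng.getrandbits(TOKEN_BYTES * 8).to_bytes(TOKEN_BYTES, "big").hex()


def strong_token():
    """Hardened form: a token from the OS CSPRNG. There is no seed to recover."""
    return secrets.token_hex(TOKEN_BYTES)


def recover_state(observed_token, candidate_seeds, max_prior_tokens=8):
    """Attacker step 1: for every candidate seed, replay the generator and look for the
    token the attacker legitimately holds. Returns (seed, number_of_tokens_before_ours)
    or None. The offset search matters because other sessions were issued before ours."""
    for seed in candidate_seeds:
        g = WeakTokenGenerator(seed)
        for offset in range(max_prior_tokens + 1):
            if g.next_token() == observed_token:
                return seed, offset
    return None


def predict_next_tokens(observed_token, candidate_seeds, count=3):
    """Attacker step 2: rebuild the generator from the recovered state, skip past the
    attacker's own token, and emit the tokens the next sessions will receive."""
    state = recover_state(observed_token, candidate_seeds)
    if state is None:
        return None
    seed, offset = state
    replay = WeakTokenGenerator(seed)
    for _ in range(offset + 1):  # tokens issued before ours, plus our own
        replay.next_token()
    return [replay.next_token() for _ in range(count)]


def demo(boot_time=1_736_000_000, window_seconds=3600):
    """Constructed scenario (assumption): the server seeded its generator with its boot
    time and the attacker knows that time to within +/- window_seconds."""
    server = WeakTokenGenerator(boot_time)
    _earlier_sessions = [server.next_token() for _ in range(2)]  # issued before the attacker's
    attacker_token = server.next_token()                          # attacker logs in legitimately once
    victim_tokens = [server.next_token() for _ in range(3)]       # issued to later users

    candidates = range(boot_time - window_seconds, boot_time + window_seconds + 1)
    predicted = predict_next_tokens(attacker_token, candidates, count=3)

    # The same search against a CSPRNG token: no candidate seed reproduces it.
    strong_state = recover_state(strong_token(), candidates)
    return {
        "weak_predicted_correctly": predicted == victim_tokens,
        "weak_predictions": predicted,
        "strong_seed_recovered": strong_state is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The search space here is 7,201 seeds times a handful of offsets, which finishes in well under a second; the point is that a token's security is bounded by the entropy that went into the generator, not by the token's length. With `secrets` (or any CSPRNG seeded from the OS), the 128-bit token really does carry 128 bits of unpredictability, and the same brute force has nothing to recover.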

Remediation

  • Update: Impacted users are recommended to upgrade to the following versions to address the security risk: 
Firewalls | Versions, Fixes and Releases
Gen 6 / 6.5 hardware firewalls | SonicOS 6.5.5.1-6n or newer
Gen 6 / 6.5 NSv firewalls | SonicOS 6.5.4.v-21s-RC2457 or newer
Gen 7 firewalls | SonicOS 7.0.1-5165 or newer; 7.1.3-7015 or newer
TZ80 | SonicOS 8.0.0-8037 or newer

Recommendations: 

  • Patch Without Delay: Install the latest firmware update from SonicWall to resolve this vulnerability. Detailed instructions are available in SonicWall’s official advisory. 
  • Monitor Network Activity: Regularly monitor network traffic for signs of suspicious or unauthorized access. 
  • Limit Access: Restrict VPN access to trusted users and enforce Multi-Factor Authentication (MFA) for all accounts. 
  • Stay Updated: Subscribe to SonicWall’s security alerts and updates to stay informed about upcoming vulnerabilities. 


Denial of Service Vulnerability in DNS Security Feature of Palo Alto Networks PAN-OS 

Summary 

OEM Palo Alto 
Severity High 
CVSS 8.7 
CVEs CVE-2024-3393 
Exploited in Wild Yes (listed in the CISA KEV catalog) 
Patch/Remediation Available Yes 
Advisory Version 1.0 

Overview 

A Denial-of-Service vulnerability in the DNS Security feature of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to send a malicious packet through the data plane of the firewall that reboots the firewall. Repeated attempts to trigger this condition will cause the firewall to enter maintenance mode.  

Vulnerability Name | CVE ID | Product Affected | Severity | Affected Version
Denial of Service (DoS) in DNS Security using a specially crafted packet | CVE-2024-3393 | Palo Alto Networks PAN-OS | High | PAN-OS 11.2 < 11.2.3*; PAN-OS 11.1 < 11.1.5*; PAN-OS 10.2 >= 10.2.8, < 10.2.14*; PAN-OS 10.1 >= 10.1.14, < 10.1.15*
* except the hotfix builds listed under Remediation below 

Technical Summary 

CVE ID | System Affected | Vulnerability Details | Impact
CVE-2024-3393 | Palo Alto Networks PAN-OS | A high-severity DoS vulnerability in the DNS Security feature of PAN-OS: malformed DNS packets are improperly parsed and logged, which lets an unauthenticated attacker remotely trigger a firewall reboot with a single packet sent through the data plane. Repeated exploitation causes the firewall to enter maintenance mode. CISA added it to the KEV catalog, with patching required by January 20, 2025. | Denial of Service (DoS)

Remediation

  • Update: Ensure that the appropriate patches or updates are applied to the relevant PAN-OS versions as listed below 
PAN-OS Version | Fixes and Releases
PAN-OS 11.2 | 11.2.3 or later (the affected range ends at 11.2.3)
PAN-OS 11.1 | 11.1.2-h16, 11.1.3-h13, 11.1.4-h7, 11.1.5
PAN-OS 10.2 | 10.2.8-h19, 10.2.9-h19, 10.2.10-h12, 10.2.11-h10, 10.2.12-h4, 10.2.13-h2, 10.2.14
PAN-OS 10.1 | 10.1.14-h8, 10.1.15
PAN-OS 10.2.9-h19, 10.2.10-h12 | Only applicable to Prisma Access
PAN-OS 11.0 | No fix (reached end-of-life on November 17, 2024); migrate to a supported release
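All three advisories on this page express their affected and fixed versions as ranges with exceptions (a hotfix inside an otherwise affected PAN-OS branch, a single affected SonicOS build), which is where manual triage of an inventory goes wrong. The following Python script is an added example, not code from any of the vendors or from this page: it encodes the affected and fixed versions exactly as printed in the three tables above (CVE-2025-24472 for FortiOS/FortiProxy, CVE-2024-53704 for SonicOS Gen7/TZ80, CVE-2024-3393 for PAN-OS), normalises the three vendors' version strings ("7.0.16", "7.1.1-7058", "10.2.8-h19") into comparable tuples, and reports each device as affected, fixed, fixed by hotfix, or not listed. The Rule class, the status strings and the sample inventory are assumptions of the example. Two choices are deliberate: SonicOS builds between the listed ones in a branch are treated as affected rather than silently passed, and SonicOS 6.5.x strings are rejected because their build format is not comparable this way. The PAN-OS 11.2 fix version is taken from the affected range (< 11.2.3) in the table above.

```python
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One affected range within a release branch, as printed in the advisories (assumed model)."""
    branch: tuple                          # (major, minor)
    affected_from: tuple                   # first affected version in the branch, inclusive
    fixed_at: Optional[tuple]              # first fixed version (exclusive upper bound); None = no fix (EOL)
    hotfix_floor: dict = field(default_factory=dict)  # patch -> lowest hotfix number that is fixed


RULES = {
    # CVE-2025-24472: FortiOS 7.0.0-7.0.16 -> 7.0.17; FortiProxy 7.0.0-7.0.19 -> 7.0.20, 7.2.0-7.2.12 -> 7.2.13
    "FortiOS": [Rule((7, 0), (7, 0, 0, 0), (7, 0, 17, 0))],
    "FortiProxy": [Rule((7, 0), (7, 0, 0, 0), (7, 0, 20, 0)),
                   Rule((7, 2), (7, 2, 0, 0), (7, 2, 13, 0))],
    # CVE-2024-53704 (Gen7 / TZ80): 7.1.1-7058 and older plus 7.1.2-7019 -> 7.1.3-7015; 8.0.0-8035 -> 8.0.0-8037.
    # Builds between the listed ones are treated as affected; 6.5.x strings are not supported.
    "SonicOS": [Rule((7, 1), (7, 1, 0, 0), (7, 1, 3, 7015)),
                Rule((8, 0), (8, 0, 0, 8035), (8, 0, 0, 8037))],
    # CVE-2024-3393: hotfix floors are the -hN builds listed as fixed; 11.0 is end-of-life with no fix.
    "PAN-OS": [Rule((11, 2), (11, 2, 0, 0), (11, 2, 3, 0)),
               Rule((11, 1), (11, 1, 0, 0), (11, 1, 5, 0), {2: 16, 3: 13, 4: 7}),
               Rule((11, 0), (11, 0, 0, 0), None),
               Rule((10, 2), (10, 2, 8, 0), (10, 2, 14, 0), {8: 19, 9: 19, 10: 12, 11: 10, 12: 4, 13: 2}),
               Rule((10, 1), (10, 1, 14, 0), (10, 1, 15, 0), {14: 8})],
}


def parse_version(version):
    """Normalise '7.0.16', '7.1.1-7058' or '10.2.8-h19' to a 4-tuple of ints.
    The fourth slot holds the SonicOS build or PAN-OS hotfix number (0 when absent)."""
    nums = [int(n) for n in re.findall(r"\d+", version)]
    if len(nums) < 3 or len(nums) > 4:
        raise ValueError(f"unsupported version string: {version!r}")
    return tuple(nums + [0] * (4 - len(nums)))


def status(product, version):
    """Classify one version against the advisory tables for its product."""
    v = parse_version(version)
    for rule in RULES[product]:
        if v[:2] != rule.branch:
            continue
        if rule.fixed_at is None:
            return "AFFECTED (end-of-life, no fix)"
        if v < rule.affected_from:
            return "not listed as affected"
        if v >= rule.fixed_at:
            return "fixed"
        floor = rule.hotfix_floor.get(v[2])
        if floor is not None and v[3] >= floor:
            return "fixed (hotfix)"
        return "AFFECTED"
    return "not listed as affected"


def report(inventory):
    """inventory: iterable of (hostname, product, version). Returns (host, product, version, status) rows."""
    return [(host, product, version, status(product, version)) for host, product, version in inventory]


if __name__ == "__main__":
    # Constructed inventory for the demonstration.
    for row in report([("fw-edge-1", "FortiOS", "7.0.16"), ("proxy-1", "FortiProxy", "7.2.13"),
                       ("vpn-1", "SonicOS", "7.1.1-7058"), ("dc-fw-1", "PAN-OS", "10.2.8-h19"),
                       ("dc-fw-2", "PAN-OS", "10.2.8-h18"), ("dc-fw-3", "PAN-OS", "11.0.4")]):
        print(*row)
```

"Not listed as affected" is deliberately distinct from "fixed": it covers branches the advisories do not mention (FortiProxy 7.4, PAN-OS 10.2.7), which should be confirmed against the vendor advisory rather than assumed safe. Rules are data, so a new hotfix or a later advisory version is a one-line change.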

Recommendations: 

  • Avoid Using EOL Versions: PAN-OS 11.0 has been end-of-life since November 17, 2024 and receives no fix. Ensure that it is not in use and upgrade to a supported version. 
  • Monitoring & Incident Response: Regularly review firewall logs for unusual behaviour, in particular unexpected reboots, DNS Security triggers and devices entering maintenance mode. 
  • For Prisma Access Users (Workaround): If patching cannot be applied immediately, disable DNS Security logging across all NGFWs by opening a support case with Palo Alto Networks. This removes the vulnerable logging path at the cost of DNS Security visibility; re-enable it once the fix is in place. 

