Attackers to Bypass FortiCloud-SSO Authentication;Patches Released for FortiOS, FortiProxy, FortiWeb
Fortinet Patches Released for FortiOS, FortiProxy, FortiWeb
Continue ReadingFortiProxy
Fortinet Released Security Update’s; Patched Multiple High & Medium Severity Vulnerabilities
Summary: Fortinet disclosed multiple critical security vulnerabilities impacting several of its core products, including FortiPAM, FortiSwitch Manager and FortiOS platforms and patched them.
The vulnerabilities encompass issues such as improper privilege escalation, heap-based buffer overflow, weak authentication, improper certificate validation, denial-of-service risk, and race condition flaws in authentication modules.
One of the high severity issue is a weak authentication mechanism vulnerability (CVE-2025-49201) in FortiPAM & FortiSwitch Manager, and a heap overflow flaw (CVE-2025-57740) in the SSL VPN RDP bookmark functionality.
| OEM | Fortinet |
| Severity | High |
| CVSS Score | 7.8 |
| CVEs | CVE-2025-49201, CVE-2025-58325, CVE-2025-57740, CVE-2025-57741 & others |
| POC Available | No |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
These vulnerabilities pose significant risks to enterprise environments, potentially allowing attackers to bypass authentication controls or execute arbitrary code within targeted systems. Users & Administrators are urged to update to the patched version.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| Weak Authentication Mechanism | CVE-2025-49201 | FortiPAM, FortiSwitch Manager | High | FortiPAM 1.5.1, 1.4.3 or later / FortiSwitch Manager 7.2.5 or later |
| CLI Command Functionality Bypass | CVE-2025-58325 | FortiOS | High | FortiOS 7.6.1+, 7.4.6+, 7.2.11+, 7.0.16+ |
| Heap Overflow – Remote Code Execution (FortiProxy SSL VPN Bookmarks) | CVE-2025-57741 | FortiProxy | High | FortiProxy 7.2.5+, 7.0.5+ |
| Heap Overflow – Remote Code Execution (SSL VPN RDP Bookmark) | CVE-2025-57740 | FortiOS, FortiProxy, FortiPAM, FortiSwitch Manager. | Medium | FortiOS 7.4.4+ / 7.2.8+ / 7.0.15+, FortiProxy 7.4.4+ / 7.2.10+, FortiPAM 1.3.0+, FortiSwitch Manager 7.2.4+ |
Technical Summary
Multiple critical and medium-severity vulnerabilities have been identified across several Fortinet products, including FortiOS, FortiPAM, FortiProxy, FortiAnalyzer, and FortiSwitchManager.
Other vulnerabilities could allow attackers to escalate privileges, execute unauthorized code, or bypass authentication, threatening system integrity and confidentiality.
Additional flaws may enable unauthenticated users to disrupt services, intercept network traffic, or exploit race conditions to gain improper access within centralized management and authentication platforms. As the Fortinet released the security updates, quick deploy of the patches to ensure resilience against exploitation and to protect enterprise assets.
| CVE ID | Component Affected | Vulnerability Details | Impact |
| CVE-2025-49201 | FortiPAM, FortiSwitch Manager | This flaw enables remote attackers to bypass authentication by sending specially crafted HTTP requests, allowing unauthorized code or command execution within privileged access management and switch management interfaces. | Authentication Bypass / Remote Code Execution |
| CVE-2025-57740 | FortiOS, FortiProxy, FortiPAM, FortiSwitch Manager | This heap-based buffer overflow in the SSL VPN RDP bookmark feature can be triggered by authenticated users through crafted bookmark data, resulting in memory corruption and possible code execution in the VPN context. | Remote Code Execution / System Compromise |
| CVE-2025-58325 | FortiOS | A CLI command functionality bypass allows attackers to execute restricted administrative commands through improper input validation, potentially escalating privileges or modifying critical system parameters. | Privilege Escalation / Remote Code Execution |
| CVE-2025-57741 | FortiProxy | This heap overflow vulnerability in FortiProxy’s SSL VPN RDP bookmarks can result in memory corruption, giving attackers a pathway to execute arbitrary code remotely during VPN session initialization. | Remote Code Execution / Service Compromise |
Additionally, multiple vulnerabilities have been disclosed that enable remote authentication bypass and include other issues with significant impact potential.
| Vulnerability Name | CVE ID | Affected Component | Severity |
| FGFM protocol allows unauthenticated reset of the connection | CVE-2025-26008 | FortiOS, FortiProxy, FortiPAM, FortiSwitchManager. | Medium |
| Heap Overflow in fgfmsd | CVE-2025-50571 | FortiAnalyzer/Cloud, FortiManager/Cloud. | Medium |
| Heap buffer overflow in websocket | CVE-2025-22258 | FortiOS,FortiPAM, FortiProxy, FortiSRA | Medium |
| Improper autorization over static files | CVE-2025-54822 | FortiOS, FortiProxy | Medium |
| Insufficient Session Expiration in SSLVPN using SAML authentication | CVE-2025-25252 | FortiOS | Medium |
| Missing authentication check in OFTP service | CVE-2025-53845 | FortiAnalyzer | Medium |
| Race condion in FortiCloud SSO SAML authentication | CVE-2025-54973 | FortiAnalyzer | Medium |
| Stack-based buffer overflow on fortitoken import feature | CVE-2025-46718 | FortiOS, FortiProxy | Medium |
Recommendations
Update Fortinet products to the following fixed versions as soon as possible and check the updated version from the Fortinet website
- FortiPAM: Upgrade to version 1.5.1 or later, or 1.4.3 or latest version
- FortiSwitch Manager: Upgrade to version 7.2.5 or higher
- FortiOS: Upgrade to versions 7.6.6+, 7.4.9+, 7.2.11+,7.0.16+ depending on the release series
- FortiProxy: Upgrade to 7.6.3+, 7.4.9+ and latest version
- FortiAnalyzer: Upgrade to 7.6.3+, 7.4.7+, 7.2.11+, 7.0.14+ latest version
Patches are available and should be applied immediately. For environments where immediate patching is not immediately feasible, you can also follow the below recommendations :
- Enable multi-factor authentication (MFA) to reduce unauthorized access risk
- Restrict network access to management interfaces to trusted personnel only
- Monitor logs for unusual brute-force attempts or anomalous login activity
- Apply the principle of least privilege to limit access to VPN and management services
- Use firewalls with strict whitelisting to block external attack vectors to vulnerable services
Conclusion:
The recent Fortinet advisories underscore the critical importance of timely vulnerability management, particularly for products controlling privileged access and remote connectivity.
The flaws in authentication and memory management can jeopardize the security posture of enterprise environments.
Organizations should urgently apply patches, monitor for suspicious login and session activity, and implement proactive security measures to reduce exploitation risks. Proactive response and regular updates are essential to maintaining robust security against evolving threats targeting critical infrastructure.
References:
Hashtags
#Infosec #CyberSecurity #Fortinet #FortiPAM #SQL #RCE #SecurityAdvisory #Vulnerabilitymanagement # PatchManagement #CISO #CXO #Intrucept
Authentication Bypass Vulnerability in FortiOS & FortiProxy
Summary
A critical authentication bypass vulnerability [CWE-288] has been identified in FortiOS and FortiProxy, tracked as CVE-2025-24472 . This is affecting their affecting FortiOS and FortiProxy products and being exploited in the wild.
| OEM | Fortinet |
| Severity | Critical |
| CVSS | 9.6 |
| CVEs | CVE-2025-24472 |
| Exploited in Wild | Yes |
| Patch/Remediation Available | Yes |
| Advisory Version | 1.0 |
Overview
This flaw, with the CVSSv3 score of 9.6, could allow a remote attacker to obtain super-admin privileges by sending specially crafted requests to the Node.js WebSocket module.
| Vulnerability Name | CVE ID | Product Affected | Severity | Affected Version |
| Authentication Bypass Vulnerability | CVE-2025-24472 | FortiOS FortiProxy | Critical | FortiOS v7.0 – v7.0.16 FortiProxy v7.0 – v7.0.19 FortiProxy v7.2 – v7.2.12 |
Technical Summary
| CVE ID | Vulnerability Details | Impact |
| CVE-2025-24472 | An authentication bypass using an alternate path (CWE-288) vulnerability in FortiOS and FortiProxy , present in certain versions, could enable a remote attacker to obtain super-admin privileges by sending requests to the Node.js websocket module or by crafting CSF proxy requests. | Execute unauthorized code or commands |
Recommendations:
- Update: Ensure that the appropriate patches or updates are applied to the relevant versions listed below
| Version | Fixes and Releases |
| FortiOS 7.0 – 7.0.16 | Upgrade to 7.0.17 or latest version |
| FortiProxy 7.0 – 7.0.19 | Upgrade to 7.0.20 or latest version |
| FortiProxy 7.2 – 7.2.12 | Upgrade to 7.2.13 or latest version |
Workarounds:
Below are some workarounds provided by the Fortinet team.
- Disable HTTP/HTTPS administrative interface
- Limit IP addresses that can reach the administrative interface via local-in policies
According to Fortinet, attackers exploit the two vulnerabilities to generate random admin or local users on affected devices, adding them to new and existing SSL VPN user groups. They have also been seen modifying firewall policies and other configurations and accessing SSLVPN instances with previously established rogue accounts “to gain a tunnel to the internal network.network.”
References:
Critical Authentication Bypass Vulnerability in CybersFortinet Products Under Active Exploitation
Summary
Fortinet recently announced a critical severity vulnerability affecting the FortiOS and FortiProxy products.
A critical Zero-day vulnerability with a CVSSv3 score of 9.6 that affects FortiOS and FortiProxy. Categorised as an “Authentication Bypass Using an Alternate Path or Channel” vulnerability (CWE-288), the flaw allows an attacker to circumvent authentication.
| OEM | Fortinet |
| Severity | Critical |
| CVSS | 9.6 |
| CVEs | CVE-2024-55591 |
| Exploited in Wild | Yes |
| Patch/Remediation Available | Yes |
| Advisory Version | 1.0 |
Overview
According to data from the Shadowserver Foundation, almost 50,000 devices are still unpatched as of January 20, 2025.
The vulnerability, which has been actively exploited since November 2024, enables unauthenticated attackers to obtain super-admin privileges through specially crafted requests to the Node.js websocket module. Although patches have been released, but a large number of devices remain exposed and vulnerable.
| Vulnerability Name | CVE ID | Product Affected | Severity |
| Authentication Bypass Vulnerability | CVE-2024-55591 | FortiOS and FortiProxy | Critical |
Technical Summary
CVE-2024-55591 is an authentication bypass vulnerability in FortiOS and FortiProxy. Exploiting this flaw allows remote attackers to gain super-admin privileges by sending specially crafted requests to the Node.js websocket module. This can lead to unauthorized administrative access, enabling attackers to modify firewall configurations, extract credentials, and move laterally within compromised environments.
Impact by Region (Unpatched Devices)
- Asia: 20,687 devices
- North America: 12,866 devices
- Europe: 7,401 devices
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2024-55591 | FortiOS 7.0.0 – 7.0.16, FortiProxy 7.0.0 – 7.0.19, FortiProxy 7.2.0 – 7.2.12 | Crafted requests to Node.js WebSocket module bypass authentication and allow attackers to gain super-admin privileges. | Unauthorized administrative access, credential extraction, and lateral movement. |
Remediation:
- Upgrade Firmware:
- FortiOS: Update to version 7.0.17 or latest
- FortiProxy: For 7.0.x version update to v7.0.20 or latest and for 7.2.x version update to v7.2.13 or latest
- Restrict Administrative Interface Access:
- Disable HTTP/HTTPS interfaces or limit access to trusted IP addresses using local-in policies.
- Enable Multi-Factor Authentication (MFA):
- Enforce MFA on all administrative accounts to reduce the risk of unauthorized access.
- Monitor Suspicious Activities:
- Check for unauthorized admin accounts, suspicious logins, or unexpected changes in firewall configurations.
Conclusion:
The exploitation of CVE-2024-55591 underscores the critical importance of timely patch management and robust security practices. Organizations using Fortinet products should act swiftly to apply the necessary updates and implement recommended security measures to protect their networks from potential attacks.
References:
- https://www.fortiguard.com/psirt
- https://cybersecuritynews.com/50000-fortinet-firewalls-remain-vulnerable-to-critical-zero-day-exploit/
- https://dashboard.shadowserver.org/statistics/combined/map/?map_type=std&day=2025-01-19&source=http_vulnerable&source=http_vulnerable6&tag=cve-2024-55591%2B&geo=all&data_set=count&scale=log
Hashtags