Fortinet warns of new vulnerability in FortiOS and FortiProxy

Fortinet has found a new security flaw (CVE-2025-24472) in its systems. The company stresses that this flaw was fixed back in January and is not a zero-day.

At first it looked like attackers were actively exploiting both CVE-2025-24472 and CVE-2024-55591, but Fortinet now confirms that only CVE-2024-55591 was actually used in attacks. Earlier this year, data from 15,000 FortiGate firewalls ended up on the dark web.

What did the vulnerability entail?

The problem with CVE-2025-24472 was that hackers could exploit it to gain full administrator privileges without a password through a weakness in the CSF proxy. This allowed them to access affected systems and modify settings. The vulnerability occurs in FortiOS 7.0.0 to 7.0.16 and FortiProxy 7.0.0 to 7.0.19. Fortinet has fixed the problem in later versions.

Hackers used this vulnerability to give themselves administrator privileges, modify firewall rules and take over systems. According to cybersecurity firm Arctic Wolf, attackers have been exploiting CVE-2024-55591 since November 2024. This occurred in four phases:

  • Scanning systems (Nov. 16-23, 2024): Hackers look for vulnerable devices.
  • Gaining Access (Nov. 22-27, 2024): They try to get in through known weaknesses.
  • Changing settings (Dec. 4-7, 2024): They change VPN settings to maintain their access.
  • Deeper break-in (Dec. 16-27, 2024): They spread further within the network.

Fortinet advises administrators to update their systems as soon as possible. If they cannot, they are advised to disable the management interface or allow only certain IP addresses access. They are also advised to monitor network traffic and establish strict access controls.

Companies using Fortinet products should check their logs for suspicious activity and carefully review firewall rules. Additional security, such as multi-factor authentication (MFA), is recommended to prevent unwanted access in the future.
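
A way to triage a device inventory against the affected ranges and the workaround described above. This is an added example, not Fortinet or Arctic Wolf code; the inventory records, hostnames, the `mgmt_restricted` field and the build suffixes are constructed, and the version ranges are the ones stated in this article.

```python
import re

# Affected ranges for CVE-2025-24472 exactly as stated in the article (inclusive).
AFFECTED = {
    "fortios": ((7, 0, 0), (7, 0, 16)),
    "fortiproxy": ((7, 0, 0), (7, 0, 19)),
}

def parse_version(text):
    """Extract (major, minor, patch) from strings such as 'v7.0.14,build0000'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())

def is_affected(product, version_text):
    """True if the product/version pair falls inside a range listed above."""
    bounds = AFFECTED.get(product.strip().lower())
    if bounds is None:
        return False  # product not covered by the article
    low, high = bounds
    return low <= parse_version(version_text) <= high

def triage(device):
    """Map one inventory record to the action the article recommends."""
    if not is_affected(device["product"], device["version"]):
        return "no action for this CVE"
    if device["mgmt_restricted"]:
        return "upgrade (management interface already restricted)"
    return "upgrade now, or disable/restrict the management interface"

# Constructed sample inventory; hostnames and field names are hypothetical.
INVENTORY = [
    {"host": "fw-edge-01", "product": "FortiOS", "version": "v7.0.14,build0000", "mgmt_restricted": False},
    {"host": "fw-core-02", "product": "FortiOS", "version": "7.0.16", "mgmt_restricted": True},
    {"host": "fw-lab-03", "product": "FortiOS", "version": "7.0.17", "mgmt_restricted": False},
    {"host": "px-dmz-01", "product": "FortiProxy", "version": "7.0.19", "mgmt_restricted": False},
]

def report(inventory):
    """Return {host: action} for every record in the inventory."""
    return {d["host"]: triage(d) for d in inventory}

if __name__ == "__main__":
    for host, action in report(INVENTORY).items():
        print(f"{host}: {action}")
```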