Fortinet Zero-Day Exploited to Hijack Firewall & Gain Super Admin



Fortinet has issued an urgent warning about a critical zero-day vulnerability (CVE-2025-24472) in FortiOS and FortiProxy. The flaw allows remote attackers to bypass authentication and gain super-admin privileges by exploiting maliciously crafted CSF proxy requests.

It affects FortiOS versions 7.0.0 to 7.0.16 and FortiProxy versions 7.0.0 to 7.0.19 and 7.2.0 to 7.2.12. The vulnerability has been actively exploited in the wild, enabling attackers to hijack Fortinet firewalls and compromise enterprise networks.

Fortinet 0-Day Vulnerability

Fortinet reports that attackers are using the vulnerability to create rogue admin or local user accounts on compromised devices. These accounts allow them to modify firewall policies and access SSL VPN user groups, enabling unauthorized network tunneling.

The flaw, an authentication bypass (CWE-288) in FortiOS and FortiProxy, lets remote attackers gain super-admin privileges via crafted requests to the Node.js websocket module or CSF proxy.

This comes after a previous advisory on another zero-day (CVE-2024-55591), which also allowed super-admin access through targeted malicious requests.

Arctic Wolf has identified IOCs linked to these vulnerabilities, confirming attacks on internet-exposed Fortinet management interfaces since mid-November 2024.

Their analysis shows a structured attack campaign:

  • Vulnerability Scanning (Nov 16-23)
  • Reconnaissance (Nov 22-27)
  • SSL VPN Configuration (Dec 4-7)
  • Lateral Movement (Dec 16-27)

They observed unauthorized admin logins, new account creations, and configuration changes across multiple victims. The attackers used these accounts for SSL VPN authentication and further network access.

Mitigation & Security Recommendations

Fortinet has released critical patches and urges administrators to update immediately:

  • Upgrade FortiOS to version 7.0.17 or higher
  • Upgrade FortiProxy to version 7.2.13 or higher (7.0.20 for earlier branches)

For those unable to patch immediately, Fortinet recommends:

  • Disabling HTTP/HTTPS administrative interfaces
  • Restricting access to trusted IPs using local-in policies

Fortinet warns that while the exact attack vector isn’t confirmed, a zero-day exploit is likely. Organizations should disable public firewall management access immediately.

Security teams should apply patches, monitor for anomalies, and review logs for unauthorized access.
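The article lists the behaviours Arctic Wolf saw on compromised devices (successful admin logins from outside the usual management range, new admin or local user accounts, edits to firewall policies and SSL VPN user groups) and tells security teams to review logs for them. The script below is an added example, not Fortinet's or Arctic Wolf's tooling: it parses FortiOS-style `key="value"` event-log lines and flags those three patterns. The trusted management range, the `cfgpath` values used to recognise account and policy objects, and every log line are constructed for illustration; check them against your own firewall's log format before using this in production.

```python
import ipaddress
import re

# Matches FortiOS-style fields: key=value or key="value with spaces".
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Assumption (constructed): administration is only ever done from this range.
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/24")]

# Assumed FortiOS cfgpath values for account objects and for the objects the
# article says attackers modified (firewall policies, SSL VPN user groups).
ACCOUNT_PATHS = {"system.admin", "user.local"}
POLICY_PATHS = {"firewall.policy", "user.group", "vpn.ssl.web.portal"}


def parse_fortios_log(line: str) -> dict:
    """Split one FortiOS event-log line into a {field: value} dict."""
    fields = {}
    for key, quoted, bare in FIELD_RE.findall(line):
        fields[key] = quoted if quoted else bare
    return fields


def is_trusted(ip: str) -> bool:
    """True if the source address lies inside an allowed management range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_ADMIN_NETS)


def triage(fields: dict) -> list:
    """Return the alert names a single parsed log record triggers."""
    alerts = []
    action = fields.get("action")
    # 1. Successful admin login from outside the trusted management range.
    if action == "login" and fields.get("status") == "success":
        if not is_trusted(fields.get("srcip", "")):
            alerts.append("admin-login-untrusted-source")
    # 2. A new admin or local user account was created.
    if action == "Add" and fields.get("cfgpath") in ACCOUNT_PATHS:
        alerts.append("new-account-created")
    # 3. Firewall policy or SSL VPN group/portal objects were changed.
    if action in {"Add", "Edit", "Delete"} and fields.get("cfgpath") in POLICY_PATHS:
        alerts.append("policy-or-vpn-group-changed")
    return alerts


def scan_logs(lines) -> list:
    """Run triage over an iterable of log lines; return hits with context."""
    findings = []
    for n, line in enumerate(lines, start=1):
        fields = parse_fortios_log(line)
        hits = triage(fields)
        if hits:
            findings.append({
                "line": n,
                "user": fields.get("user"),
                "object": fields.get("cfgobj"),
                "alerts": hits,
            })
    return findings


# Constructed sample lines in FortiOS event-log style (not real IoCs).
SAMPLE_LOGS = [
    'date=2024-12-05 time=10:14:22 type="event" subtype="system" level="information" '
    'vd="root" logdesc="Admin login successful" user="admin" ui="https(203.0.113.5)" '
    'method="https" srcip=203.0.113.5 action="login" status="success" '
    'profile="super_admin" msg="Administrator admin logged in successfully"',
    'date=2024-12-05 time=10:20:01 type="event" subtype="system" level="information" '
    'vd="root" logdesc="Admin login successful" user="admin" ui="https(10.0.0.15)" '
    'method="https" srcip=10.0.0.15 action="login" status="success" '
    'profile="super_admin" msg="Administrator admin logged in successfully"',
    'date=2024-12-05 time=10:15:03 type="event" subtype="system" level="information" '
    'vd="root" logdesc="Object attribute configured" user="admin" ui="https(203.0.113.5)" '
    'action="Add" cfgpath="system.admin" cfgobj="support_tmp" '
    'cfgattr="accprofile[super_admin]" msg="Add system.admin support_tmp"',
    'date=2024-12-05 time=10:16:40 type="event" subtype="system" level="information" '
    'vd="root" logdesc="Object attribute configured" user="support_tmp" '
    'ui="https(203.0.113.5)" action="Edit" cfgpath="user.group" cfgobj="sslvpn_users" '
    'cfgattr="member[support_tmp]" msg="Edit user.group sslvpn_users"',
    'date=2024-12-05 time=10:18:12 type="event" subtype="system" level="information" '
    'vd="root" logdesc="Object attribute configured" user="support_tmp" '
    'ui="https(203.0.113.5)" action="Add" cfgpath="firewall.policy" cfgobj="7" '
    'cfgattr="srcintf[ssl.root]dstintf[port2]" msg="Add firewall.policy 7"',
]

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(hit)
```

Running the block flags the login from 203.0.113.5, the creation of `support_tmp`, the SSL VPN group edit and the new policy, while the login from the trusted 10.0.0.15 address produces nothing. In practice the same three checks map directly onto a SIEM rule set, with the trusted range replaced by your own management allowlist.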


Published February 11th, 2025 (2025-02-12T04:01:36+05:30) | Categories: Exploitation, Internet Security, Security Advisory, Security Update, vulnerability, Zero Day Attack

About the Author: FirstHackersNews - Identifies Security
