High-Severity Vulnerability in Fortinet Products
12 February 2025
Fortinet has released security updates addressing a critical authentication bypass vulnerability affecting their FortiOS and FortiProxy products.
Fortinet has released security updates addressing a high-severity vulnerability (CVE-2025-24472) affecting their FortiOS and FortiProxy products. This vulnerability is reportedly being exploited in the wild.
Successful exploitation of the authentication bypass vulnerability could allow remote attackers to gain super-admin privileges via maliciously crafted requests to the Node.js websocket module or via maliciously crafted CSF proxy requests.
The vulnerability affects the following products:
FortiOS versions 7.0.0 through 7.0.16
FortiProxy versions 7.0.0 through 7.0.19
FortiProxy versions 7.2.0 through 7.2.12
Users and administrators of affected product versions are advised to update to the latest versions immediately.
Indicators of Compromise (IOCs)
Fortinet has provided the following log entries and IP addresses as potential IOCs. Administrators are advised to monitor system logs for signs of compromise, such as unauthorised administrative accounts, unrecognised configuration changes, or suspicious SSL VPN connections.
Log Entries:
type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" sn="1733486785" user="admin" ui="jsconsole" method="jsconsole" srcip=1.1.1.1 dstip=1.1.1.1 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from jsconsole"
type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="jsconsole(127.0.0.1)" action="Add" cfgtid=1411317760 cfgpath="system.admin" cfgobj="vOcep" cfgattr="password[*]accprofile[super_admin]vdom[root]" msg="Add system.admin vOcep"
IP addresses associated with malicious activities:
45.55.158[.]47 (most common)
87.249.138[.]47
155.133.4[.]175
37.19.196[.]65
149.22.94[.]37
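The following is an added detection example, not part of the original advisory or Fortinet's own tooling. It parses FortiOS key=value event log lines and flags the two patterns Fortinet published (successful admin logins via the jsconsole UI and creation of a system.admin account with the super_admin profile), plus any source IP on the list above. The sample log is constructed from the two entries above, a benign HTTPS login, and a jsconsole login from one of the published IPs.

```python
import re

def refang(addr):
    """Turn a defanged address such as 1.2.3[.]4 back into 1.2.3.4 for comparison."""
    return addr.replace("[.]", ".")

# The source IPs published in FG-IR-24-535, written defanged as on the advisory page.
KNOWN_BAD_IPS = {refang(a) for a in [
    "45.55.158[.]47", "87.249.138[.]47", "155.133.4[.]175",
    "37.19.196[.]65", "149.22.94[.]37",
]}

# key=value pairs; the value is either "quoted" or a bare token (e.g. srcip=1.1.1.1).
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Parse one FortiOS event log line into a dict of field -> value."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}

def findings(line):
    """Return the advisory-related reasons one log line is suspicious (empty if none)."""
    ev = parse_line(line)
    reasons = []
    # Successful admin logins whose UI is jsconsole are the tell-tale sign Fortinet published.
    if (ev.get("action") == "login" and ev.get("status") == "success"
            and ev.get("ui", "").startswith("jsconsole")):
        reasons.append("successful admin login via jsconsole")
    # Creation of a new administrator account, in particular one holding super_admin.
    if ev.get("cfgpath") == "system.admin" and ev.get("action") == "Add":
        reasons.append(f"admin account added: {ev.get('cfgobj')}")
        if "accprofile[super_admin]" in ev.get("cfgattr", ""):
            reasons.append("new account holds the super_admin profile")
    if ev.get("srcip") in KNOWN_BAD_IPS:
        reasons.append(f"srcip {ev['srcip']} is on the published IOC list")
    return reasons

def scan(log_text):
    """Return [(line_no, reasons)] for every non-empty line that matches."""
    hits = ((no, findings(l)) for no, l in enumerate(log_text.splitlines(), 1) if l.strip())
    return [(no, r) for no, r in hits if r]

# Constructed sample: lines 1-2 are the advisory's entries, line 3 is a benign HTTPS login,
# line 4 is a constructed jsconsole login from a published IOC address.
SAMPLE_LOG = """\
type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" sn="1733486785" user="admin" ui="jsconsole" method="jsconsole" srcip=1.1.1.1 dstip=1.1.1.1 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from jsconsole"
type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="jsconsole(127.0.0.1)" action="Add" cfgtid=1411317760 cfgpath="system.admin" cfgobj="vOcep" cfgattr="password[*]accprofile[super_admin]vdom[root]" msg="Add system.admin vOcep"
type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" ui="https(10.0.0.5)" method="https" srcip=10.0.0.5 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from https(10.0.0.5)"
type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" ui="jsconsole" method="jsconsole" srcip=45.55.158.47 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from jsconsole"
"""
```

Run `scan(SAMPLE_LOG)` against exported FortiOS event logs; it reports lines 1, 2 and 4 of the sample and ignores the ordinary HTTPS login.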
Workaround
If immediate updating is not feasible, users are advised to apply the following mitigations:
Disable the HTTP/HTTPS administrative interface to reduce exposure.
Restrict administrative access to trusted IP addresses using local-in policies.
More information is available here:
https://fortiguard.fortinet.com/psirt/FG-IR-24-535