CVE-2025-24472 is a critical authentication bypass vulnerability affecting Fortinet FortiProxy and FortiOS products, specifically versions 7.0.0 through 7.0.16 for FortiOS and 7.2.0 through 7.2.12 and 7.0.0 through 7.0.19 for FortiProxy. The vulnerability arises from an alternate path or channel that allows an unauthenticated remote attacker to bypass authentication controls if they possess prior knowledge of the serial numbers of both upstream and downstream devices within a Security Fabric deployment. By crafting specific CSF (Central Security Fabric) proxy requests, the attacker can escalate privileges to super-admin on the downstream device. This effectively grants full control over the device, enabling execution of unauthorized code or commands, which can compromise confidentiality, integrity, and availability of the affected systems. The vulnerability has a CVSS v3.1 base score of 8.1, indicating high severity, with attack vector being network-based, requiring no privileges or user interaction, but with high attack complexity due to the need for serial number knowledge. The scope is unchanged, but the impact on confidentiality, integrity, and availability is high. No known exploits are currently reported in the wild, but the potential for exploitation is significant given the critical access gained. The vulnerability affects devices configured with Security Fabric enabled, which is commonly used in enterprise environments to integrate and manage multiple Fortinet devices. The lack of available patches at the time of publication increases the urgency for mitigation and monitoring.

For European organizations, the impact of CVE-2025-24472 can be severe, especially for enterprises and service providers relying on Fortinet FortiProxy and FortiOS devices for network security and traffic management. Successful exploitation could lead to full compromise of downstream devices, enabling attackers to execute arbitrary commands, manipulate traffic, exfiltrate sensitive data, or disrupt network operations. This could affect critical infrastructure, financial institutions, healthcare providers, and government agencies that depend on Fortinet's Security Fabric for integrated security management. The breach of confidentiality and integrity could result in data leaks, regulatory non-compliance (e.g., GDPR violations), and operational downtime. Additionally, the ability to execute unauthorized code remotely without authentication increases the risk of widespread lateral movement within networks. Given the high adoption of Fortinet products in Europe, the threat could have cascading effects on supply chains and critical services.

Organizations should immediately audit their Fortinet FortiProxy and FortiOS deployments to identify affected versions and confirm whether Security Fabric is enabled. Until official patches are released, it is critical to implement network-level controls to restrict access to management interfaces and CSF proxy endpoints, limiting them to trusted internal networks and known IP addresses. Monitoring and logging of CSF proxy requests should be enhanced to detect anomalous or crafted requests indicative of exploitation attempts. Fortinet administrators should rotate and protect device serial numbers and related information to reduce the risk of attackers obtaining the required knowledge. Employing network segmentation to isolate downstream devices can limit the impact of a successful attack. Additionally, organizations should stay informed about Fortinet’s security advisories for patch releases and apply updates promptly once available. Incident response plans should be updated to include detection and remediation steps for this vulnerability. Where feasible, consider temporarily disabling Security Fabric features that expose CSF proxy interfaces until patches are applied.