Critical Fortinet FortiOS and FortiProxy Flaws Enable Remote Compromise
Fortinet disclosed multiple critical vulnerabilities in FortiOS and related products, including an authentication bypass in FortiOS and FortiProxy that can grant attackers super-admin privileges and is being actively exploited in the wild. The flaw can be triggered through specially crafted requests to the Node.js websocket module and affects FortiOS 7.0.0 through 7.0.16, FortiProxy 7.2.0 through 7.2.12, and FortiProxy 7.0.0 through 7.0.19. Organizations were told to upgrade to FortiOS 7.0.17+, FortiProxy 7.2.13+, or FortiProxy 7.0.20+, and to apply Fortinet’s recommended mitigations immediately.
Separate Fortinet advisories also warned of critical flaws CVE-2024-21762 and CVE-2024-23113, affecting FortiOS, FortiProxy, FortiPAM, and FortiSwitchManager. CVE-2024-21762 carries a CVSS 9.6 rating, while CVE-2024-23113 is rated CVSS 9.8; both require urgent patching to fixed versions identified by Fortinet. Fortinet and national cyber authorities said defenders should prioritize upgrades across exposed appliances, and for CVE-2024-21762, disabling the SSL VPN feature can reduce exposure until patches are applied.
Timeline
Jan 15, 2025
Fortinet discloses actively exploited FortiOS and FortiProxy auth bypass flaw
Fortinet disclosed a critical authentication bypass vulnerability in FortiOS and FortiProxy that can grant an attacker super-admin privileges via specially crafted requests to the Node.js websocket module. Fortinet said the flaw was being actively exploited in the wild and advised customers to upgrade to fixed versions or apply recommended mitigations.
Feb 9, 2024
Fortinet discloses critical FortiOS and related product vulnerabilities
Fortinet disclosed multiple critical vulnerabilities affecting FortiOS and other products, notably CVE-2024-21762 and CVE-2024-23113, and identified affected and fixed versions. The guidance included urgent patching and a mitigation note that disabling SSL VPN could help reduce exposure to CVE-2024-21762.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Vulnerabilities
Organizations
Affected Products
Sources
Related Stories
Exploited Critical Fortinet Flaws Expose FortiWeb and FortiManager to Takeover
Fortinet disclosed two critical vulnerabilities affecting **FortiWeb** and **FortiManager**, both of which have been exploited in the wild and can lead to full device compromise. In FortiWeb, multiple versions are affected by an unauthenticated SQL injection flaw that lets attackers send crafted HTTP or HTTPS requests to execute unauthorized SQL commands, bypass access controls, read sensitive configuration and user data, alter or delete database records, and potentially escalate to complete system takeover. Fortinet advised customers to upgrade immediately to fixed releases or disable the HTTP/HTTPS management interface as a temporary workaround. In FortiManager, the critical flaw tracked as `CVE-2024-47575` allows unauthenticated remote code execution and remote command execution, with exploitation observed globally and against Finnish organizations. A successful attack can give intruders control of vulnerable FortiManager systems and expose connected device configuration data and passwords. Fortinet issued patches for most affected branches, while **FortiManager Cloud 6.4** has no fix and must be upgraded; the company also warned that if exploitation is suspected, patching alone is insufficient and organizations should perform a full incident investigation using Fortinet’s compromise-assessment guidance.
1 weeks ago
Critical Authentication Bypass Vulnerabilities in Fortinet Products via FortiCloud SSO
Fortinet has disclosed and patched two critical authentication bypass vulnerabilities, identified as CVE-2025-59718 and CVE-2025-59719, affecting multiple products including FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager. These flaws, rated with a CVSS score of 9.1, stem from improper verification of cryptographic signatures in the FortiCloud SSO login process. An unauthenticated attacker could exploit these vulnerabilities by sending a crafted SAML message, potentially gaining unauthorized administrative access if FortiCloud SSO is enabled. By default, FortiCloud SSO is disabled, but it is automatically enabled during FortiCare registration unless the administrator explicitly disables the relevant toggle. Fortinet has released fixed versions for all affected products and strongly recommends that organizations upgrade immediately. As a temporary mitigation, disabling the FortiCloud SSO login feature is advised until the upgrade can be completed. There is currently no evidence of exploitation in the wild, and no public proof-of-concept code is available, but the history of threat actors targeting Fortinet products underscores the urgency of patching. The vulnerabilities impact a range of versions across FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager, with unaffected versions and upgrade paths detailed in the advisories.
1 months ago
Fortinet Patches Multiple Vulnerabilities Across FortiClient and Other Products
Fortinet released security updates addressing **22 vulnerabilities** across multiple products, including **FortiWeb**, **FortiSwitchAX**, **FortiManager**, and **FortiClient (Linux)**. The issues span multiple bug classes (e.g., **authentication bypass**, **heap-based buffer overflow**, and **cleartext storage of sensitive information**) and could enable outcomes such as security bypass, data tampering, denial-of-service, privilege escalation, information disclosure, and in some cases **unauthorized code/command execution**. Belgium’s CCB urged organizations to patch promptly and noted Fortinet reported **no evidence of active exploitation** at the time of the advisory. One of the patched flaws, **CVE-2026-24018** (CVSS **7.8**), was detailed by the **Zero Day Initiative (ZDI-26-186)** as a **local privilege escalation** vulnerability in *FortiClient*. ZDI reported the flaw stems from handling of certain shared objects: a local attacker with the ability to run low-privileged code can create a **symbolic link** to coerce a service into loading an arbitrary shared object, enabling execution of attacker-controlled code as **root**. Fortinet issued a fix and published vendor guidance under **FG-IR-26-083**.
1 months ago