Fortinet Vulnerabilities Enable Ransomware

While cybersecurity vendors promise robust protection, Fortinet’s recent string of critical vulnerabilities has left thousands of organizations exposed to devastating attacks. The security giant is scrambling to patch two particularly nasty flaws – CVE-2024-55591 and CVE-2025-24472 – with terrifying CVSS scores between 9.3 and 9.8. Not exactly the “security” customers paid for.

These vulnerabilities affect FortiOS versions prior to 7.0.16, handing attackers super_admin privileges through crafted CSF proxy requests. No password needed. How convenient. Arctic Wolf spotted exploitation as early as December 2024, while Fortinet dragged its feet until January before confirming the attacks. Meanwhile, hackers had a field day.

Attackers gaining super_admin access with zero authentication—because nothing says “secure” like handing hackers the keys to your kingdom.

An estimated 150,000 FortiOS and FortiProxy systems remain vulnerable, with 14,000 exposed instances in the United States alone. Organizations across multiple sectors are feeling the pain. The attackers aren’t amateurs, either. They’re using sophisticated techniques – bypassing authentication via Node.js websocket modules, creating rogue accounts, and tunneling through VPNs to move laterally across compromised networks. Proper risk assessment frameworks could have identified these vulnerabilities before they were exploited at such scale.

Once inside, attackers modify firewall policies, access clear-text credentials, and tamper with registry values. As in the October 2022 incidents, hackers are specifically targeting vulnerable Fortinet VPNs managed by third-party providers. The ultimate prize? Deploying ransomware and exfiltrating sensitive data. All because Fortinet couldn’t secure its own security products. Ironic.

Fortinet eventually released patches, urging customers to upgrade to FortiOS 7.0.17+ or FortiProxy 7.2.13+. Too little, too late for many. Two of the disclosed vulnerabilities even scored a critical 9.3 rating on the CVSS scale, allowing attackers to execute arbitrary commands. Other mitigations include disabling HTTP/HTTPS administrative access and restricting management interfaces to trusted IPs. But really, the damage is done.

The compromised firewalls serve as perfect entry points to internal networks, giving attackers a foothold from which to launch additional attacks. Organizations are now scrambling to detect unauthorized logins and suspicious policy changes. Meanwhile, Fortinet executives are probably drafting their “we take security seriously” press release. Sure you do.
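The detection work described above, as an added example that is not from the original article or from Fortinet: a small Python triage pass over FortiOS-style key=value event logs that flags admin logins from outside a trusted management range, super_admin profiles assigned to accounts, and firewall policy changes. The sample log lines are constructed, and the field names (logdesc, ui, cfgpath, cfgobj, cfgattr) and the 10.0.0.0/8 management range are assumptions to adapt to your own logs.

```python
import ipaddress
import re
import shlex

# Assumption: the subnets your administrators are allowed to manage firewalls from.
TRUSTED_MGMT = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample lines modelled on FortiOS key=value event logs; the field
# names and values are assumptions for illustration, not captured telemetry.
SAMPLE_LOGS = [
    'date=2025-01-20 time=03:14:07 type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="https(10.0.5.21)" status="success"',
    'date=2025-01-20 time=03:15:42 type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="https(203.0.113.77)" status="success"',
    'date=2025-01-20 time=03:16:01 type="event" subtype="system" logdesc="Object attribute configured" user="admin" ui="https(203.0.113.77)" cfgpath="system.admin" cfgobj="svc_backup" cfgattr="accprofile[super_admin]"',
    'date=2025-01-20 time=03:17:30 type="event" subtype="system" logdesc="Object attribute configured" user="svc_backup" ui="jsconsole" cfgpath="firewall.policy" cfgobj="7" cfgattr="action[accept]"',
]


def parse_kv(line):
    """Split one key=value log line into a dict; shlex strips the quoting."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)


def source_ip(ui):
    """Pull the client IP out of a ui field such as https(1.2.3.4); None if absent."""
    m = re.search(r"\((\d+\.\d+\.\d+\.\d+)\)", ui)
    return ipaddress.ip_address(m.group(1)) if m else None


def triage(lines, trusted=TRUSTED_MGMT):
    """Return (line_index, reason) for every line a defender should review."""
    findings = []
    for i, line in enumerate(lines):
        ev = parse_kv(line)
        ip = source_ip(ev.get("ui", ""))
        # Successful admin login from outside the trusted management range.
        if ev.get("logdesc") == "Admin login successful" and ip is not None \
                and not any(ip in net for net in trusted):
            findings.append((i, f"admin login from untrusted source {ip}"))
        # An account being given the super_admin access profile.
        if ev.get("cfgpath") == "system.admin" and "super_admin" in ev.get("cfgattr", ""):
            findings.append((i, f"super_admin profile assigned to account {ev.get('cfgobj')}"))
        # Any change to firewall policy objects.
        if ev.get("cfgpath") == "firewall.policy":
            findings.append((i, f"firewall policy {ev.get('cfgobj')} changed by {ev.get('user')} via {ev.get('ui')}"))
    return findings


if __name__ == "__main__":
    for idx, reason in triage(SAMPLE_LOGS):
        print(f"line {idx}: {reason}")
```

Feed it your exported event log instead of SAMPLE_LOGS and tighten TRUSTED_MGMT to the addresses your management interfaces are actually restricted to.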
