subtoot about Fortinet zero-day. Those infosec publications are running WILD calling it an exploited zero-day (complete with a backstory) with absolutely no evidence. Are we reading the same security advisory? What the fuck are you guys conjuring up and extrapolating from 2025-02-11: Added CVE-2025-24472 and its acknowledgement?
EDIT: You've heard of "patch-diffing." Get ready for advisory-diffing:
https://web.archive.org/web/20250114161659/https://fortiguard.fortinet.com/psirt/FG-IR-24-535 (14 January 2025)
versus https://fortiguard.fortinet.com/psirt/FG-IR-24-535 (11 February 2025):
- An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS and FortiProxy may allow a remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module or via crafted CSF proxy requests.
- Follow the recommended upgrade path using our tool at: https://docs.fortinet.com/upgrade-tool
- Please note that the above IP parameters are under attacker control and therefore can be any other IP address.
- not the actual source IP addresses of the attack traffic, they are generated arbitrarily by the attacker as a parameter. Because of this they should not be used for any blocking.
- edit 2
  set intf "allany"
- Please note as well that an attacker needs to know an admin account's username to perform the attack and log in to the CLI. Therefore, having a non-standard and non-guessable username for admin accounts does offer some protection, and is, in general, a best practice. Keep in mind, however, that since the targeted websocket is not an authentication point, nothing would prevent an attacker from bruteforcing the username.
- CSF requests issue: Disable Security Fabric from the CLI:
  config system csf
  set status disable
  end
Some of these are explained in the changelog, but I wanted to be certain.
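For anyone who wants to repeat the "advisory-diffing" above without eyeballing two browser tabs: the following is an added example (mine, not Fortinet's and not from the original post). It strips two versions of an HTML page down to whitespace-normalized text blocks and reports which blocks were added or removed, which is what surfaces quietly inserted sentences like the CSF proxy clause. The two sample pages embedded below are constructed stand-ins for the archived and live FG-IR-24-535 pages, loosely modeled on the snippets quoted above; the real HTML would be fetched from the Wayback URL and the live URL and passed to advisory_diff() in the same way.

```python
import difflib
import re
from html.parser import HTMLParser

# Block-level tags; each one starts a new text unit so that a sentence
# added inside one <p> shows up as exactly one added line in the diff.
_BLOCK_TAGS = {"p", "li", "br", "div", "tr", "h1", "h2", "h3", "h4", "pre"}


class _TextExtractor(HTMLParser):
    """Collect visible text, dropping <script>/<style> contents."""

    def __init__(self):
        super().__init__()  # convert_charrefs=True: entities are decoded for us
        self._chunks = []
        self._skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1
        elif tag in _BLOCK_TAGS:
            self._chunks.append("\x00")  # block boundary marker

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip_depth = max(0, self._skip_depth - 1)
        elif tag in _BLOCK_TAGS:
            self._chunks.append("\x00")

    def handle_data(self, data):
        if self._skip_depth == 0:
            self._chunks.append(data)

    def blocks(self):
        return "".join(self._chunks).split("\x00")


def normalize(page_html):
    """HTML -> list of whitespace-collapsed text blocks, empty ones dropped.

    Collapsing whitespace matters: CMS re-wrapping of a paragraph must not
    show up as a change, only actual wording differences should."""
    parser = _TextExtractor()
    parser.feed(page_html)
    parser.close()
    out = []
    for block in parser.blocks():
        text = re.sub(r"\s+", " ", block).strip()
        if text:
            out.append(text)
    return out


def advisory_diff(old_html, new_html):
    """Return (added, removed) text blocks between two versions of a page."""
    old, new = normalize(old_html), normalize(new_html)
    # autojunk=False: short repeated blocks (headings) must not be treated as junk
    matcher = difflib.SequenceMatcher(a=old, b=new, autojunk=False)
    added, removed = [], []
    for op, i1, i2, j1, j2 in matcher.get_opcodes():
        if op in ("delete", "replace"):
            removed.extend(old[i1:i2])
        if op in ("insert", "replace"):
            added.extend(new[j1:j2])
    return added, removed


# Constructed sample pages (NOT the real FortiGuard HTML), loosely modeled on
# the snippets quoted in the post, so the script runs offline.
OLD_SNAPSHOT = """<html><body>
<h1>FG-IR-24-535</h1>
<p>An Authentication Bypass vulnerability may allow a remote attacker to gain
   super-admin privileges via crafted requests to the Node.js websocket module.</p>
<h2>Version</h2>
<ul><li>2025-01-14 Initial publication</li></ul>
<script>trackPageView("psirt");</script>
</body></html>"""

CURRENT_PAGE = """<html><body>
<h1>FG-IR-24-535</h1>
<p>An Authentication Bypass vulnerability may allow a remote attacker to gain
   super-admin privileges via crafted requests to the Node.js websocket module
   or via crafted CSF proxy requests.</p>
<h2>Workarounds</h2>
<p>Disable Security Fabric from the CLI.</p>
<h2>Version</h2>
<ul><li>2025-01-14 Initial publication</li>
    <li>2025-02-11 Added CVE-2025-24472 and its acknowledgement</li></ul>
<script>trackPageView("psirt");</script>
</body></html>"""


def demo():
    """Diff the two constructed versions; returns (added, removed)."""
    return advisory_diff(OLD_SNAPSHOT, CURRENT_PAGE)


if __name__ == "__main__":
    added, removed = demo()
    for line in removed:
        print("-", line)
    for line in added:
        print("+", line)
```

Run it and the reworded vulnerability sentence shows up as one removed block plus one added block, the new Workarounds section and the new changelog entry as added blocks, and the unchanged heading and first changelog entry do not appear at all. Diffing at block level rather than raw HTML is deliberate: a tracker script or a re-wrapped paragraph would otherwise bury the one sentence you care about.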