Fortinet has recently addressed a critical vulnerability affecting multiple products, including FortiOS, FortiProxy, FortiPAM, FortiSRA, and FortiWeb. The vulnerability, identified as NCSC-2025-0082, involves the improper handling of HTTP and HTTPS requests, which could allow an attacker with specific privileges to execute unauthorized code. This issue has been actively exploited in ransomware attacks, making it a high-priority patch for organizations relying on Fortinet’s security solutions[1][2].
TL;DR: Key Takeaways
- Vulnerability ID: NCSC-2025-0082
- Affected Products: FortiOS, FortiProxy, FortiPAM, FortiSRA, FortiWeb
- Risk Level: Medium/High (M/H)
- Impact: Unauthorized code execution via crafted HTTP/HTTPS requests
- Exploitation: Public exploits available since January 2025; used in ransomware campaigns
- CVE References: CVE-2024-55591, CVE-2025-24472
- Remediation: Apply the latest patches immediately
Technical Details of the Vulnerability
The vulnerability stems from how Fortinet products process HTTP and HTTPS requests. Attackers with specific privileges can craft malicious requests to exploit this flaw, leading to remote code execution (RCE). This allows them to gain super_admin privileges and establish persistent access to compromised systems. The issue is particularly concerning because it affects multiple products across Fortinet’s portfolio, including:
- FortiOS: The operating system for Fortinet’s firewall appliances.
- FortiProxy: A secure web gateway solution.
- FortiPAM: A privileged access management tool.
- FortiSRA: A secure remote access solution.
- FortiWeb: A web application firewall.
The exploitation of this vulnerability has been observed in ransomware attacks, where attackers use it to gain initial access and escalate privileges. Once inside, they can deploy ransomware payloads, exfiltrate data, or maintain long-term persistence[3][4].
Exploitation in the Wild
According to the Nationaal Cyber Security Centrum (NCSC), this vulnerability has been actively exploited since January 2025. Attackers have used it to bypass authentication mechanisms and gain super_admin privileges, allowing them to:
- Create backdoor accounts for persistent access.
- Update software on compromised devices to prevent detection.
- Encrypt critical files and demand ransom payments.
The NCSC has also noted that a public exploit for this vulnerability has been available since January 2025, increasing the risk of widespread exploitation[5].
Affected Versions and Patches
Fortinet has released patches for the following versions:
| Product | Affected Versions | Patched Versions |
|---|---|---|
| FortiOS | < 7.0.16 | 7.0.16 |
| FortiProxy | < 7.0.16 | 7.0.16 |
| FortiPAM | < 7.0.16 | 7.0.16 |
| FortiSRA | < 7.0.16 | 7.0.16 |
| FortiWeb | < 7.0.16 | 7.0.16 |
Organizations are urged to update their systems to the latest versions immediately. For those unable to patch immediately, the NCSC recommends implementing the following mitigations:
- Restrict access to management interfaces.
- Monitor for unusual activity, such as the creation of new accounts or unexpected software updates.
- Use network segmentation to limit the spread of potential attacks[6].
Relevance to Security Professionals
This vulnerability is particularly relevant to Red Teams, Blue Teams, and SOC Analysts:
- Red Teams: Can simulate attacks using this vulnerability to test organizational defenses.
- Blue Teams: Should prioritize patching and monitor for indicators of compromise (IOCs).
- SOC Analysts: Need to be vigilant for signs of exploitation, such as unusual HTTP/HTTPS traffic or privilege escalation attempts.
For Threat Intel Researchers, this vulnerability highlights the importance of tracking public exploits and understanding how they are used in real-world attacks. The availability of a public exploit since January 2025 underscores the need for rapid response to emerging threats[7].
Conclusion
The NCSC-2025-0082 vulnerability in Fortinet products is a critical issue that demands immediate attention. With public exploits available and active exploitation in ransomware campaigns, organizations must act swiftly to protect their systems. By applying patches, implementing mitigations, and monitoring for signs of compromise, security teams can reduce the risk of falling victim to these attacks.
