How ZeroPath Works
Back to Blog

Fortinet FortiOS & FortiProxy Authentication Bypass (CVE-2024-52965): Invalid Certificates, Real Threats

CVE-2024-52965 exposes Fortinet FortiOS and FortiProxy to authentication bypass via invalid PKI certificates, impacting multiple versions and enabling unauthorized API access.
CVE Analysis

5 min read

ZeroPath Security Research

ZeroPath Security Research

2025-07-08

Fortinet FortiOS & FortiProxy Authentication Bypass (CVE-2024-52965): Invalid Certificates, Real Threats

Fortinet FortiOS & FortiProxy Authentication Bypass (CVE-2024-52965): Invalid Certificates, Real Threats

Introduction

Fortinet's widely deployed FortiOS and FortiProxy solutions are under threat from a critical authentication bypass vulnerability (CVE-2024-52965). This flaw allows attackers to bypass authentication using invalid PKI certificates, posing significant risks to enterprise security by enabling unauthorized API access and potentially persistent network compromise.

Technical Information

The core issue (CVE-2024-52965) stems from a missing critical authentication step (CWE-304) in Fortinet's FortiOS and FortiProxy products. Specifically, when API users authenticate with a combination of an API key and a PKI user certificate, the system neglects proper validation of the certificate's cryptographic integrity and revocation status. Attackers exploit this oversight by pairing valid API keys with intentionally invalid certificates—such as expired, self-signed, or revoked certificates—to bypass authentication entirely.

Attack Vectors and Exploitation Methods

  • Unauthorized API Access: Attackers craft malicious API requests, leveraging valid API keys alongside invalid certificates to bypass authentication.
  • Persistent Backdoors: Exploited accounts may create hidden administrative users, facilitating long-term unauthorized access.
  • Credential Harvesting and Data Exfiltration: Attackers can extract sensitive SSL-VPN configurations and hashed credentials, storing them in archives like /tmp/.tm for exfiltration.

Affected Systems and Versions

  • FortiOS: Versions 7.6.0 through 7.6.1, 7.4.0 through 7.4.5, 7.2.0 through 7.2.10, and versions prior to 7.0.16.
  • FortiProxy: Versions 7.6.0 through 7.6.1, 7.4.0 through 7.4.8, 7.2.0 through 7.2.13, and versions prior to 7.0.20.

Vendor Security History

Fortinet has experienced several critical vulnerabilities in recent years, particularly within FortiOS and FortiProxy. Authentication bypass flaws and Node.js-related vulnerabilities have been recurring issues, suggesting potential gaps in Fortinet's security review and patch management processes.

References

Security teams should urgently prioritize patching and mitigation measures to protect against active exploitation of CVE-2024-52965.

Source: This report was created using AI

If you have suggestions for improvement or feedback, please reach out to us at [email protected]

Detect & fix
what others miss

Get startedBook a demo