CVE-2025-24471: 
FortiOS vulnerability analysis and mitigation

CVE-2025-24471 is an Improper Certificate Validation vulnerability affecting FortiOS versions 7.6.1 and below, and version 7.4.7 and below. The vulnerability was discovered by Rhys H & Adam L from CGI UK and was publicly disclosed on June 10, 2025. This security flaw specifically impacts the EAP certificate authentication mechanism in FortiOS (Fortinet Advisory).

The vulnerability is classified as CWE-295 (Improper Certificate Validation) and has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N. The technical nature of the vulnerability involves improper validation of revoked certificates during EAP authentication processes (NVD).

The vulnerability allows an EAP verified remote user to connect from FortiClient using a revoked certificate, potentially compromising the authentication security of affected systems. The CVSS scoring indicates high integrity impact while confidentiality and availability remain unaffected (Fortinet Advisory).

Fortinet has released patches to address this vulnerability. Users of FortiOS 7.6.x should upgrade to version 7.6.2 or above, while users of FortiOS 7.4.x should upgrade to version 7.4.8 or above. For FortiSASE 25.1.a.2 users, Fortinet has remediated this issue in version 25.1.b with no additional action required from customers (Fortinet Advisory).