CVE-2025-24471: 
FortiOS vulnerability analysis and mitigation

An Improper Certificate Validation vulnerability (CVE-2025-24471) was discovered in FortiOS affecting versions 7.6.1 and below, and version 7.4.7 and below. The vulnerability was publicly disclosed on June 10, 2025, and was discovered by Rhys H & Adam L from CGI UK. This security flaw specifically impacts the EAP certificate authentication mechanism in FortiOS (Fortinet Advisory, NVD).

The vulnerability is classified as CWE-295 (Improper Certificate Validation) and has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N. The technical nature of the vulnerability involves improper validation of revoked certificates during EAP authentication processes (Wiz, NVD).

The vulnerability allows an EAP verified remote user to connect from FortiClient using a revoked certificate, potentially compromising the authentication security of affected systems. The CVSS scoring indicates high integrity impact while confidentiality and availability remain unaffected (Fortinet Advisory, Wiz).

Fortinet has released patches to address this vulnerability. Users of FortiOS 7.6.x should upgrade to version 7.6.2 or above, while users of FortiOS 7.4.x should upgrade to version 7.4.8 or above. For FortiSASE 25.1.a.2 users, Fortinet has remediated this issue in version 25.1.b with no additional action required from customers (Fortinet Advisory).