Authentication Bypass Vulnerability in Fortinet FortiProxy and FortiOS
CVE-2025-22252
9 CRITICAL
Key Information:
- Vendor: Fortinet
- CVE Published: 28 May 2025
What is CVE-2025-22252?
CVE-2025-22252 is a missing authentication for a critical function vulnerability in the affected versions of Fortinet FortiProxy, FortiSwitchManager, and FortiOS. By leveraging an existing admin account, an attacker can bypass authentication, potentially gaining unauthorized administrative access to the affected devices. This poses a significant risk to the security and integrity of networks that rely on these Fortinet products.
Affected Version(s)
FortiOS 7.6.0
FortiOS 7.4.4 <= 7.4.6
FortiProxy 7.6.0 <= 7.6.1