CVE-2025-22251

Summary

An improper restriction of communication channel to intended endpoints vulnerability [CWE-923] in FortiOS 7.6.0, 7.4.0 through 7.4.5, 7.2 all versions, 7.0 all versions, 6.4 all versions may allow an unauthenticated attacker to inject unauthorized sessions via crafted FGSP session synchronization packets.

Affected Software

VendorProductVersion RangeStatus
FortinetFortiOS7.6.0affected
FortinetFortiOS7.4.0 <= 7.4.5affected
FortinetFortiOS7.2.0 <= 7.2.11affected
FortinetFortiOS7.0.0 <= 7.0.17affected
FortinetFortiOS6.4.0 <= 6.4.16affected

Weaknesses

  • CWE-923: Improper access control

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References