CVE-2025-22862

Summary

An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] in FortiOS 7.4.0 through 7.4.7, 7.2.0 through 7.2.11, 7.0.6 and above; and FortiProxy 7.6.0 through 7.6.2, 7.4.0 through 7.4.8, 7.2 all versions, 7.0.5 and above may allow an authenticated attacker to elevate their privileges via triggering a malicious Webhook action in the Automation Stitch component.

Affected Software

VendorProductVersion RangeStatus
FortinetFortiProxy7.6.0 <= 7.6.2affected
FortinetFortiProxy7.4.0 <= 7.4.8affected
FortinetFortiProxy7.2.0 <= 7.2.15affected
FortinetFortiProxy7.0.5 <= 7.0.22affected
FortinetFortiOS7.4.0 <= 7.4.7affected
FortinetFortiOS7.2.0 <= 7.2.11affected
FortinetFortiOS7.0.6 <= 7.0.18affected

Weaknesses

  • CWE-288: Escalation of privilege

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

Additional References

References