CVE-2025-25255

Summary

An Improperly Implemented Security Check for Standard vulnerability [CWE-358] vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiProxy 7.6.0 through 7.6.3, FortiProxy 7.4.0 through 7.4.11, FortiProxy 7.2 all versions, FortiProxy 7.0.1 through 7.0.22 may allow an unauthenticated proxy user to bypass the domain fronting protection feature via crafted HTTP requests.

Affected Software

VendorProductVersion RangeStatus
FortinetFortiOS7.6.0 <= 7.6.3affected
FortinetFortiProxy7.6.0 <= 7.6.3affected
FortinetFortiProxy7.4.0 <= 7.4.11affected
FortinetFortiProxy7.2.0 <= 7.2.15affected
FortinetFortiProxy7.0.1 <= 7.0.22affected

Weaknesses

  • CWE-358: Improper access control

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References