Home

Description

A missing authentication for critical function in Fortinet FortiProxy versions 7.6.0 through 7.6.1, FortiSwitchManager version 7.2.5, and FortiOS versions 7.4.4 through 7.4.6 and version 7.6.0 may allow an attacker with knowledge of an existing admin account to access the device as a valid admin via an authentication bypass.

PUBLISHED Reserved 2025-01-02 | Published 2025-05-28 | Updated 2026-02-26 | Assigner fortinet




CRITICAL: 9.0CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:W/RC:C

Problem types

Escalation of privilege

Product status

Default status
unaffected

7.6.0 (semver)
affected

Default status
unaffected

7.2.5
affected

Default status
unaffected

7.6.0
affected

7.4.4 (semver)
affected

References

fortiguard.fortinet.com/psirt/FG-IR-24-472

cve.org (CVE-2025-22252)

nvd.nist.gov (CVE-2025-22252)

Download JSON