CVE Vulnerabilities

CVE-2025-22254

Improper Privilege Management

Published: Jun 10, 2025 | Modified: Jul 22, 2025
CVSS 3.x
7.2
HIGH
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x
RedHat/V2
RedHat/V3
Ubuntu

An Improper Privilege Management vulnerability [CWE-269] affecting Fortinet FortiOS version 7.6.0 through 7.6.1, 7.4.0 through 7.4.6, 7.2.0 through 7.2.10, 7.0.0 through 7.0.16 and before 6.4.15, FortiProxy version 7.6.0 through 7.6.1 and before 7.4.7 & FortiWeb version 7.6.0 through 7.6.1 and before 7.4.6 allows an authenticated attacker with at least read-only admin permissions to gain super-admin privileges via crafted requests to Node.js websocket module.

Weakness

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Affected Software

Name Vendor Start Version End Version
Fortios Fortinet 6.4.0 (including) 6.4.16 (excluding)
Fortios Fortinet 7.0.0 (including) 7.0.17 (excluding)
Fortios Fortinet 7.2.0 (including) 7.2.11 (excluding)
Fortios Fortinet 7.4.0 (including) 7.4.7 (excluding)
Fortios Fortinet 7.6.0 (including) 7.6.2 (excluding)

Potential Mitigations

References