SecuriTricks - CVE-2025-22251

Description

An improper restriction of communication channel to intended endpoints vulnerability [CWE-923] in FortiOS 7.6.0, 7.4.0 through 7.4.5, 7.2 all versions, 7.0 all versions, 6.4 all versions may allow an unauthenticated attacker to inject unauthorized sessions via crafted FGSP session synchronization packets.

Product(s) Impacted

Vendor	Product	Versions
Fortinet	Fortios	7.6.0, 7.4.0-7.4.5, 7.2, 7.0, 6.4

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-923

Improper Restriction of Communication Channel to Intended Endpoints

The product establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	fortinet	fortios	7.6.0	/	/	/	/	/	/	/
a	fortinet	fortios	7.4.0-7.4.5	/	/	/	/	/	/	/
a	fortinet	fortios	7.2	/	/	/	/	/	/	/
a	fortinet	fortios	7.0	/	/	/	/	/	/	/
a	fortinet	fortios	6.4	/	/	/	/	/	/	/

References

https://fortiguard.fortinet.com/psirt/FG-IR-24-287

CVSS Score

3.1 / 10

CVSS Data - 3.1

Attack Vector: ADJACENT_NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

View Vector String

Timeline

Published: June 10, 2025, 5:21 p.m.
Last Modified: June 10, 2025, 5:21 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

psirt@fortinet.com

CVE-2025-22251