SecuriTricks - CVE-2025-22862

Description

An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] in FortiOS 7.4.0 through 7.4.7, 7.2 all versions, 7.0.6 and above; and FortiProxy 7.6.0 through 7.6.2, 7.4.0 through 7.4.8, 7.2 all versions, 7.0.5 and above may allow an authenticated attacker to elevate their privileges via triggering a malicious Webhook action in the Automation Stitch component.

Product(s) Impacted

Vendor	Product	Versions
Fortinet	Fortios Fortiproxy	7.4.0-7.4.7, 7.2, 7.0.6 7.6.0-7.6.2, 7.4.0-7.4.8, 7.2, 7.0.5

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-288

Authentication Bypass Using an Alternate Path or Channel

A product requires authentication, but the product has an alternate path or channel that does not require authentication.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	fortinet	fortios	7.4.0-7.4.7	/	/	/	/	/	/	/
a	fortinet	fortios	7.2	/	/	/	/	/	/	/
a	fortinet	fortios	7.0.6	/	/	/	/	/	/	/
a	fortinet	fortiproxy	7.6.0-7.6.2	/	/	/	/	/	/	/
a	fortinet	fortiproxy	7.4.0-7.4.8	/	/	/	/	/	/	/
a	fortinet	fortiproxy	7.2	/	/	/	/	/	/	/
a	fortinet	fortiproxy	7.0.5	/	/	/	/	/	/	/

References

https://fortiguard.fortinet.com/psirt/FG-IR-24-385

CVSS Score

6.7 / 10

CVSS Data - 3.1

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: HIGH
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

View Vector String

Timeline

Published: Oct. 2, 2025, 1:15 p.m.
Last Modified: Oct. 2, 2025, 7:11 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

psirt@fortinet.com

CVE-2025-22862