Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2025-22254

An Improper Privilege Management vulnerability [CWE-269] affecting Fortinet FortiOS version 7.6.0 through 7.6.1, 7.4.0 through 7.4.6, 7.2.0 through 7.2.10, 7.0.0 through 7.0.16 and before 6.4.15, FortiProxy version 7.6.0 through 7.6.1 and before 7.4.7 & FortiWeb version 7.6.0 through 7.6.1 and before 7.4.6 allows an authenticated attacker with at least read-only admin permissions to gain super-admin privileges via crafted requests to Node.js websocket module.

Published

2025-06-10T17:21:08.420

Last Modified

2025-07-22T21:25:11.937

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 6.6 (MEDIUM)

Weaknesses

Type: Primary
CWE-269

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Operating System	fortinet	fortios	< 6.4.16	Yes
Operating System	fortinet	fortios	< 7.0.17	Yes
Operating System	fortinet	fortios	< 7.2.11	Yes
Operating System	fortinet	fortios	< 7.4.7	Yes
Operating System	fortinet	fortios	< 7.6.2	Yes
Application	fortinet	fortiproxy	< 7.4.8	Yes
Application	fortinet	fortiproxy	< 7.6.2	Yes
Application	fortinet	fortiweb	< 7.4.7	Yes
Application	fortinet	fortiweb	< 7.6.2	Yes

References

https://fortiguard.fortinet.com/psirt/FG-IR-25-006 Vendor Advisory ([email protected])