Platform
fortinet
Component
fortios
Fixed in
7.6.2
7.4.7
7.2.11
7.0.17
6.4.16
7.6.2
7.4.8
7.6.2
7.4.7
CVE-2025-22254 is an Improper Privilege Management vulnerability (CWE-269) affecting FortiOS, FortiProxy, and FortiWeb. This flaw allows an authenticated attacker with at least read-only administrator permissions to escalate their privileges to super-administrator, granting them full control over the affected system. The vulnerability impacts FortiOS versions 6.4.0 through 7.6.1, FortiProxy versions 7.4.0 through 7.6.1, and FortiWeb versions 7.4.0 through 7.6.1. A fix is available in updated versions.
Successful exploitation of CVE-2025-22254 allows an attacker to bypass access controls and gain complete administrative control over the Fortinet device. This includes the ability to modify configurations, access sensitive data, and potentially pivot to other systems within the network. The impact is particularly severe because the attacker only requires read-only admin privileges to initiate the exploit, a permission level often granted to numerous users for monitoring purposes. This vulnerability shares similarities with privilege escalation exploits targeting web application frameworks, where insufficient access controls can be leveraged to gain elevated privileges.
CVE-2025-22254 has been publicly disclosed and is currently not listed on the CISA KEV catalog. The EPSS score is likely to be assessed as medium due to the vulnerability's potential impact and the requirement for authentication. Public proof-of-concept (PoC) exploits are anticipated to emerge, increasing the risk of exploitation. The vulnerability was published on 2025-06-10.
Organizations heavily reliant on Fortinet FortiOS, FortiProxy, or FortiWeb appliances are at risk. Specifically, deployments utilizing read-only administrator accounts for monitoring or limited access, and those running vulnerable versions (6.4.0-7.6.1 for FortiOS, 7.4.0-7.6.1 for FortiProxy, and 7.4.0-7.6.1 for FortiWeb) are particularly vulnerable. Shared hosting environments using these appliances also face increased risk.
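The version ranges above are inclusive, so a naive "between 6.4.0 and 7.6.1" comparison would wrongly flag fixed releases such as FortiOS 7.4.7 or 7.2.11 that sit numerically inside the range. The following Python triage check is an added example, not part of this page's advisory data: it combines the affected ranges with the per-branch "Fixed in" list for FortiOS from this page; the FortiProxy and FortiWeb fixed lists are left empty as an assumption (this page does not label them), which makes the check conservative for those products.

```python
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges as stated on this page (inclusive bounds).
AFFECTED = {
    "FortiOS": ((6, 4, 0), (7, 6, 1)),
    "FortiProxy": ((7, 4, 0), (7, 6, 1)),
    "FortiWeb": ((7, 4, 0), (7, 6, 1)),
}

# Fixed releases per major.minor branch. Only the FortiOS list is labelled
# "Fixed in" on this page. ASSUMPTION: FortiProxy/FortiWeb lists are left
# empty, so any in-range version of those products is reported as affected
# until the Fortinet advisory is consulted.
FIXED = {
    "FortiOS": [(7, 6, 2), (7, 4, 7), (7, 2, 11), (7, 0, 17), (6, 4, 16)],
    "FortiProxy": [],
    "FortiWeb": [],
}


def parse_version(text: str) -> Version:
    """Parse a 'major.minor.patch' string such as '7.4.6' into a tuple."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def fixed_version_for(product: str, version: Version) -> Optional[Version]:
    """Return the fixed release on the same major.minor branch, if one is listed."""
    for fixed in FIXED.get(product, []):
        if fixed[:2] == version[:2]:
            return fixed
    return None


def is_affected(product: str, version_text: str) -> bool:
    """True if the version is inside the affected range and below its branch fix."""
    if product not in AFFECTED:
        raise ValueError(f"unknown product: {product!r}")
    version = parse_version(version_text)
    low, high = AFFECTED[product]
    if not (low <= version <= high):
        return False
    fixed = fixed_version_for(product, version)
    # In range on a branch with a known fix: affected only below the fix.
    return version < fixed if fixed is not None else True
```

Feeding this an inventory export (product, version) gives a defensible patch list without hand-comparing each branch.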
• fortinet: Examine FortiOS system logs for unusual websocket requests or attempts to modify system configurations by read-only administrators.
Get-WinEvent -LogName Security -FilterXPath "//Event[System[Provider[@Name='Fortinet FortiOS']]]"
• linux / server: Monitor Fortinet device logs using journalctl for suspicious activity related to the Node.js websocket module.
journalctl -u fortinet -f | grep "websocket"
• generic web: Use curl to test the websocket endpoint and observe the response for any unexpected behavior.
curl -v wss://<fortigate_ip>/node.js/websocketdisclosure
Exploit status
EPSS
0.06% (19th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-22254 is to upgrade to a patched version of FortiOS, FortiProxy, or FortiWeb. Fortinet has released updates to address this vulnerability. If an immediate upgrade is not feasible, consider implementing stricter access controls to limit the number of users with read-only admin privileges. Review existing user permissions and remove any unnecessary access. While a WAF or proxy cannot directly prevent this privilege escalation, it can help detect and block suspicious requests associated with the exploit. Monitor Fortinet device logs for unusual activity or attempts to access privileged resources. After upgrading, verify that accounts that previously had read-only access can no longer obtain super-admin privileges.
Upgrade FortiOS to a fixed version that is outside the affected version ranges. Consult the Fortinet advisory for details on the fixed versions and upgrade instructions.
CVE-2025-22254 is a vulnerability in FortiOS, FortiProxy, and FortiWeb that allows authenticated read-only admins to gain super-admin privileges via crafted websocket requests.
You are affected if you are running FortiOS 6.4.0-7.6.1, FortiProxy 7.4.0-7.6.1, or FortiWeb 7.4.0-7.6.1.
Upgrade to a patched version of FortiOS, FortiProxy, or FortiWeb as recommended by Fortinet. Check their security advisories for specific version details.
As of June 10, 2025, no public exploits have been released, but the vulnerability's ease of exploitation means active exploitation is possible.
Refer to the official Fortinet security advisory on their website for detailed information and mitigation steps: [https://www.fortinet.com/security/advisory/fortinet-security-advisory/CVE-2025-22254](https://www.fortinet.com/security/advisory/fortinet-security-advisory/CVE-2025-22254)