Platform: fortinet
Component: fortios
Fixed in: 7.6.2, 7.4.7, 7.2.11, 7.0.17, 6.4.16; 7.6.2, 7.4.8; 7.6.2, 7.4.7
CVE-2025-22254 is an Improper Privilege Management vulnerability (CWE-269) affecting FortiOS, FortiProxy, and FortiWeb. This flaw allows an authenticated attacker with at least read-only administrator permissions to escalate their privileges to super-administrator, granting them full control over the affected system. The vulnerability impacts FortiOS versions 6.4.0 through 7.6.1, FortiProxy versions 7.4.0 through 7.6.1, and FortiWeb versions 7.4.0 through 7.6.1. A fix is available in updated versions.
Successful exploitation of CVE-2025-22254 allows an attacker to bypass access controls and gain complete administrative control over the affected Fortinet device. This includes the ability to modify firewall policies, create new users with elevated privileges, access sensitive data, and potentially pivot to other systems within the network. The impact is particularly severe in environments where read-only administrator accounts are commonly issued for monitoring or limited-access purposes, because any one of these accounts, once compromised, can be used to obtain full system control. The attack leverages a flaw in the Node.js websocket module, highlighting the importance of securing all components of a complex security appliance.
CVE-2025-22254 was publicly disclosed on June 10, 2025. The vulnerability's impact is considered Medium, and its exploitation probability is currently assessed as low due to the requirement for authenticated access. No public proof-of-concept exploits have been released at the time of this writing, but the vulnerability's ease of exploitation could change this. Monitor CISA KEV and security advisories for updates.
Exploit Status
EPSS: 0.06% (19th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-22254 is to upgrade to a patched version of FortiOS, FortiProxy, or FortiWeb. Fortinet has released updates to address this vulnerability. If immediate patching is not possible, consider restricting access to the Node.js websocket module or implementing stricter authentication controls for read-only administrator accounts. Review existing firewall policies and user permissions to identify and remove any unnecessary privileges. Monitor system logs for suspicious activity, particularly requests originating from unusual sources or targeting the Node.js websocket module. After upgrading, confirm the fix by verifying that a read-only administrator account can no longer escalate its privileges.
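As an added example (not from this page or from Fortinet), the following Python triage helper applies the FortiOS affected range and fixed releases listed above to an inventory of version strings. The branch-to-fix mapping, the build-string parsing and the sample inventory are assumptions made here; the point it illustrates is that a release such as 7.2.11 sits numerically inside "6.4.0 through 7.6.1" yet is fixed, so a checker must compare against the branch fix before it trusts the range.

```python
"""Triage helper for CVE-2025-22254 on FortiOS (added example, not vendor code)."""
from __future__ import annotations

# Affected FortiOS range as stated in the advisory summary: 6.4.0 through 7.6.1.
AFFECTED_MIN = (6, 4, 0)
AFFECTED_MAX = (7, 6, 1)

# Fixed FortiOS releases listed at the top of this page. Mapping each one to its
# major.minor branch is an assumption made for this checker.
FIXED_BY_BRANCH = {
    (7, 6): (7, 6, 2),
    (7, 4): (7, 4, 7),
    (7, 2): (7, 2, 11),
    (7, 0): (7, 0, 17),
    (6, 4): (6, 4, 16),
}


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse '7.4.6', 'v7.4.6' or a FortiOS-style 'v7.4.6,build2600' string."""
    core = text.strip().lstrip("v").split(",")[0].split("-")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiOS version: {text!r}")
    return tuple(int(p) for p in parts)  # type: ignore[return-value]


def assess(version: str) -> dict:
    """Classify one version as fixed, affected, or outside the affected range."""
    v = parse_version(version)
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is not None and v >= fixed:
        status = "fixed"            # branch already carries the fix (e.g. 7.2.11)
    elif AFFECTED_MIN <= v <= AFFECTED_MAX:
        status = "affected"         # inside the advisory range and below the branch fix
    else:
        status = "not_in_affected_range"  # older than 6.4.0 or newer than 7.6.1
    return {"version": ".".join(map(str, v)), "status": status,
            "upgrade_to": ".".join(map(str, fixed)) if fixed else None}


def triage(inventory: dict[str, str]) -> list[dict]:
    """Run assess() over a hostname -> version map."""
    return [{"host": host, **assess(ver)} for host, ver in inventory.items()]


# Constructed sample inventory; hostnames and versions are not real devices.
SAMPLE_INVENTORY = {"fw-edge-01": "v7.4.6,build2600", "fw-dc-02": "7.2.11", "fw-lab-03": "6.2.15"}

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(row)
```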
Update FortiOS to a fixed version that is not within the affected version ranges. Refer to the Fortinet advisory for more details on the fixed versions and upgrade instructions.
CVE-2025-22254 is a vulnerability in FortiOS, FortiProxy, and FortiWeb that allows authenticated read-only admins to gain super-admin privileges via crafted websocket requests.
You are affected if you are running FortiOS 6.4.0-7.6.1, FortiProxy 7.4.0-7.6.1, or FortiWeb 7.4.0-7.6.1.
Upgrade to a patched version of FortiOS, FortiProxy, or FortiWeb as recommended by Fortinet. Check their security advisories for specific version details.
As of June 10, 2025, no public exploits have been released, but the vulnerability's ease of exploitation means active exploitation is possible.
Refer to the official Fortinet security advisory on their website for detailed information and mitigation steps: [https://www.fortinet.com/security/advisory/fortinet-security-advisory/CVE-2025-22254](https://www.fortinet.com/security/advisory/fortinet-security-advisory/CVE-2025-22254)