Platform: fortinet
Component: fortios
Fixed versions
FortiOS: 7.6.2, 7.4.7, 7.2.11, 7.0.17, 6.4.16
FortiProxy: 7.6.2, 7.4.8
FortiWeb: 7.6.2, 7.4.7
CVE-2025-22254 is an Improper Privilege Management vulnerability (CWE-269) in the Node.js websocket module of FortiOS, FortiProxy, and FortiWeb. An authenticated attacker who holds an administrator account with at least read-only permissions can send crafted requests to that module and escalate to super-administrator, which is full control of the device. Affected releases are FortiOS 6.4.0 through 7.6.1, FortiProxy 7.4.0 through 7.6.1, and FortiWeb 7.4.0 through 7.6.1; within each branch, every build before the fixed version listed above is affected, and the fixed build itself is not.
Successful exploitation hands the attacker the super_admin profile, so a read-only account becomes a fully privileged one: firewall policies can be rewritten, new administrators created, stored credentials and traffic logs read, and the appliance used as a foothold to pivot into the networks it protects. The impact is worst where read-only administrator accounts are handed out freely for monitoring, ticketing or SIEM integrations, or third-party access, because each of those accounts is now one request away from full control. The flaw sits in the Node.js websocket module, a reminder that every component of a security appliance has to enforce the same authorization policy as its CLI and GUI.
CVE-2025-22254 was publicly disclosed on June 10, 2025. Fortinet rates the severity Medium. The likelihood of exploitation is currently assessed as low because an attacker first needs a valid administrator login, and no public proof-of-concept had been released at the time of writing; that assessment can change quickly once one appears, since the attack itself is a single crafted request, so track CISA KEV and Fortinet's PSIRT advisories.
Any organization operating FortiOS, FortiProxy, or FortiWeb appliances on a vulnerable release (FortiOS 6.4.0 to 7.6.1, FortiProxy 7.4.0 to 7.6.1, FortiWeb 7.4.0 to 7.6.1, below the fixed build on each branch) is exposed. Exposure is highest where read-only administrator accounts are issued for monitoring, log collection, or limited third-party access, and in multi-tenant or shared hosting deployments where such accounts are held by customers or partners, since each of those accounts is a route to full control of the shared appliance.
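The version ranges above are the whole test for exposure, but across a fleet you want it automated rather than read off a table. The following is an added example (not Fortinet's code) that parses the `Version:` line printed by `get system status` and compares the build against the fixed releases listed on this page; the status output embedded in it is constructed, and the product names are the keys of the table, not anything the CLI prints.

```python
"""Version triage for CVE-2025-22254.

Added example, not Fortinet's code. It takes the text that `get system status`
prints on a FortiOS/FortiProxy/FortiWeb CLI, pulls the version out of the
"Version:" line, and compares it with the fixed releases listed on this page.
The status output below is constructed for illustration.
"""
import re

# First fixed patch level per product and branch, from the fixed-version table.
FIXED = {
    "FortiOS":    {(7, 6): 2, (7, 4): 7, (7, 2): 11, (7, 0): 17, (6, 4): 16},
    "FortiProxy": {(7, 6): 2, (7, 4): 8},
    "FortiWeb":   {(7, 6): 2, (7, 4): 7},
}
# Oldest affected branch per product (FortiOS from 6.4.0, the others from 7.4.0).
FIRST_AFFECTED = {"FortiOS": (6, 4), "FortiProxy": (7, 4), "FortiWeb": (7, 4)}

# Matches the "v7.4.3" token in e.g. "Version: FortiGate-100F v7.4.3,build2573,240425 (GA.F)"
VERSION_RE = re.compile(r"\bv(\d+)\.(\d+)\.(\d+)\b")

# Constructed sample of what `get system status` prints (model, build number
# and hostname are made up).
SAMPLE_STATUS = """\
Version: FortiGate-100F v7.4.3,build2573,240425 (GA.F)
Security Level: 1
Hostname: fw-edge-01
Operation Mode: NAT
"""


def parse_version(status_output: str) -> tuple:
    """Return (major, minor, patch) from the Version: line, or raise if absent."""
    for line in status_output.splitlines():
        if line.strip().startswith("Version:"):
            m = VERSION_RE.search(line)
            if m:
                return tuple(int(x) for x in m.groups())
    raise ValueError("no parsable 'Version:' line in status output")


def is_vulnerable(product: str, version: tuple) -> bool:
    """True if the build is below the fixed release for its branch."""
    major, minor, patch = version
    branch = (major, minor)
    fixed = FIXED[product]
    if branch in fixed:
        return patch < fixed[branch]
    # Branch not in the table: treat it as affected only if it lies inside the
    # published range (oldest affected branch .. newest branch with a fix).
    return FIRST_AFFECTED[product] <= branch <= max(fixed)


def triage(product: str, status_output: str) -> dict:
    """One-shot helper for an inventory script: parse, decide, name the target build."""
    version = parse_version(status_output)
    branch = version[:2]
    fixed_patch = FIXED[product].get(branch)
    return {
        "product": product,
        "running": ".".join(map(str, version)),
        "vulnerable": is_vulnerable(product, version),
        "upgrade_to": f"{branch[0]}.{branch[1]}.{fixed_patch}" if fixed_patch is not None else None,
    }


if __name__ == "__main__":
    print(triage("FortiOS", SAMPLE_STATUS))
```

Feed `triage()` the captured output of `get system status` from each device (over SSH or from your configuration backups) together with the product name, and it returns whether the build is below the fix and which build to move to on the same branch.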
• fortinet: Review the event log (type=event, subtype=system) for logins by read-only administrator accounts from unexpected sources and for configuration-change records (those carrying cfgpath/cfgobj/cfgattr fields) attributed to such accounts, which a correctly enforced read-only profile can never produce. On the CLI, list administrators with their profiles and check that no account issued as read-only now carries super_admin:
show system admin
• linux / server: FortiOS does not write to a host's Windows Security log or systemd journal, so there is nothing to query with Get-WinEvent or journalctl; if the appliance forwards syslog to a collector, search there. Example on an rsyslog collector (the file path is an assumption; use whatever your syslog configuration writes to):
grep -i 'cfgpath="system.admin"' /var/log/fortigate.log
• generic web: no public request pattern exists for this issue and probing a production device's websocket endpoint proves nothing, so verify the running build instead and compare it against the fixed versions above:
get system status
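The detection idea above, that a read-only account must never appear as the author of a configuration change, is easy to run over forwarded logs. The following is an added example (not Fortinet's code) that parses FortiOS-style key=value event records and raises an alert when a write is attributed to a read-only account or when any admin profile is raised to super_admin. The four records are constructed, not captured; the field names (user, ui, action, cfgpath, cfgobj, cfgattr, msg) are the ones FortiOS uses for admin login and configuration-change events, and the account-to-profile map stands in for your approved inventory.

```python
"""Log-based detection of a read-only admin acting with write privileges.

Added example, not Fortinet's code. FortiOS event logs are key=value records;
the field names used here (user, ui, action, cfgpath, cfgobj, cfgattr, msg)
are the ones FortiOS uses for admin login and configuration-change events,
but the four records below are constructed, not captured from a device.
The account-to-profile map is what `show system admin` showed when the
accounts were provisioned. It is the approved state and is deliberately not
refreshed from the device: after a successful escalation the device itself
would report the attacker's account as super_admin.
"""
import shlex

APPROVED_PROFILES = {
    "admin": "super_admin",
    "monitor": "prof_monitor",   # read-only profile issued to the NOC
}
READ_ONLY_PROFILES = {"prof_monitor"}
WRITE_ACTIONS = {"Add", "Edit", "Delete"}

# Constructed sample records (timestamps, addresses and object ids are made up).
SAMPLE_LOGS = [
    'date=2025-05-14 time=10:21:55 type="event" subtype="system" level="information" '
    'logdesc="Admin login successful" user="monitor" ui="GUI(192.0.2.10)" action="login" '
    'status="success" msg="Administrator monitor logged in successfully from https(192.0.2.10)"',
    'date=2025-05-14 time=10:22:01 type="event" subtype="system" level="information" '
    'logdesc="Object attribute configured" user="monitor" ui="GUI(192.0.2.10)" action="Edit" '
    'cfgpath="system.admin" cfgobj="monitor" cfgattr="accprofile[prof_monitor->super_admin]" '
    'msg="Edit system.admin monitor"',
    'date=2025-05-14 time=10:24:30 type="event" subtype="system" level="information" '
    'logdesc="Object configured" user="monitor" ui="GUI(192.0.2.10)" action="Add" '
    'cfgpath="firewall.policy" cfgobj="42" msg="Add firewall.policy 42"',
    'date=2025-05-14 time=11:02:12 type="event" subtype="system" level="information" '
    'logdesc="Object attribute configured" user="admin" ui="ssh(198.51.100.5)" action="Edit" '
    'cfgpath="firewall.policy" cfgobj="7" cfgattr="status[enable->disable]" msg="Edit firewall.policy 7"',
]


def parse_event(line: str) -> dict:
    """Split a key=value record into a dict; quoted values may contain spaces."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def detect(lines, profiles=APPROVED_PROFILES):
    """Return one alert dict per rule hit over the given records."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        user = ev.get("user", "")
        src = ev.get("ui", "")
        # Rule 1: a configuration write attributed to an account that was
        # provisioned read-only. Impossible under a working profile check,
        # so any hit is worth a look.
        if ev.get("action") in WRITE_ACTIONS and profiles.get(user) in READ_ONLY_PROFILES:
            alerts.append({"rule": "write-by-readonly-admin", "user": user, "src": src,
                           "detail": ev.get("msg", "")})
        # Rule 2: any administrator profile raised to super_admin, by anyone.
        if ev.get("cfgpath") == "system.admin" and "->super_admin" in ev.get("cfgattr", ""):
            alerts.append({"rule": "admin-promoted-to-super_admin", "user": user, "src": src,
                           "detail": f'{ev.get("cfgobj", "")}: {ev["cfgattr"]}'})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

Rule 1 is the one that matters for this CVE, because the escalation leaves the attacker's writes attributed to the original read-only account name; rule 2 catches the same event from the other side and also any legitimate but unplanned promotion. Keep the profile map in version control rather than pulling it from the device at scan time.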
Exploit status
EPSS: 0.06% (19th percentile)
The primary fix is to upgrade to the patched FortiOS, FortiProxy, or FortiWeb release listed above for your branch. If patching has to wait, reduce who can reach the management plane and who holds read-only administrator accounts: restrict each administrator account to known source addresses (the trusthost settings under `config system admin`), remove administrative access (https/ssh in the interface's allowaccess list) from internet-facing interfaces, and disable or delete read-only accounts that are no longer needed, since every one of them is a path to super_admin on a vulnerable build. Review the remaining accounts and their profiles, and watch the event log for logins by read-only administrators from unexpected sources and for configuration changes attributed to them. After upgrading, confirm the running build with `get system status`; with no public proof-of-concept there is no safe self-test for the escalation itself, so the version check is the verification.
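The account review above is worth scripting when there are more than a handful of devices. The following is an added example (not Fortinet's code) that parses the config/edit/set/next/end block layout printed by `show system admin` and flags accounts with no trusthost restriction and accounts on a read-only profile. The dump is constructed (account names, the profile name prof_monitor, and the addresses are made up; password lines are omitted).

```python
"""Administrator-account audit from `show system admin` output.

Added example, not Fortinet's code. It parses the config/edit/set/next/end
block layout the FortiOS CLI prints and flags accounts that should be tightened
before the patch is applied: any account without a trusthost restriction, and
any account on a read-only profile, since a read-only account is an escalation
path on a vulnerable build. The dump below is constructed (names, the profile
name and addresses are made up; password lines are omitted).
"""

SAMPLE_DUMP = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "monitor"
        set accprofile "prof_monitor"
        set vdom "root"
    next
    edit "noc-ro"
        set accprofile "prof_monitor"
        set trusthost1 192.0.2.0 255.255.255.0
        set trusthost2 198.51.100.7 255.255.255.255
        set vdom "root"
    next
end
"""

READ_ONLY_PROFILES = {"prof_monitor"}


def parse_admins(dump: str) -> dict:
    """Map admin name -> {'accprofile': str|None, 'trusthosts': [str, ...]}."""
    admins, current = {}, None
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            current = line[len("edit "):].strip().strip('"')
            admins[current] = {"accprofile": None, "trusthosts": []}
        elif line == "next":
            current = None
        elif current is not None and line.startswith("set "):
            parts = line.split(None, 2)            # "set", key, rest of line
            key = parts[1]
            value = parts[2] if len(parts) > 2 else ""
            if key == "accprofile":
                admins[current]["accprofile"] = value.strip('"')
            elif key.startswith("trusthost"):
                admins[current]["trusthosts"].append(value)
    return admins


def audit(admins: dict) -> list:
    """Return (account, finding) pairs for accounts that need attention."""
    findings = []
    for name, acct in admins.items():
        if not acct["trusthosts"]:
            findings.append((name, "no trusthost restriction: any address that reaches "
                                   "the admin interface can try this account"))
        if acct["accprofile"] in READ_ONLY_PROFILES:
            findings.append((name, f"read-only profile {acct['accprofile']}: escalation path "
                                   "until the fixed build is installed; disable if not needed"))
    return findings


if __name__ == "__main__":
    for name, why in audit(parse_admins(SAMPLE_DUMP)):
        print(f"{name}: {why}")
```

The read-only profile name is site-specific; replace the READ_ONLY_PROFILES set with the names of your own profiles whose permissions are all read, which you can confirm with `show system accprofile`.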
Upgrade FortiOS to a fixed version outside the affected ranges. See the Fortinet advisory for details on the fixed versions and upgrade instructions.
CVE-2025-22254 is a vulnerability in FortiOS, FortiProxy, and FortiWeb that allows authenticated read-only admins to gain super-admin privileges via crafted websocket requests.
You are affected if you are running FortiOS 6.4.0-7.6.1, FortiProxy 7.4.0-7.6.1, or FortiWeb 7.4.0-7.6.1.
Upgrade to a patched version of FortiOS, FortiProxy, or FortiWeb as recommended by Fortinet. Check their security advisories for specific version details.
As of June 10, 2025, no public exploits have been released, but the vulnerability's ease of exploitation means active exploitation is possible.
Refer to the official Fortinet security advisory on their website for detailed information and mitigation steps: [https://www.fortinet.com/security/advisory/fortinet-security-advisory/CVE-2025-22254](https://www.fortinet.com/security/advisory/fortinet-security-advisory/CVE-2025-22254)