FortiProxy and FortiOS
CVE-2025-25253
HIGH
Severity by source
AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
An Improper Validation of Certificate with Host Mismatch vulnerability [CWE-297] in FortiProxy version 7.6.1 and below, version 7.4.8 and below, 7.2 all versions, 7.0 all versions and FortiOS version 7.6.2 and below, version 7.4.8 and below, 7.2 all versions, 7.0 all versions ZTNA proxy may allow an unauthenticated attacker in a man-in-the middle position to intercept and tamper with connections to the ZTNA proxy
AnalysisAI
Man-in-the-middle interception is possible against the ZTNA proxy in FortiProxy 7.6.1 and earlier, 7.4.8 and earlier, and all 7.2/7.0 versions, as well as FortiOS 7.6.2 and earlier, 7.4.8 and earlier, and all 7.2/7.0 versions, due to improper certificate-host validation (CWE-297). An adjacent network attacker in a privileged path-position can intercept and tamper with ZTNA proxy connections, undermining a control specifically deployed to enforce zero-trust authentication. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV.
Technical ContextAI
The flaw sits in the ZTNA (Zero Trust Network Access) proxy component shared by Fortinet's FortiProxy gateway and FortiOS (the operating system underpinning FortiGate devices). ZTNA proxies broker authenticated client-to-application sessions and are expected to perform strict TLS certificate validation, including verifying that the certificate presented by the peer matches the expected hostname. CWE-297 (Improper Validation of Certificate with Host Mismatch) means the proxy accepts a TLS certificate even when its subject/SAN does not match the intended host, so a forged or substituted certificate from an unrelated CA-trusted identity is treated as legitimate. Affected CPEs are cpe:2.3:a:fortinet:fortiproxy and cpe:2.3:o:fortinet:fortios across the version ranges enumerated by the vendor advisory FG-IR-24-457, and Siemens has cross-published an advisory (SSA-864900) indicating downstream exposure in industrial deployments that embed these Fortinet products.
RemediationAI
Patch available per vendor advisory FG-IR-24-457 - upgrade FortiProxy past 7.6.1 and 7.4.8 (and migrate off the still-vulnerable 7.2.x and 7.0.x branches, which require moving to a supported fixed train as exact fix versions for those legacy branches were not enumerated in the input data), and upgrade FortiOS past 7.6.2 and 7.4.8 with the same migration requirement for 7.2.x and 7.0.x; consult https://fortiguard.fortinet.com/psirt/FG-IR-24-457 for the exact fixed build numbers applicable to your branch. Siemens-managed deployments should also follow the guidance in https://cert-portal.siemens.com/productcert/html/ssa-864900.html. As compensating controls until patching is complete, consider disabling the ZTNA proxy feature where it is not strictly required (trade-off: loss of zero-trust access enforcement for any applications that depend on it), terminating ZTNA proxy traffic only over network paths you administratively control to deny the adjacent-network position required by AV:A (trade-off: reduced flexibility for remote users on untrusted segments), and tightening certificate pinning or restricting trusted issuers on ZTNA endpoints where the feature supports it (trade-off: increased certificate lifecycle management overhead).
More in Fortiproxy
View allFortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote
FortiOS and FortiProxy contain an authentication bypass allowing unauthenticated attackers with knowledge of upstream/do
Arbitrary file write and folder deletion in Fortinet FortiManager, FortiOS, and FortiProxy is possible via a path traver
An authentication bypass using an alternate path or channel [CWE-288] in Fortinet FortiOS version 7.2.0 through 7.2.1 an
A out-of-bounds write in Fortinet FortiOS versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through 7.0.13, 6.4.0
A buffer underwrite ('buffer underflow') vulnerability in the administrative interface of Fortinet FortiOS version 7.2.0
A out-of-bounds write vulnerability in Fortinet FortiOS 7.4.0 through 7.4.1, FortiOS 7.2.0 through 7.2.5, FortiOS 7.0.0
A missing authentication for critical function in Fortinet FortiManager version 7.4.0 through 7.4.2, 7.2.0 through 7.2.4
A use of externally-controlled format string in Fortinet FortiOS versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.
A stack-based overflow vulnerability [CWE-124] in Fortinet FortiOS version 7.0.0 through 7.0.10 and 7.2.0 through 7.2.3
A heap-based buffer overflow vulnerability [CWE-122] in FortiOS version 7.2.4 and below, version 7.0.11 and below, versi
An authentication bypass by assumed-immutable data vulnerability [CWE-302] in the FortiOS SSH login component 7.2.0, 7.0
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today