Skip to main content

FortiProxy and FortiOS CVE-2025-25253

HIGH
Improper Validation of Certificate with Host Mismatch (CWE-297)
2025-10-14 psirt@fortinet.com
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Adjacent
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jun 09, 2026 - 10:30 vuln.today
CVE Published
Oct 14, 2025 - 16:15 nvd
HIGH 7.5

DescriptionCVE.org

An Improper Validation of Certificate with Host Mismatch vulnerability [CWE-297] in FortiProxy version 7.6.1 and below, version 7.4.8 and below, 7.2 all versions, 7.0 all versions and FortiOS version 7.6.2 and below, version 7.4.8 and below, 7.2 all versions, 7.0 all versions ZTNA proxy may allow an unauthenticated attacker in a man-in-the middle position to intercept and tamper with connections to the ZTNA proxy

AnalysisAI

Man-in-the-middle interception is possible against the ZTNA proxy in FortiProxy 7.6.1 and earlier, 7.4.8 and earlier, and all 7.2/7.0 versions, as well as FortiOS 7.6.2 and earlier, 7.4.8 and earlier, and all 7.2/7.0 versions, due to improper certificate-host validation (CWE-297). An adjacent network attacker in a privileged path-position can intercept and tamper with ZTNA proxy connections, undermining a control specifically deployed to enforce zero-trust authentication. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV.

Technical ContextAI

The flaw sits in the ZTNA (Zero Trust Network Access) proxy component shared by Fortinet's FortiProxy gateway and FortiOS (the operating system underpinning FortiGate devices). ZTNA proxies broker authenticated client-to-application sessions and are expected to perform strict TLS certificate validation, including verifying that the certificate presented by the peer matches the expected hostname. CWE-297 (Improper Validation of Certificate with Host Mismatch) means the proxy accepts a TLS certificate even when its subject/SAN does not match the intended host, so a forged or substituted certificate from an unrelated CA-trusted identity is treated as legitimate. Affected CPEs are cpe:2.3:a:fortinet:fortiproxy and cpe:2.3:o:fortinet:fortios across the version ranges enumerated by the vendor advisory FG-IR-24-457, and Siemens has cross-published an advisory (SSA-864900) indicating downstream exposure in industrial deployments that embed these Fortinet products.

RemediationAI

Patch available per vendor advisory FG-IR-24-457 - upgrade FortiProxy past 7.6.1 and 7.4.8 (and migrate off the still-vulnerable 7.2.x and 7.0.x branches, which require moving to a supported fixed train as exact fix versions for those legacy branches were not enumerated in the input data), and upgrade FortiOS past 7.6.2 and 7.4.8 with the same migration requirement for 7.2.x and 7.0.x; consult https://fortiguard.fortinet.com/psirt/FG-IR-24-457 for the exact fixed build numbers applicable to your branch. Siemens-managed deployments should also follow the guidance in https://cert-portal.siemens.com/productcert/html/ssa-864900.html. As compensating controls until patching is complete, consider disabling the ZTNA proxy feature where it is not strictly required (trade-off: loss of zero-trust access enforcement for any applications that depend on it), terminating ZTNA proxy traffic only over network paths you administratively control to deny the adjacent-network position required by AV:A (trade-off: reduced flexibility for remote users on untrusted segments), and tightening certificate pinning or restricting trusted issuers on ZTNA endpoints where the feature supports it (trade-off: increased certificate lifecycle management overhead).

CVE-2024-55591 CRITICAL POC
9.8 Jan 14

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote

CVE-2025-24472 HIGH
8.1 Feb 11

FortiOS and FortiProxy contain an authentication bypass allowing unauthenticated attackers with knowledge of upstream/do

CVE-2024-48884 CRITICAL
9.1 Jan 14

Arbitrary file write and folder deletion in Fortinet FortiManager, FortiOS, and FortiProxy is possible via a path traver

CVE-2022-40684 CRITICAL POC
9.8 Oct 18

An authentication bypass using an alternate path or channel [CWE-288] in Fortinet FortiOS version 7.2.0 through 7.2.1 an

CVE-2024-21762 CRITICAL POC
9.8 Feb 09

A out-of-bounds write in Fortinet FortiOS versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through 7.0.13, 6.4.0

CVE-2023-25610 CRITICAL
9.8 Mar 24

A buffer underwrite ('buffer underflow') vulnerability in the administrative interface of Fortinet FortiOS version 7.2.0

CVE-2023-42789 CRITICAL
9.8 Mar 12

A out-of-bounds write vulnerability in Fortinet FortiOS 7.4.0 through 7.4.1, FortiOS 7.2.0 through 7.2.5, FortiOS 7.0.0

CVE-2024-26011 CRITICAL
9.8 Nov 12

A missing authentication for critical function in Fortinet FortiManager version 7.4.0 through 7.4.2, 7.2.0 through 7.2.4

CVE-2024-23113 CRITICAL
9.8 Feb 15

A use of externally-controlled format string in Fortinet FortiOS versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.

CVE-2023-33308 CRITICAL
9.8 Jul 26

A stack-based overflow vulnerability [CWE-124] in Fortinet FortiOS version 7.0.0 through 7.0.10 and 7.2.0 through 7.2.3

CVE-2023-27997 CRITICAL
9.8 Jun 13

A heap-based buffer overflow vulnerability [CWE-122] in FortiOS version 7.2.4 and below, version 7.0.11 and below, versi

CVE-2022-35843 CRITICAL
9.8 Dec 06

An authentication bypass by assumed-immutable data vulnerability [CWE-302] in the FortiOS SSH login component 7.2.0, 7.0

Share

CVE-2025-25253 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy