CVE-2025-22251: 
FortiOS vulnerability analysis and mitigation

An improper restriction of communication channel to intended endpoints vulnerability (CVE-2025-22251) was discovered in FortiOS. The vulnerability was internally discovered and reported by Greg Foletta of the Fortinet team and was initially published on June 10, 2025. The vulnerability affects multiple versions of FortiOS including 7.6.0, 7.4.0 through 7.4.5, and all versions of 7.2, 7.0, and 6.4 (Fortiguard PSIRT).

The vulnerability is classified as CWE-923 (Improper Restriction of Communication Channel to Intended Endpoints) and has been assigned a CVSSv3.1 base score of 3.1 LOW with the vector string CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N. This indicates that the vulnerability requires adjacent network access, has high attack complexity, requires no privileges or user interaction, has unchanged scope, and can only impact integrity at a low level (NVD).

The vulnerability may allow an unauthenticated attacker to inject unauthorized sessions via crafted FGSP (FortiGate Session Protocol) session synchronization packets. The impact is primarily limited to integrity with no confidentiality or availability impacts (Fortiguard PSIRT).

Fortinet has released patches for affected versions and recommends upgrading to FortiOS 7.6.1 or above for 7.6 branch, and 7.4.6 or above for 7.4 branch. For versions 7.2, 7.0, and 6.4, users should migrate to a fixed release. As a workaround, administrators can create local-in policies to restrict access to port 708 only on FGSP session synchronization interface and to peers IP (Fortiguard PSIRT).