
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
A critical authentication bypass vulnerability (CVE-2025-22252) was discovered in FortiOS, FortiProxy, and FortiSwitchManager products. The vulnerability affects systems configured to use TACACS+ with ASCII authentication on remote TACACS+ servers. It was initially disclosed on May 13, 2025, and received a Critical severity rating with a CVSSv3 score of 9.0. The affected versions include FortiOS 7.6.0 and 7.4.4-7.4.6, FortiProxy 7.6.0-7.6.1, and FortiSwitchManager 7.2.5 (Fortiguard PSIRT).
The vulnerability is classified as Missing Authentication for Critical Function (CWE-306). When TACACS+ is configured to use a remote TACACS+ server with ASCII authentication enabled, the system becomes vulnerable to authentication bypass. The vulnerability specifically affects the GUI component of the affected products. Notably, configurations using the PAP, MSCHAP, and CHAP authentication methods are not impacted (Fortiguard PSIRT).
If successfully exploited, this vulnerability allows an attacker who knows the name of an existing admin account to bypass authentication and access the device with that account's administrative privileges. This is a significant privilege-escalation scenario that could compromise the security of the affected systems (Fortiguard PSIRT).
Fortinet has released patches for all affected versions and recommends upgrading to FortiOS 7.6.1 or above, FortiProxy 7.6.2 or above, and FortiSwitchManager 7.2.6 or above. As a workaround, administrators can configure an alternate authentication method by setting authen-type to pap, mschap, or chap, or by unsetting the authen-type parameter. The upgrade path can be determined using Fortinet's upgrade tool (Fortiguard PSIRT).
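As an added defensive check, not code from the advisory or from Wiz: a small Python script that parses a FortiOS-style `config user tacacs+` block and reports entries that still use `authen-type ascii` on a build listed above. The affected-version table is taken from the advisory text; the configuration sample and the IP addresses in it are constructed, and the assumption that unset or pap/mschap/chap entries need no further action follows the workaround stated above.

```python
# Affected version ranges from the advisory above (inclusive); other builds are not listed.
AFFECTED = {
    "FortiOS": [("7.6.0", "7.6.0"), ("7.4.4", "7.4.6")],
    "FortiProxy": [("7.6.0", "7.6.1")],
    "FortiSwitchManager": [("7.2.5", "7.2.5")],
}
def _ver(s):
    # "7.4.10" -> (7, 4, 10) so ranges compare numerically, not as strings
    return tuple(int(p) for p in s.split("."))
def version_affected(product, version):
    return any(_ver(lo) <= _ver(version) <= _ver(hi)
               for lo, hi in AFFECTED.get(product, []))
def parse_tacacs_servers(cfg_text):
    # Parse the "config user tacacs+" block into {entry_name: {setting: value}}
    servers, current, in_block = {}, None, False
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if line == "config user tacacs+":
            in_block = True
        elif not in_block:
            continue
        elif line == "end":
            in_block = False
        elif line.startswith("edit "):
            current = line[5:].strip().strip('"')
            servers[current] = {}
        elif line == "next":
            current = None
        elif current is not None and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            servers[current][key] = value.strip().strip('"')
    return servers
def exposed_entries(product, version, cfg_text):
    # Entries on an affected build still using ASCII auth; pap/mschap/chap or an
    # unset authen-type (the advisory's workaround) are not reported.
    if not version_affected(product, version):
        return []
    return [name for name, s in parse_tacacs_servers(cfg_text).items()
            if s.get("authen-type") == "ascii"]
# Constructed sample config: one entry still on ASCII, one switched to PAP.
SAMPLE_CFG = """\
config user tacacs+
    edit "tacacs-primary"
        set server "192.0.2.10"
        set authen-type ascii
    next
    edit "tacacs-backup"
        set authen-type pap
    next
end
"""
```

Run `exposed_entries("FortiOS", "7.4.5", SAMPLE_CFG)` against a device's exported configuration to get the list of TACACS+ entries that still need the workaround or the upgrade.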
The vulnerability was responsibly disclosed by security researchers Cam B from Vital and Matheus Maia from NBS Telecom. Fortinet acknowledged their contribution in identifying and reporting this security issue (Fortiguard PSIRT).
Source: This report was generated using AI