CVE-2025-22252: 
FortiOS vulnerability analysis and mitigation

A critical authentication bypass vulnerability (CVE-2025-22252) was discovered in Fortinet products, specifically affecting FortiOS versions 7.4.4 through 7.4.6 and 7.6.0, FortiProxy versions 7.6.0 through 7.6.1, and FortiSwitchManager version 7.2.5. The vulnerability was initially disclosed on May 13, 2025, and involves a missing authentication mechanism for critical functions in TACACS+ configurations using ASCII authentication. This security flaw could potentially allow an attacker with knowledge of an existing admin account to bypass authentication and access the device with administrative privileges (Fortinet Advisory, NVD).

The vulnerability is classified as a 'Missing Authentication for Critical Function' (CWE-306) that specifically affects TACACS+ configurations when using ASCII authentication with remote TACACS+ servers. The severity of this vulnerability is rated as Critical with a CVSSv3 score of 9.0 according to Fortinet, while the NVD assessment rates it at 7.2 (HIGH). This discrepancy in scoring reflects different interpretations of the attack complexity and required privileges. The vulnerability is specifically limited to configurations where ASCII authentication is used, while PAP, MSCHAP, and CHAP authentication methods are not affected (Fortinet Advisory).

The successful exploitation of this vulnerability could lead to a significant security breach, allowing attackers to gain unauthorized administrative access to affected devices. This could result in complete system compromise and privilege escalation, potentially enabling attackers to take full control of the affected systems (Fortinet Advisory).

Fortinet has released patches to address this vulnerability and recommends upgrading to the following versions: FortiOS 7.6.1 or above for 7.6 branch, FortiOS 7.4.7 or above for 7.4 branch, FortiProxy 7.6.2 or above, and FortiSwitchManager 7.2.6 or above. As a temporary workaround, administrators can use alternate authentication methods such as PAP, MSCHAP, or CHAP, or unset the authentication type in the TACACS+ configuration. By default, when 'authen-type' is set to 'auto', ASCII authentication is not used and therefore not vulnerable (Fortinet Advisory).

The vulnerability was responsibly disclosed by security researchers Cam B from Vital and Matheus Maia from NBS Telecom. Fortinet has acknowledged their contribution in identifying and reporting this security issue (Fortinet Advisory).