CVE-2025-22254: 
FortiOS vulnerability analysis and mitigation

An Improper Privilege Management vulnerability (CVE-2025-22254) was discovered in Fortinet products, specifically affecting FortiOS, FortiProxy, and FortiWeb. The vulnerability was disclosed on June 10, 2025, and received a CVSSv3 score of 6.5 (Medium severity). The affected systems include multiple versions of FortiOS (6.4.0-7.6.1), FortiProxy (7.4.0-7.6.1), and FortiWeb (7.4.0-7.6.1) (Fortinet PSIRT, NVD).

The vulnerability is classified as an Improper Privilege Management issue (CWE-269) in the GUI websocket module. It specifically involves the Node.js websocket module, where authenticated users with read-only admin permissions can potentially execute crafted requests to elevate their privileges. The vulnerability received a CVSS v3.1 Base Score of 6.6 MEDIUM with the vector string CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H (Fortinet PSIRT, NVD).

The primary impact of this vulnerability is the potential for privilege escalation. An authenticated attacker with at least read-only admin permissions can potentially gain super-admin privileges in the affected systems. This elevation of privileges could give attackers full control over the affected Fortinet devices (Fortinet PSIRT).

Fortinet has released patches for all affected versions. Users should upgrade to the following versions: FortiOS - version 7.6.2 or above, 7.4.7 or above, 7.2.11 or above, 7.0.17 or above, or 6.4.16 or above; FortiProxy - version 7.6.2 or above or 7.4.8 or above; FortiWeb - version 7.6.2 or above or 7.4.7 or above. Additionally, a virtual patch named 'FortiOS.NodeJS.Websocket.Authentication.Bypass' is available in FMWP db update 25.014 (Fortinet PSIRT).