Fortinet Devices Exposed by Critical Authentication Bypass


VTA-004515 – Fortinet Devices Exposed by Critical Authentication Bypass

A severe security flaw in multiple Fortinet products allows attackers to bypass authentication and gain administrative access to vulnerable systems. The vulnerability, identified as CVE-2025-22252, affects FortiOS, FortiProxy, and FortiSwitchManager when configured with TACACS+ ASCII authentication.

Attackers exploiting this flaw can impersonate legitimate administrators without needing valid credentials, granting them full control over affected devices. Researchers said this poses a major risk as compromised systems could lead to further network breaches, data theft, or service disruptions.

Affected versions include:
FortiOS 7.6.0, 7.4.4 to 7.4.6
FortiProxy 7.6.0 to 7.6.1
FortiSwitchManager 7.2.5

Patched versions are available, and organizations are urged to update immediately. For those unable to patch, switching to alternative authentication methods like PAP, MSCHAP, or CHAP is recommended.

Severity:
Medium

Attack Surface:
Endpoint, Infrastructure, Remote Access Service, Server OS, System Management Service

Tactics:
Defense Evasion, Initial Access, Lateral Movement, Privilege Escalation

Techniques:
T1068 – Exploitation for Privilege Escalation
T1210 – Exploitation of Remote Services
T1078 – Valid Accounts
T1548 – Abuse Elevation Control Mechanism

References:
1. https://fortiguard.fortinet.com/psirt/FG-IR-24-472

SuperPRO’s Threat Countermeasures Procedures:
1. Immediately upgrade to FortiOS 7.6.1, 7.4.7 or later.
2. Update FortiProxy to version 7.6.2 or above.
3. Patch FortiSwitchManager to version 7.2.6 or higher.
4. Replace TACACS+ ASCII authentication with PAP, MSCHAP, or CHAP if patching is delayed.
5. Monitor network traffic for unusual admin login attempts.
6. Restrict access to management interfaces to trusted IP addresses only.
7. Review and audit administrative accounts for unauthorized changes.
8. Apply multi-factor authentication (MFA) where possible to add an extra security layer.
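
To prioritise steps 1 to 4, the following added example (not part of the original advisory or any Fortinet tooling) triages a device inventory against the affected and fixed versions listed above and flags devices that run an affected build with TACACS+ ASCII authentication. The CSV layout, column names, host names and sample rows are constructed assumptions for illustration.

```python
import csv
import io

# Affected ranges (inclusive) and first fixed release, taken from the advisory text.
AFFECTED = {
    "FortiOS": [((7, 6, 0), (7, 6, 0), "7.6.1"), ((7, 4, 4), (7, 4, 6), "7.4.7")],
    "FortiProxy": [((7, 6, 0), (7, 6, 1), "7.6.2")],
    "FortiSwitchManager": [((7, 2, 5), (7, 2, 5), "7.2.6")],
}

# Constructed inventory export; the column names are assumptions for this example.
SAMPLE_INVENTORY = """host,product,version,tacacs_authen
fw-edge-01,FortiOS,7.4.5,ascii
fw-edge-02,FortiOS,7.4.7,ascii
fw-lab-03,FortiOS,7.6.0,pap
proxy-01,FortiProxy,7.6.1,ASCII
swmgr-01,FortiSwitchManager,7.2.5,
fw-old-04,FortiOS,v7.4.4 build0000,ascii
"""

def parse_version(text):
    """Turn '7.4.5' or 'v7.4.4 build0000' into (7, 4, 5); None if unparseable."""
    token = (text.strip().lstrip("vV").split() or [""])[0]
    parts = token.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def triage(inventory_csv):
    """Return {host: (status, fixed_version)} for each inventory row."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        version = parse_version(row["version"])
        if version is None:
            results[row["host"]] = ("unknown-version", None)
            continue
        fixed = next((fix for low, high, fix in AFFECTED.get(row["product"], [])
                      if low <= version <= high), None)
        if fixed is None:
            status = "not-affected-version"
        elif (row["tacacs_authen"] or "").strip().lower() == "ascii":
            status = "exposed"            # affected build + TACACS+ ASCII
        else:
            status = "patch-recommended"  # affected build, ASCII not in use
        results[row["host"]] = (status, fixed)
    return results

if __name__ == "__main__":
    for host, (status, fixed) in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status:22} fixed in: {fixed or '-'}")
```

Rows reported as `unknown-version` need a manual check rather than being treated as safe.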

Contributed by: Fatini