CVE-2025-22251 Overview
CVE-2025-22251 affects multiple versions of Fortinet FortiOS and involves an improper restriction of communication channel to intended endpoints [CWE-923]. The flaw resides in the FortiGate Session Life Support Protocol (FGSP) session synchronization component. An unauthenticated remote attacker can inject unauthorized sessions by sending crafted FGSP synchronization packets to a vulnerable device. The vulnerability carries a CVSS score of 5.3 and impacts integrity without requiring authentication or user interaction. Affected releases include FortiOS 7.6.0, 7.4.0 through 7.4.5, and all versions in the 7.2, 7.0, and 6.4 branches.
Critical Impact
Unauthenticated attackers can inject session state into FortiOS clusters through crafted FGSP packets, potentially altering routing or session tables without any credentials.
Affected Products
- Fortinet FortiOS 7.6.0
- Fortinet FortiOS 7.4.0 through 7.4.5
- Fortinet FortiOS 7.2, 7.0, and 6.4 (all versions)
Discovery Timeline
- 2025-06-10 - CVE-2025-22251 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-22251
Vulnerability Analysis
The vulnerability originates in the FGSP implementation used by FortiOS to synchronize session tables between clustered FortiGate appliances. FGSP replicates active session state so that peer devices can transparently take over traffic during failover. The affected implementation does not sufficiently restrict which endpoints may participate in the synchronization channel, categorized under CWE-923 (Improper Restriction of Communication Channel to Intended Endpoints).
Because the synchronization channel accepts crafted packets from unintended peers, an attacker with network reachability to the FGSP listener can inject arbitrary session entries. Injected sessions may bypass firewall policy decisions by making the firewall believe traffic belongs to an already-established, sanctioned flow. The CVSS vector indicates integrity impact only, with no direct effect on confidentiality or availability.
Root Cause
The root cause is missing or insufficient validation of the source of FGSP session synchronization packets. FortiOS trusted the FGSP channel as an internal communication path without enforcing strict authentication or peer identity verification for incoming synchronization messages.
Attack Vector
Exploitation requires network access to the FGSP synchronization interface of a vulnerable FortiGate device. The attacker crafts FGSP packets that mimic legitimate peer traffic and directs them at the target. On processing, FortiOS accepts the packets as valid synchronization data and installs attacker-defined session entries. No authentication, user interaction, or elevated privileges are required.
No public proof-of-concept exploit has been published, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The EPSS score is 0.337% (25.66th percentile) as of 2026-07-07.
Detection Methods for CVE-2025-22251
Indicators of Compromise
- Unexpected FGSP session synchronization traffic originating from hosts that are not configured cluster peers.
- Session table entries on FortiGate devices that do not correspond to observed policy matches or logged connection setups.
- Anomalous traffic flows traversing the firewall that appear to bypass expected policy enforcement.
Detection Strategies
- Inspect FortiOS session tables using diagnose sys session list and compare against expected traffic baselines for unexplained entries.
- Monitor network segments carrying FGSP traffic for packets sourced from IP addresses outside the sanctioned cluster peer list.
- Correlate firewall policy hit counters with session table growth to identify sessions that were not created through normal policy evaluation.
Monitoring Recommendations
- Forward FortiOS event and traffic logs to a centralized analytics platform for continuous review of session anomalies.
- Alert on FGSP-related log entries referencing unknown or unauthorized peer identifiers.
- Track configuration changes to HA and FGSP peer settings to detect unauthorized modifications.
How to Mitigate CVE-2025-22251
Immediate Actions Required
- Apply the fixed FortiOS releases identified in Fortinet Security Advisory FG-IR-24-287.
- Restrict network reachability to FGSP synchronization interfaces so only authorized cluster peers can send packets to them.
- Audit existing FGSP peer configurations and remove any entries that are no longer required.
Patch Information
Fortinet has published remediation guidance in advisory FG-IR-24-287. Administrators should upgrade FortiOS to the fixed versions listed by Fortinet for each affected branch. Refer to the Fortinet Security Advisory FG-IR-24-287 for exact patched version numbers and upgrade paths.
Workarounds
- Isolate FGSP synchronization traffic on a dedicated, physically or logically segmented management network unreachable from user or internet segments.
- Apply firewall or access control lists on upstream infrastructure to permit FGSP traffic only between known cluster peer addresses.
- Where FGSP is not required, disable the feature until affected devices can be upgraded.
# Example: restrict FGSP peer configuration to explicit trusted addresses
config system cluster-sync
edit 1
set peerip <trusted_peer_ip>
set syncvd <vdom_name>
next
end
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

