The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • AI Data Pipelines
      Security Data Pipeline for AI SIEM and Data Optimization
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2025-22252

CVE-2025-22252: Fortinet FortiProxy Auth Bypass Vulnerability

CVE-2025-22252 is an authentication bypass flaw in Fortinet FortiProxy that allows attackers with knowledge of admin accounts to gain unauthorized access. This article covers technical details, affected versions, and mitigation.

Updated: May 14, 2026

CVE-2025-22252 Overview

CVE-2025-22252 is a missing authentication for critical function vulnerability [CWE-306] affecting multiple Fortinet products. The flaw exists in FortiProxy versions 7.6.0 through 7.6.1, FortiSwitchManager version 7.2.5, and FortiOS versions 7.4.4 through 7.4.6 and 7.6.0. An attacker with knowledge of an existing admin account name can bypass authentication and access the device with valid administrator privileges. The vulnerability requires no user interaction and is exploitable over the network. Fortinet published the advisory FG-IR-24-472 on May 28, 2025.

Critical Impact

Successful exploitation grants full administrative access to affected Fortinet appliances, enabling configuration tampering, traffic interception, and pivoting into protected network segments.

Affected Products

  • Fortinet FortiProxy versions 7.6.0 through 7.6.1
  • Fortinet FortiSwitchManager version 7.2.5
  • Fortinet FortiOS versions 7.4.4 through 7.4.6 and version 7.6.0

Discovery Timeline

  • 2025-05-28 - CVE-2025-22252 published to NVD
  • 2025-06-04 - Last updated in NVD database

Technical Details for CVE-2025-22252

Vulnerability Analysis

The vulnerability stems from a missing authentication check on a critical function within FortiOS, FortiProxy, and FortiSwitchManager. Affected builds fail to enforce credential validation for an administrative code path. An attacker who knows the name of an existing administrator account can present that identity and receive a valid administrative session without supplying valid credentials.

The weakness maps to [CWE-306] (Missing Authentication for Critical Function). The vulnerability is network-reachable wherever the management interface is exposed, including HTTPS administration, SSH, or API endpoints. Successful exploitation results in full compromise of confidentiality, integrity, and availability of the appliance.

Root Cause

A critical administrative function does not perform an authentication check before granting session privileges tied to the supplied admin account. The code path treats knowledge of a valid administrator username as sufficient proof of identity. This bypasses password, certificate, and multi-factor controls configured on the appliance.

Attack Vector

The attacker must reach the management interface of an affected device over the network and must know or guess a valid administrator account name. Default account names such as admin are common starting points. Once the attacker triggers the vulnerable code path, the appliance returns an authenticated administrator session. From that position, the attacker can modify firewall policies, create persistent accounts, export configuration, inspect VPN traffic, and disable logging.

No public proof-of-concept exploit code is currently available. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog at the time of publication. Refer to the Fortinet Security Advisory FG-IR-24-472 for vendor technical detail.

Detection Methods for CVE-2025-22252

Indicators of Compromise

  • Administrator logins to FortiOS, FortiProxy, or FortiSwitchManager from unexpected source IPs, geographies, or at unusual hours.
  • Creation of new administrator accounts, modification of existing admin profiles, or changes to trusted host lists without a corresponding change ticket.
  • Disabled or modified logging configuration, syslog destinations, or audit settings shortly after an admin session.
  • Unexpected configuration changes to firewall policies, VPN settings, or routing tables that align with reconnaissance or persistence behavior.

Detection Strategies

  • Audit event log and admin log categories on affected appliances for successful admin logins that lack a corresponding authentication record or originate from unauthorized networks.
  • Correlate management plane authentication events with network flow data to detect access attempts to the administrative interface from non-management subnets.
  • Compare running configuration against a known-good baseline to identify unauthorized administrative modifications.

Monitoring Recommendations

  • Forward FortiOS, FortiProxy, and FortiSwitchManager logs to a centralized SIEM and alert on admin authentication anomalies.
  • Monitor for outbound connections from the appliance to unknown destinations, which can indicate post-compromise command and control.
  • Track configuration change events and require ticket correlation for any administrative modification.

How to Mitigate CVE-2025-22252

Immediate Actions Required

  • Upgrade affected appliances to fixed versions as specified in Fortinet Security Advisory FG-IR-24-472.
  • Restrict management interface exposure so that administrative services are reachable only from dedicated management networks or VPN.
  • Rotate all administrator credentials and review the administrator account list, removing unused or unknown accounts.
  • Review configuration backups taken before and after the disclosure window for unauthorized changes.

Patch Information

Fortinet has released fixed versions for FortiOS, FortiProxy, and FortiSwitchManager. Administrators should consult Fortinet Security Advisory FG-IR-24-472 for the specific patched build numbers that correspond to each affected product line and apply the upgrade through the standard Fortinet update process.

Workarounds

  • Limit administrative access using trusthost configuration entries so that admin accounts can only authenticate from approved IP ranges.
  • Disable HTTP and HTTPS administrative access on internet-facing interfaces and require VPN access for management.
  • Rename default administrator account names to reduce the attacker's ability to guess valid usernames required by this bypass.
bash
# Restrict admin account to specific management network (FortiOS CLI)
config system admin
    edit "admin"
        set trusthost1 10.10.0.0 255.255.255.0
        set trusthost2 0.0.0.0 0.0.0.0
    next
end

# Disable HTTP/HTTPS admin access on WAN interface
config system interface
    edit "wan1"
        unset allowaccess
        set allowaccess ping
    next
end

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeAuth Bypass
  • Vendor/TechFortinet Fortiproxy
  • SeverityHIGH
  • CVSS Score7.2
  • EPSS Probability0.24%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityHigh
  • CWE References
  • CWE-306
  • Vendor Resources
  • Fortinet Security Advisory FG-IR-24-472
  • Related CVEs
  • CVE-2024-55591: Fortinet FortiProxy Auth Bypass Vulnerability
  • CVE-2025-24472: Fortinet FortiProxy Auth Bypass Vulnerability
  • CVE-2023-41677: Fortinet FortiProxy Auth Bypass Vulnerability
  • CVE-2024-23112: Fortinet FortiProxy Auth Bypass Vulnerability
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English