CVE-2025-22254: Fortinet FortiOS Privilege Escalation

CVE-2025-22254 is a privilege escalation vulnerability in Fortinet FortiOS that allows authenticated attackers to gain super-admin access. This article covers the technical details, affected versions, and mitigation.

Published: April 15, 2026

CVE-2025-22254 Overview

CVE-2025-22254 is an Improper Privilege Management vulnerability (CWE-269) affecting multiple Fortinet products including FortiOS, FortiProxy, and FortiWeb. This privilege escalation flaw allows an authenticated attacker with at least read-only admin permissions to gain super-admin privileges via crafted requests to the Node.js websocket module. The vulnerability affects network security appliances commonly deployed at enterprise perimeters, making it a significant concern for organizations relying on Fortinet infrastructure.

Critical Impact

Authenticated attackers can escalate from read-only admin to super-admin privileges, potentially gaining complete control over Fortinet security appliances and compromising entire network security infrastructure.

Affected Products

  • Fortinet FortiOS versions 7.6.0 through 7.6.1, 7.4.0 through 7.4.6, 7.2.0 through 7.2.10, 7.0.0 through 7.0.16, and 6.4.0 through 6.4.15
  • Fortinet FortiProxy versions 7.6.0 through 7.6.1 and 7.4.0 through 7.4.7
  • Fortinet FortiWeb versions 7.6.0 through 7.6.1 and 7.4.0 through 7.4.6

Discovery Timeline

  • 2025-06-10 - CVE-2025-22254 published to NVD
  • 2026-01-14 - Last updated in NVD database

Technical Details for CVE-2025-22254

Vulnerability Analysis

This Improper Privilege Management vulnerability exists within the Node.js websocket module used by Fortinet's management interfaces. The flaw stems from insufficient privilege validation when processing websocket requests, allowing authenticated users with limited administrative access to manipulate their privilege context. An attacker with read-only administrative credentials can craft specific websocket requests that bypass the intended privilege boundaries, resulting in unauthorized elevation to super-admin status.

The attack is network-accessible and requires no user interaction, so it can be carried out remotely once an attacker holds basic administrative credentials. The high-privilege prerequisite (an existing read-only admin account) narrows the attack surface compared to unauthenticated vulnerabilities, but the ability to escalate to super-admin still represents a significant security breach for affected deployments.

Root Cause

The vulnerability originates from improper privilege management in the Node.js websocket module implementation. The affected code fails to properly validate and enforce privilege boundaries when handling websocket communications, allowing privilege context manipulation. This architectural weakness enables authenticated users to bypass role-based access controls and assume elevated privileges beyond their authorized scope.

Attack Vector

The attack leverages network-based access to the Fortinet device management interface. An attacker must first obtain valid administrative credentials with at least read-only permissions. Once authenticated, the attacker sends specially crafted requests to the Node.js websocket module. These malicious requests exploit the improper privilege management to escalate the attacker's session from read-only admin to super-admin privileges.

The vulnerability enables full confidentiality, integrity, and availability impact on the affected system. With super-admin access, an attacker could modify firewall rules, disable security features, exfiltrate configurations, create backdoor accounts, or pivot to attack other network resources protected by the compromised appliance.

Detection Methods for CVE-2025-22254

Indicators of Compromise

  • Unusual websocket activity patterns to Fortinet management interfaces, particularly from accounts with read-only privileges
  • Unexpected privilege escalation events or super-admin actions performed by accounts originally provisioned with limited permissions
  • Anomalous session behavior where read-only admin accounts execute configuration changes or administrative commands
  • Log entries showing administrative actions inconsistent with assigned user roles

Detection Strategies

  • Monitor Fortinet device logs for privilege escalation events and cross-reference with authorized user role assignments
  • Implement network traffic analysis to detect unusual websocket communication patterns to management interfaces
  • Configure SIEM rules to alert on administrative actions performed by accounts that should have read-only access
  • Audit user account permissions regularly and flag any discrepancies between assigned roles and observed actions

Monitoring Recommendations

  • Enable comprehensive logging on all Fortinet devices and centralize logs for correlation and analysis
  • Implement real-time alerting for any super-admin privilege assignments or escalations
  • Monitor websocket connections to management interfaces for abnormal request patterns or payloads
  • Review administrative access logs daily for suspicious activity, particularly focusing on read-only admin accounts
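The Detection Strategies and Monitoring Recommendations above both reduce to one check: compare what an administrator account actually did against the role it was provisioned with. The following added example (not code from the page, SentinelOne or Fortinet) implements that check over FortiOS-style key="value" event lines. The log lines are constructed for illustration and imitate the layout of FortiOS system event logs, but the field values, usernames, addresses and profile names are invented and no real log IDs are used; the EXPECTED_PROFILE table stands in for an export from the device or an IAM system.

```python
"""
Added example: flag state-changing actions by administrators that were
provisioned as read-only, which is the behavioural signature of an
escalation like CVE-2025-22254 regardless of how it was achieved.

The sample log lines are CONSTRUCTED. They imitate FortiOS key="value"
event logs but use invented values; real field sets vary by release.
"""
import re
from dataclasses import dataclass

# Hypothetical provisioning record: the access profile each account should have.
EXPECTED_PROFILE = {
    "audit_ro": "prof_readonly",
    "netops": "prof_readonly",
    "sysadmin": "super_admin",
}

# Actions that change configuration; a read-only administrator should never produce them.
WRITE_ACTIONS = {"Add", "Edit", "Delete"}

# key=value pairs, with quoted values allowed to contain spaces.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

SAMPLE_LOG = [  # constructed
    'date=2026-01-20 time=10:01:02 type="event" subtype="system" level="information" vd="root" '
    'user="audit_ro" ui="https(203.0.113.5)" action="login" status="success" '
    'msg="Administrator audit_ro logged in successfully from https(203.0.113.5)"',
    'date=2026-01-20 time=10:01:40 type="event" subtype="system" level="information" vd="root" '
    'user="audit_ro" ui="https(203.0.113.5)" action="Edit" cfgpath="system.admin" cfgobj="audit_ro" '
    'cfgattr="accprofile[prof_readonly->super_admin]" msg="Edit system.admin audit_ro"',
    'date=2026-01-20 time=10:02:15 type="event" subtype="system" level="information" vd="root" '
    'user="audit_ro" ui="https(203.0.113.5)" action="Add" cfgpath="system.admin" cfgobj="svc_backup" '
    'cfgattr="accprofile[super_admin]" msg="Add system.admin svc_backup"',
    'date=2026-01-20 time=10:03:00 type="event" subtype="system" level="information" vd="root" '
    'user="sysadmin" ui="ssh(192.0.2.10)" action="Edit" cfgpath="firewall.policy" cfgobj="12" '
    'cfgattr="status[enable->disable]" msg="Edit firewall.policy 12"',
    'date=2026-01-20 time=10:04:00 type="event" subtype="system" level="information" vd="root" '
    'user="netops" ui="https(192.0.2.11)" action="Edit" cfgpath="system.interface" cfgobj="port1" '
    'cfgattr="allowaccess[https->https ssh]" msg="Edit system.interface port1"',
    'date=2026-01-20 time=10:05:00 type="event" subtype="system" level="information" vd="root" '
    'user="netops" ui="https(192.0.2.11)" action="login" status="success" '
    'msg="Administrator netops logged in successfully"',
]


def parse_fortios_event(line: str) -> dict:
    """Parse one key=value event line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, value in _KV.findall(line):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return fields


@dataclass
class Alert:
    user: str
    reason: str
    evidence: str  # the raw log line, kept for the analyst


def detect_role_violations(lines, expected=EXPECTED_PROFILE):
    """Return one Alert per event in which a read-only account changed state."""
    alerts = []
    for line in lines:
        ev = parse_fortios_event(line)
        user = ev.get("user")
        if expected.get(user) != "prof_readonly":
            continue  # only accounts provisioned read-only are in scope here
        action = ev.get("action", "")
        cfgpath = ev.get("cfgpath", "")
        cfgattr = ev.get("cfgattr", "")
        # Most specific first: a read-only account touching an admin access
        # profile is the direct signature of an escalation to super-admin.
        if cfgpath.startswith("system.admin") and "accprofile" in cfgattr:
            alerts.append(Alert(user, "read-only admin changed an administrator access profile", line))
        elif action in WRITE_ACTIONS:
            alerts.append(Alert(user, f"read-only admin performed {action} on {cfgpath}", line))
    return alerts


if __name__ == "__main__":
    for a in detect_role_violations(SAMPLE_LOG):
        print(f"[{a.user}] {a.reason}")
```

The provisioning table is the part worth getting right in practice: the detector is only as good as the record of which accounts are supposed to be read-only, which is why the page's advice to audit account permissions regularly belongs next to the SIEM rule rather than being a separate task.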

How to Mitigate CVE-2025-22254

Immediate Actions Required

  • Review the FortiGuard Security Advisory for the latest patch information and guidance
  • Update affected FortiOS, FortiProxy, and FortiWeb installations to patched versions as specified by Fortinet
  • Audit all administrative accounts and remove unnecessary read-only admin privileges where possible
  • Restrict management interface access to trusted networks and IP addresses only
  • Enable multi-factor authentication for all administrative access to Fortinet devices

Patch Information

Fortinet has released security updates to address this vulnerability. Organizations should consult the official FortiGuard Security Advisory (FG-IR-25-006) for specific patched version numbers and upgrade instructions. Priority should be given to internet-facing devices and those protecting critical infrastructure.

Workarounds

  • Restrict network access to Fortinet management interfaces using IP allowlists or dedicated management VLANs
  • Implement strict separation between management networks and production traffic to limit attacker access to administrative interfaces
  • Disable unused administrative accounts and enforce principle of least privilege for all remaining accounts
  • Consider temporarily disabling websocket functionality if operationally feasible until patches can be applied
```
# Example: restrict management interface access to trusted networks only.
# Note: this is FortiOS CLI, not a shell script. Trusted hosts are a
# per-administrator setting (config system admin), not an interface option.
config system interface
    edit "mgmt"
        set allowaccess ping https ssh
    next
end
config system admin
    edit "readonly-admin"
        set trusthost1 10.0.0.0 255.0.0.0
        set trusthost2 192.168.1.0 255.255.255.0
    next
end
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: Privilege Escalation
  • Vendor/Tech: Fortinet FortiOS
  • Severity: HIGH
  • CVSS Score: 7.2
  • EPSS Probability: 0.22%
  • Known Exploited: No
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Impact Assessment

  • Confidentiality: Low
  • Integrity: None
  • Availability: High

CWE References

  • CWE-269

Vendor Resources

  • FortiGuard Security Advisory

Related CVEs

  • CVE-2025-24477: Fortinet FortiOS Privilege Escalation Flaw
  • CVE-2024-40591: Fortinet FortiOS Privilege Escalation Flaw
  • CVE-2025-53847: Fortinet FortiOS Auth Bypass Vulnerability
  • CVE-2025-25249: Fortinet FortiOS Buffer Overflow Flaw