CVE-2025-22862 Overview
CVE-2025-22862 is an Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting Fortinet FortiOS and FortiProxy. The flaw resides in the Automation Stitch component and allows an authenticated attacker to elevate privileges by triggering a malicious Webhook action. Successful exploitation grants the attacker higher privileges than originally authorized on the affected device.
Critical Impact
An authenticated attacker can escalate privileges on FortiOS and FortiProxy devices by abusing Webhook actions in Automation Stitch, leading to full compromise of confidentiality, integrity, and availability on the affected system.
Affected Products
- Fortinet FortiOS 7.4.0 through 7.4.7, 7.2.0 through 7.2.11, and 7.0.6 and above
- Fortinet FortiProxy 7.6.0 through 7.6.2, 7.4.0 through 7.4.8, all 7.2 versions, and 7.0.5 and above
- Deployments using the Automation Stitch component with Webhook actions
Discovery Timeline
- 2025-10-02 - CVE-2025-22862 published to NVD
- 2025-10-15 - Last updated in NVD database
Technical Details for CVE-2025-22862
Vulnerability Analysis
The vulnerability is classified as Authentication Bypass Using an Alternate Path or Channel [CWE-288]. The Automation Stitch feature in FortiOS and FortiProxy automates responses to system events using configurable triggers and actions. One supported action type is a Webhook, which issues HTTP requests to remote or local endpoints.
When an authenticated attacker crafts a malicious Webhook action, the request follows an execution path that does not enforce the privilege checks applied to standard administrative operations. The Webhook executes in a context with elevated privileges relative to the invoking user. This allows the attacker to perform actions normally restricted to higher-privileged accounts.
The CWE-288 classification indicates that authentication is enforced on the primary administrative interface but bypassed through this alternate Webhook channel. The result is a vertical privilege escalation from a low-privileged authenticated session to a higher administrative context.
Root Cause
The root cause is missing authorization enforcement on the Webhook action execution path within the Automation Stitch component. The Webhook handler does not validate that the invoking user holds sufficient privileges for the underlying operations the Webhook ultimately performs. Authorization is checked at the management interface boundary but not within the automation execution pipeline.
Attack Vector
The attack vector is local and requires high privileges on the device, meaning the attacker must already hold a valid administrative or operator account. The attacker configures or triggers an Automation Stitch with a Webhook action targeting a sensitive operation. When the stitch executes, the Webhook runs with elevated context, granting the attacker access beyond their assigned role. No user interaction is required for exploitation.
No public proof-of-concept exploit code is currently available for CVE-2025-22862. Refer to the Fortinet Security Advisory FG-IR-24-385 for vendor-supplied technical details.
Detection Methods for CVE-2025-22862
Indicators of Compromise
- Newly created or modified Automation Stitch entries containing Webhook actions, particularly those created by non-superadmin accounts
- Outbound HTTP or HTTPS requests originating from FortiOS or FortiProxy management processes to unusual or attacker-controlled endpoints
- Configuration changes or administrative actions executed shortly after a Webhook trigger event in system event logs
Detection Strategies
- Audit the running configuration for config system automation-stitch and config system automation-action entries, focusing on Webhook actions with suspicious URIs or HTTP headers
- Correlate administrator login events with subsequent automation stitch modifications to identify low-privileged accounts creating Webhook actions
- Review FortiAnalyzer or syslog records for automation event execution paired with privilege-sensitive configuration changes
Monitoring Recommendations
- Forward FortiOS and FortiProxy event logs to a centralized SIEM and alert on automation-stitch configuration changes by non-administrator accounts
- Monitor egress traffic from management interfaces for unexpected webhook destinations
- Track all administrative role changes and privilege assignments on affected devices to detect successful escalation
How to Mitigate CVE-2025-22862
Immediate Actions Required
- Upgrade affected FortiOS and FortiProxy instances to the fixed versions listed in Fortinet Security Advisory FG-IR-24-385
- Inventory all Automation Stitch configurations and remove unrecognized or unnecessary Webhook actions
- Restrict administrative account creation and enforce least-privilege role assignments on management interfaces
Patch Information
Fortinet has released fixed builds for affected branches of FortiOS and FortiProxy. Consult the Fortinet Security Advisory FG-IR-24-385 for the specific patched version corresponding to each affected release train. Apply the vendor-recommended upgrade path during your next maintenance window.
Workarounds
- If immediate patching is not feasible, disable or remove Webhook actions within the Automation Stitch configuration until the upgrade is completed
- Limit administrative access to the management interface using trusted host restrictions and dedicated management networks
- Enable multi-factor authentication for all administrative accounts to reduce the risk of credential compromise leading to exploitation
# Review and audit existing automation stitches and actions on FortiOS
show system automation-stitch
show system automation-action
# Remove a suspicious webhook action (replace <name> with the action identifier)
config system automation-action
delete <name>
end
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
