CVE-2025-22254 - Vulnerability Details

An Improper Privilege Management vulnerability [CWE-269] vulnerability in Fortinet FortiOS 7.6.0 through 7.6.1, FortiOS 7.4.0 through 7.4.6, FortiOS 7.2.0 through 7.2.10, FortiOS 7.0.0 through 7.0.16, FortiOS 6.4.0 through 6.4.15, FortiProxy 7.6.0 through 7.6.1, FortiProxy 7.4.0 through 7.4.7, FortiWeb 7.6.0 through 7.6.1, FortiWeb 7.4.0 through 7.4.6 allows an authenticated attacker with at least read-only admin permissions to gain super-admin privileges via crafted requests to Node.js websocket module.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Fortinet	Fortios Fortiproxy Fortiweb

Configuration 1 [-]

OR	cpe:2.3:o:fortinet:fortios::::::::
	cpe:2.3:o:fortinet:fortios::::::::
	cpe:2.3:o:fortinet:fortios::::::::
	cpe:2.3:o:fortinet:fortios::::::::
	cpe:2.3:o:fortinet:fortios::::::::

Configuration 2 [-]

OR	cpe:2.3:a:fortinet:fortiproxy::::::::
	cpe:2.3:a:fortinet:fortiproxy::::::::

Configuration 3 [-]

OR	cpe:2.3:a:fortinet:fortiweb::::::::
	cpe:2.3:a:fortinet:fortiweb::::::::

No data.

References

Link	Providers
https://fortiguard.fortinet.com/psirt/FG-IR-25-006

History

Wed, 14 Jan 2026 14:00:00 +0000

Type	Values Removed	Values Added
Description	An Improper Privilege Management vulnerability [CWE-269] affecting Fortinet FortiOS version 7.6.0 through 7.6.1, 7.4.0 through 7.4.6, 7.2.0 through 7.2.10, 7.0.0 through 7.0.16 and before 6.4.15, FortiProxy version 7.6.0 through 7.6.1 and before 7.4.7 & FortiWeb version 7.6.0 through 7.6.1 and before 7.4.6 allows an authenticated attacker with at least read-only admin permissions to gain super-admin privileges via crafted requests to Node.js websocket module.	An Improper Privilege Management vulnerability [CWE-269] vulnerability in Fortinet FortiOS 7.6.0 through 7.6.1, FortiOS 7.4.0 through 7.4.6, FortiOS 7.2.0 through 7.2.10, FortiOS 7.0.0 through 7.0.16, FortiOS 6.4.0 through 6.4.15, FortiProxy 7.6.0 through 7.6.1, FortiProxy 7.4.0 through 7.4.7, FortiWeb 7.6.0 through 7.6.1, FortiWeb 7.4.0 through 7.4.6 allows an authenticated attacker with at least read-only admin permissions to gain super-admin privileges via crafted requests to Node.js websocket module.
CPEs		cpe:2.3:a:fortinet:fortiproxy:7.4.0:::::::* cpe:2.3:a:fortinet:fortiproxy:7.4.1:::::::* cpe:2.3:a:fortinet:fortiproxy:7.4.2:::::::* cpe:2.3:a:fortinet:fortiproxy:7.4.3:::::::* cpe:2.3:a:fortinet:fortiproxy:7.4.4:::::::* cpe:2.3:a:fortinet:fortiproxy:7.4.5:::::::* cpe:2.3:a:fortinet:fortiproxy:7.4.6:::::::* cpe:2.3:a:fortinet:fortiproxy:7.4.7:::::::* cpe:2.3:a:fortinet:fortiproxy:7.6.0:::::::* cpe:2.3:a:fortinet:fortiproxy:7.6.1:::::::* cpe:2.3:a:fortinet:fortiweb:7.4.0:::::::* cpe:2.3:a:fortinet:fortiweb:7.4.1:::::::* cpe:2.3:a:fortinet:fortiweb:7.4.2:::::::* cpe:2.3:a:fortinet:fortiweb:7.4.3:::::::* cpe:2.3:a:fortinet:fortiweb:7.4.4:::::::* cpe:2.3:a:fortinet:fortiweb:7.4.5:::::::* cpe:2.3:a:fortinet:fortiweb:7.4.6:::::::* cpe:2.3:a:fortinet:fortiweb:7.6.0:::::::* cpe:2.3:a:fortinet:fortiweb:7.6.1:::::::*

Tue, 22 Jul 2025 21:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Fortinet fortiproxy Fortinet fortiweb
CPEs		cpe:2.3:a:fortinet:fortiproxy:::::::: cpe:2.3:a:fortinet:fortiweb:::::::: cpe:2.3:o:fortinet:fortios::::::::
Vendors & Products		Fortinet fortiproxy Fortinet fortiweb

Sat, 12 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00054}`	epss `{'score': 0.00059}`

Tue, 10 Jun 2025 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 10 Jun 2025 16:45:00 +0000

Type	Values Removed	Values Added
Description		An Improper Privilege Management vulnerability [CWE-269] affecting Fortinet FortiOS version 7.6.0 through 7.6.1, 7.4.0 through 7.4.6, 7.2.0 through 7.2.10, 7.0.0 through 7.0.16 and before 6.4.15, FortiProxy version 7.6.0 through 7.6.1 and before 7.4.7 & FortiWeb version 7.6.0 through 7.6.1 and before 7.4.6 allows an authenticated attacker with at least read-only admin permissions to gain super-admin privileges via crafted requests to Node.js websocket module.
First Time appeared		Fortinet Fortinet fortios
Weaknesses		CWE-269
CPEs		cpe:2.3:o:fortinet:fortios:6.4.0:::::::* cpe:2.3:o:fortinet:fortios:6.4.10:::::::* cpe:2.3:o:fortinet:fortios:6.4.11:::::::* cpe:2.3:o:fortinet:fortios:6.4.12:::::::* cpe:2.3:o:fortinet:fortios:6.4.13:::::::* cpe:2.3:o:fortinet:fortios:6.4.14:::::::* cpe:2.3:o:fortinet:fortios:6.4.15:::::::* cpe:2.3:o:fortinet:fortios:6.4.1:::::::* cpe:2.3:o:fortinet:fortios:6.4.2:::::::* cpe:2.3:o:fortinet:fortios:6.4.3:::::::* cpe:2.3:o:fortinet:fortios:6.4.4:::::::* cpe:2.3:o:fortinet:fortios:6.4.5:::::::* cpe:2.3:o:fortinet:fortios:6.4.6:::::::* cpe:2.3:o:fortinet:fortios:6.4.7:::::::* cpe:2.3:o:fortinet:fortios:6.4.8:::::::* cpe:2.3:o:fortinet:fortios:6.4.9:::::::* cpe:2.3:o:fortinet:fortios:7.0.0:::::::* cpe:2.3:o:fortinet:fortios:7.0.10:::::::* cpe:2.3:o:fortinet:fortios:7.0.11:::::::* cpe:2.3:o:fortinet:fortios:7.0.12:::::::* cpe:2.3:o:fortinet:fortios:7.0.13:::::::* cpe:2.3:o:fortinet:fortios:7.0.14:::::::* cpe:2.3:o:fortinet:fortios:7.0.15:::::::* cpe:2.3:o:fortinet:fortios:7.0.16:::::::* cpe:2.3:o:fortinet:fortios:7.0.1:::::::* cpe:2.3:o:fortinet:fortios:7.0.2:::::::* cpe:2.3:o:fortinet:fortios:7.0.3:::::::* cpe:2.3:o:fortinet:fortios:7.0.4:::::::* cpe:2.3:o:fortinet:fortios:7.0.5:::::::* cpe:2.3:o:fortinet:fortios:7.0.6:::::::* cpe:2.3:o:fortinet:fortios:7.0.7:::::::* cpe:2.3:o:fortinet:fortios:7.0.8:::::::* cpe:2.3:o:fortinet:fortios:7.0.9:::::::* cpe:2.3:o:fortinet:fortios:7.2.0:::::::* cpe:2.3:o:fortinet:fortios:7.2.10:::::::* cpe:2.3:o:fortinet:fortios:7.2.1:::::::* cpe:2.3:o:fortinet:fortios:7.2.2:::::::* cpe:2.3:o:fortinet:fortios:7.2.3:::::::* cpe:2.3:o:fortinet:fortios:7.2.4:::::::* cpe:2.3:o:fortinet:fortios:7.2.5:::::::* cpe:2.3:o:fortinet:fortios:7.2.6:::::::* cpe:2.3:o:fortinet:fortios:7.2.7:::::::* cpe:2.3:o:fortinet:fortios:7.2.8:::::::* cpe:2.3:o:fortinet:fortios:7.2.9:::::::* cpe:2.3:o:fortinet:fortios:7.4.0:::::::* cpe:2.3:o:fortinet:fortios:7.4.1:::::::* cpe:2.3:o:fortinet:fortios:7.4.2:::::::* cpe:2.3:o:fortinet:fortios:7.4.3:::::::* cpe:2.3:o:fortinet:fortios:7.4.4:::::::* cpe:2.3:o:fortinet:fortios:7.4.5:::::::* cpe:2.3:o:fortinet:fortios:7.4.6:::::::* cpe:2.3:o:fortinet:fortios:7.6.0:::::::* cpe:2.3:o:fortinet:fortios:7.6.1:::::::*
Vendors & Products		Fortinet Fortinet fortios
References		https://fortiguard.fortinet.com/psirt/FG-IR-25-006
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H/E:H/RL:W/RC:C'}`

MITRE

Status: PUBLISHED

Assigner: fortinet

Published: 2025-06-10T16:36:17.127Z

Updated: 2026-01-14T13:46:40.890Z

Reserved: 2025-01-02T10:21:04.197Z

Link: CVE-2025-22254

Vulnrichment

Updated: 2025-06-10T18:30:26.720Z

NVD

Status : Modified

Published: 2025-06-10T17:21:08.420

Modified: 2026-01-14T14:16:11.733

Link: CVE-2025-22254

Redhat

No data.

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object