CVE-2025-22251

LOW

FortiOS 6.4, 7.0, 7.2 (all versions), 7.4.0 through 7.4.5 and 7.6.0 - unauthenticated session injection via crafted FGSP session synchronization packets

Title source: llm

Description

An improper restriction of communication channel to intended endpoints vulnerability [CWE-923] in FortiOS 7.6.0, 7.4.0 through 7.4.5, 7.2 all versions, 7.0 all versions, 6.4 all versions may allow an unauthenticated attacker to inject unauthorized sessions via crafted FGSP session synchronization packets.
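The affected ranges above are the only version information the record gives, so the first thing a practitioner usually needs is a way to test an inventory against them. The helper below is an added example, not code from the advisory or from Fortinet; it transcribes the ranges from the description ("all versions" branches are treated as affected at every patch level, 7.4.x is affected up to 7.4.5, and 7.6.0 alone on the 7.6 branch) and reports any version outside those branches, for example 6.2.x, as "not listed" rather than guessing. The sample inventory in the usage section is constructed.

```python
# Added triage helper (not from the advisory or Fortinet): decides whether a
# FortiOS version string falls inside the affected ranges stated in the
# CVE-2025-22251 description. Ranges are transcribed from that text.
import re

AFFECTED_ALL = {(6, 4), (7, 0), (7, 2)}   # "all versions" branches
AFFECTED_MAX_PATCH = {(7, 4): 5}          # 7.4.0 through 7.4.5
AFFECTED_EXACT = {(7, 6, 0)}              # 7.6.0 only

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> tuple:
    """Parse 'v7.4.3' or '7.4.3' into a (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised FortiOS version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(text: str) -> bool:
    """True if the version falls in a range the description lists as affected."""
    major, minor, patch = parse_version(text)
    branch = (major, minor)
    if branch in AFFECTED_ALL:
        return True
    if branch in AFFECTED_MAX_PATCH:
        return patch <= AFFECTED_MAX_PATCH[branch]
    return (major, minor, patch) in AFFECTED_EXACT


def triage(versions):
    """Map each version string to a verdict; unknown branches are 'not listed'."""
    return {
        v: ("affected" if is_affected(v) else "not listed as affected")
        for v in versions
    }


if __name__ == "__main__":
    # Constructed sample inventory, not real device data.
    sample = ["6.4.15", "7.0.17", "7.2.11", "7.4.5", "7.4.6", "7.6.0", "7.6.1"]
    for v, verdict in triage(sample).items():
        print(f"{v:>8}: {verdict}")
```

Because the advisory says nothing about branches older than 6.4, the helper deliberately does not claim they are safe; treat "not listed" as a prompt to check the vendor advisory, not as a clean bill of health.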

Scores

CVSS v3.1 base score 3.1
EPSS 0.0008 (0.08%)
EPSS Percentile 22.9%
Attack Vector ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Classification

CWE
CWE-923
Status published

Affected Products (2)

fortinet/fortios < 7.4.6
fortinet/fortios (no version range recorded for this entry; the Description lists the full set of affected branches, including 7.6.0)

Timeline

Published Jun 10, 2025
Tracked Since Feb 18, 2026