CVE-2025-25255

MEDIUM

Fortinet FortiOS <7.6.3 - Auth Bypass

Title source: llm

Description

An Improperly Implemented Security Check for Standard vulnerability [CWE-358] vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiProxy 7.6.0 through 7.6.3, FortiProxy 7.4.0 through 7.4.11, FortiProxy 7.2 all versions, FortiProxy 7.0.1 through 7.0.22 may allow an unauthenticated proxy user to bypass the domain fronting protection feature via crafted HTTP requests.

References (1)

[Vendor Advisory] https://fortiguard.fortinet.com/psirt/FG-IR-24-372

Scores

CVSS v3 5.3

EPSS 0.0002

EPSS Percentile 6.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-358

Status published

Products (2)

fortinet/fortios 7.6.0 - 7.6.4

fortinet/fortiproxy 7.0.1 - 7.6.4

Published Oct 14, 2025

Tracked Since Feb 18, 2026