What is CVE-2025-22252?

CVE-2025-22252 is a critical-severity vulnerability in Fortinet Fortios, classified under Missing Authentication for Critical Function. CVSS score: 9.0/10. Published 2025-05-28.

How severe is CVE-2025-22252?

Critical severity. CVSS v3 base score is 9.0 out of 10.

Is CVE-2025-22252 known to be exploited?

2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Auth bypass in Fortinet Fortios

CVE-2025-22252

A missing authentication for critical function in Fortinet FortiProxy versions 7.6.0 through 7.6.1, FortiSwitchManager version 7.2.5, and FortiOS versions 7.4.4 through 7.4.6 and version 7.6.0 may allow an attacker with knowledge of an exi…

Vulnerability class: Broken Authentication

EPSS: 0.002 (47.8th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.0 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:W/RC:C.

Affected products

Fortinet Fortios — versions 7.6.0, 7.4.4
Fortinet Fortiproxy — versions 7.6.0
Fortinet Fortiswitchmanager — versions 7.2.5

Weakness classification (CWE)

CWE-306 — Missing Authentication for Critical Function

Public proof-of-concept exploits

References

https://fortiguard.fortinet.com/psirt/FG-IR-24-472

Frequently asked questions

What is CVE-2025-22252?: CVE-2025-22252 is a critical-severity vulnerability in Fortinet Fortios, classified under Missing Authentication for Critical Function. CVSS score: 9.0/10. Published 2025-05-28.
How severe is CVE-2025-22252?: Critical severity. CVSS v3 base score is 9.0 out of 10.
Is CVE-2025-22252 known to be exploited?: 2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.