FortiOS Authentication Bypass Vulnerability Lets Attackers Take Full Control of Device

May 13, 2025 - 21:08

Fortinet has disclosed a significant security vulnerability affecting multiple Fortinet products, allowing attackers to bypass authentication and gain administrative access to affected systems.

The vulnerability, CVE-2025-22252 (Missing Authentication for Critical Function), affects FortiOS, FortiProxy, and FortiSwitchManager products configured to use TACACS+ with ASCII authentication.

This critical flaw lets an attacker who knows the name of an existing admin account log in to the device as that administrator, bypassing the authentication step entirely.

Security researchers have identified this as particularly dangerous because it allows unauthorized users to potentially gain complete control over network infrastructure devices, which could lead to further network penetration, data theft, or service disruption.

Affected Products and Versions

According to Fortinet’s security advisory, the following product versions are vulnerable:

  • FortiOS 7.6.0
  • FortiOS 7.4.4 through 7.4.6
  • FortiProxy 7.6.0 through 7.6.1
  • FortiSwitchManager 7.2.5

Earlier versions of these products, including FortiOS 7.2, 7.0, 6.4, FortiProxy 7.4, 7.2, 7.0, 2.0, and FortiSwitchManager 7.0, are not affected by this vulnerability.

Fortinet strongly recommends that organizations using affected configurations immediately upgrade to the patched versions:

  • FortiOS 7.6.1 or above
  • FortiOS 7.4.7 or above
  • FortiProxy 7.6.2 or above
  • FortiSwitchManager 7.2.6 or above

For organizations unable to update immediately, Fortinet's temporary workaround is to switch the TACACS+ authentication method to PAP, MSCHAP, or CHAP, none of which are affected by this vulnerability.

Administrators can apply this change from the device's command-line interface by modifying the TACACS+ server configuration.
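As an added example (not from the advisory or the article), the script below audits a FortiOS configuration backup for this issue: it reads the firmware version from the `#config-version=` header, checks it against the FortiOS ranges listed above, and reports every `config user tacacs+` entry whose `authen-type` is `ascii`, emitting the CLI fragment that switches it to PAP. The sample backup is constructed (model, build string and addresses are made up); the `config user tacacs+` / `set authen-type` syntax is the standard FortiOS CLI form, and only the FortiOS ranges are encoded, not FortiProxy or FortiSwitchManager.

```python
import re

# Affected FortiOS ranges from the advisory (inclusive): 7.6.0 and 7.4.4-7.4.6.
AFFECTED_FORTIOS = [((7, 6, 0), (7, 6, 0)), ((7, 4, 4), (7, 4, 6))]
# Constructed sample backup: model, build string and addresses are made up.
SAMPLE_CONFIG = """\
#config-version=FGT100F-7.4.5-FW-build0000-000000:opmode=0:vdom=0:user=admin
config user tacacs+
    edit "corp-tacacs"
        set server "192.0.2.5"
        set authen-type ascii
    next
    edit "lab-tacacs"
        set server "192.0.2.6"
        set authen-type pap
    next
end
"""

def parse_version(config):
    """(major, minor, patch) from the '#config-version=' header, or None."""
    m = re.search(r"^#config-version=[^-]+-(\d+)\.(\d+)\.(\d+)-", config, re.M)
    return tuple(int(x) for x in m.groups()) if m else None

def fortios_is_affected(version):
    """True when a FortiOS version lies in an advisory-listed vulnerable range."""
    return any(lo <= version <= hi for lo, hi in AFFECTED_FORTIOS)

def tacacs_authen_types(config):
    """Map each 'config user tacacs+' entry to its authen-type (None if unset)."""
    block = re.search(r"^config user tacacs\+\n(.*?)^end\s*$", config, re.M | re.S)
    found = {}
    for e in re.finditer(r'^\s*edit "([^"]+)"\n(.*?)^\s*next\s*$',
                         block.group(1) if block else "", re.M | re.S):
        t = re.search(r"^\s*set authen-type (\S+)", e.group(2), re.M)
        found[e.group(1)] = t.group(1) if t else None
    return found

def remediation_cli(name, method="pap"):
    """CLI fragment moving one server to a method the advisory lists as unaffected."""
    return f'config user tacacs+\n    edit "{name}"\n        set authen-type {method}\n    next\nend'

def audit(config):
    """Report version exposure and TACACS+ servers still using ASCII authentication."""
    version = parse_version(config)
    ascii_entries = [n for n, t in tacacs_authen_types(config).items() if t == "ascii"]
    return {"version": version,
            "affected_version": version is not None and fortios_is_affected(version),
            "ascii_entries": ascii_entries,
            "fixes": [remediation_cli(n) for n in ascii_entries]}
```

Entries with no `authen-type` line are reported as `None` so they can be reviewed by hand rather than assumed safe.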

It’s important to note that this vulnerability specifically affects configurations where ASCII authentication is used with TACACS+. TACACS+ is a remote authentication protocol that provides access control for routers, network access servers, and other network devices through centralized servers.

ASCII authentication exchanges credentials with the TACACS+ server differently from PAP, MSCHAP, and CHAP, which is why only the ASCII method is affected by this vulnerability.

Fortinet credited security researchers Cam B from Vital and Matheus Maia from NBS Telecom with discovering and responsibly reporting this vulnerability, highlighting the importance of the security research community in identifying critical flaws before they can be widely exploited.

Fortinet also patched a FortiVoice zero-day vulnerability that was exploited in the wild to execute arbitrary code, and shared IoC details for it.

Organizations using Fortinet products should review their configurations and take appropriate action immediately to secure their network infrastructure against this potential threat.

The post FortiOS Authentication Bypass Vulnerability Lets Attackers Take Full Control of Device appeared first on Cyber Security News.