CVE-2025-22862
MediumCVSS 6.7Exploitation Probability (EPSS)
Low risk8th percentile - higher than 8% of all known CVEs
Summary
FortiOS and FortiProxy have an authentication bypass vulnerability that may allow an authenticated attacker to elevate their privileges by triggering a malicious Webhook action in the Automation Stitch component.
Risk Assessment
An attacker with existing access could gain elevated privileges, posing a serious threat to the security of the system and organizational data.
Recommendation
It is recommended to update to the latest version of FortiOS and FortiProxy to mitigate this vulnerability and to monitor logs for potential exploitation attempts.
Original NVD description (English source)
An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] in FortiOS 7.4.0 through 7.4.7, 7.2.0 through 7.2.11, 7.0.6 and above; and FortiProxy 7.6.0 through 7.6.2, 7.4.0 through 7.4.8, 7.2 all versions, 7.0.5 and above may allow an authenticated attacker to elevate their privileges via triggering a malicious Webhook action in the Automation Stitch component.

