FortiOS authentication bypass vulnerabilities can expose critical infrastructure to administrative compromise. A newly disclosed flaw, CVE-2025-22252, affects multiple Fortinet products configured to use TACACS+ with ASCII authentication. The issue allows attackers to bypass login mechanisms and gain privileged access, putting entire network environments at risk.
Vulnerability Summary
- CVE ID: CVE-2025-22252
- Severity: Critical
- Type: Missing Authentication for Critical Function
- Affected Protocol: TACACS+ with ASCII authentication
Affected Products and Versions
Fortinet confirms the following versions are vulnerable:
- FortiOS: 7.6.0; 7.4.4 through 7.4.6
- FortiProxy: 7.6.0 through 7.6.1
- FortiSwitchManager: 7.2.5
The following versions are not affected:
- FortiOS: 7.2.x, 7.0.x, 6.4.x
- FortiProxy: 7.4.x, 7.2.x, 7.0.x, 2.0.x
- FortiSwitchManager: 7.0.x
Exploitation Details
The vulnerability affects only systems configured to use TACACS+ with ASCII authentication. If an attacker knows a valid admin username, they can bypass authentication entirely. The issue lies in the lack of a proper authentication check during login requests using this method.
Other authentication types (PAP, MSCHAP, CHAP) used with TACACS+ are not affected.
Attackers gaining administrative access through this flaw can modify configurations, access internal data, and escalate control across the network.
Mitigation and Patch Guidance
Fortinet has released updates that fully address this issue:
- FortiOS: Upgrade to 7.6.1 or later, or 7.4.7 or later
- FortiProxy: Upgrade to 7.6.2 or later
- FortiSwitchManager: Upgrade to 7.2.6 or later
If patching cannot be applied immediately, Fortinet recommends switching the authentication method from ASCII to PAP, MSCHAP, or CHAP. These can be configured through the CLI.
Technical Context
TACACS+ is a protocol used to centralize authentication for administrative access to network devices. The flaw is not in the TACACS+ protocol itself but in how the affected Fortinet releases handle logins that use its ASCII authentication method: the required authentication check is missing, so a login can complete without the supplied credentials being verified.
Organizations using centralized access controls based on this method should evaluate all configurations for exposure.
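As an aid to that evaluation, and to the upgrade-or-reconfigure guidance above, the following is an added example (not Fortinet's code or tooling) that audits an offline configuration export. It checks the firmware version against the affected ranges listed in this advisory, flags every `config user tacacs+` entry set to `authen-type ascii`, and prints the CLI needed to move those entries to PAP, CHAP or MSCHAP. It assumes the export begins with a `#config-version=<model>-<major.minor.patch>-...` header and that `authen-type` is the CLI keyword for the TACACS+ authentication method; the sample export embedded below is constructed for the example and is not from a real device.

```python
import re
from dataclasses import dataclass, field

# Affected version ranges exactly as the advisory lists them, per product.
# Each entry is an inclusive (low, high) pair of (major, minor, patch).
AFFECTED = {
    "FortiOS": [((7, 6, 0), (7, 6, 0)), ((7, 4, 4), (7, 4, 6))],
    "FortiProxy": [((7, 6, 0), (7, 6, 1))],
    "FortiSwitchManager": [((7, 2, 5), (7, 2, 5))],
}

# Assumed header layout of a config export: "#config-version=<model>-<x.y.z>-FW-build...".
VERSION_HEADER = re.compile(r"^#config-version=\S+?-(\d+\.\d+\.\d+)-", re.M)


def parse_version(text):
    """Turn '7.4.5' into (7, 4, 5) so ranges compare as tuples."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(product, version):
    """True when product/version falls inside a range the advisory marks vulnerable."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED.get(product, []))


@dataclass
class AuditResult:
    product: str
    version: str
    version_affected: bool
    ascii_servers: list = field(default_factory=list)  # tacacs+ entries using ASCII

    @property
    def exposed(self):
        # Exposure needs both: a vulnerable build AND ASCII authentication in use.
        return self.version_affected and bool(self.ascii_servers)


def audit_config(product, config_text):
    """Scan an export for 'config user tacacs+' entries set to ASCII authentication."""
    m = VERSION_HEADER.search(config_text)
    if not m:
        raise ValueError("no #config-version header found")
    version = m.group(1)
    ascii_servers, depth, tacacs_depth, current = [], 0, None, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):           # any block opener, nested or not
            depth += 1
            if line == "config user tacacs+":
                tacacs_depth = depth
        elif line == "end":                      # closes the innermost open block
            if depth == tacacs_depth:
                tacacs_depth, current = None, None
            depth -= 1
        elif tacacs_depth is not None and depth == tacacs_depth:
            if line.startswith("edit "):
                current = line[5:].strip().strip('"')
            elif line == "next":
                current = None
            elif current and line == "set authen-type ascii":
                ascii_servers.append(current)
    return AuditResult(product, version, is_affected(product, version), ascii_servers)


def mitigation_cli(result, new_type="pap"):
    """Emit CLI moving each flagged server off ASCII (assumed 'authen-type' keyword)."""
    if new_type not in ("pap", "chap", "mschap"):
        raise ValueError("new_type must be pap, chap or mschap")
    if not result.ascii_servers:
        return ""
    lines = ["config user tacacs+"]
    for name in result.ascii_servers:
        lines += [f'    edit "{name}"', f"        set authen-type {new_type}", "    next"]
    lines.append("end")
    return "\n".join(lines)


# Constructed sample export (not from a real device): one ASCII server, one PAP server.
SAMPLE_CONFIG = """\
#config-version=FGVM64-7.4.5-FW-build0000-000000:opmode=0:vdom=0:user=admin
config system global
    set hostname "fw-edge-1"
end
config user tacacs+
    edit "tacacs-corp"
        set server "10.0.0.5"
        set authen-type ascii
    next
    edit "tacacs-lab"
        set server "10.0.0.6"
        set authen-type pap
    next
end
"""

if __name__ == "__main__":
    result = audit_config("FortiOS", SAMPLE_CONFIG)
    print(f"{result.product} {result.version}: exposed={result.exposed}, "
          f"ascii servers={result.ascii_servers}")
    if result.exposed:
        print(mitigation_cli(result))
```

Run it against a real export by replacing SAMPLE_CONFIG with the file contents and passing the correct product name; a build outside the listed ranges with ASCII entries still reports exposed=False, which matches the advisory's scope, but switching those entries to PAP, CHAP or MSCHAP is still the safer configuration to carry forward.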
Additional Fortinet Security Updates
In addition to CVE-2025-22252, Fortinet recently patched a zero-day vulnerability in FortiVoice that was actively exploited. System administrators are advised to review all current Fortinet advisories and apply the necessary mitigations.
Recommended Actions
Organizations using vulnerable Fortinet products with TACACS+ ASCII authentication must apply patches or reconfigure their authentication settings. The risk of administrative compromise is high, and delays in remediation may expose internal infrastructure to unauthorized access.