Security researchers have discovered several dangerous vulnerabilities in popular Fortinet products, with the most severe allowing attackers to completely bypass authentication and gain unauthorized administrative access to critical network infrastructure devices.

Critical Authentication Bypass in Multiple Fortinet Products

A particularly concerning authentication bypass vulnerability identified as CVE-2025-22252 has been found affecting several Fortinet networking products. This critical security flaw impacts Fortinet devices configured to use TACACS+ with ASCII authentication, creating a significant risk for organizations worldwide.

Severity and Impact

The vulnerability is especially dangerous because it allows attackers who know existing administrator account names to access devices as legitimate administrators, completely circumventing the normal authentication process. Once exploited, this flaw potentially grants unauthorized users complete control over network infrastructure devices, enabling them to:

  • Access sensitive configuration settings
  • Modify network security policies
  • Execute privileged commands
  • Potentially compromise the entire network

Security researchers Vital and Matheus Maia discovered and responsibly reported this vulnerability to Fortinet, highlighting the critical role of security research in protecting enterprise infrastructure.

Affected Products and Versions

The Fortinet authentication bypass vulnerability affects specific versions of multiple products:

  • FortiOS 7.6.0
  • FortiOS 7.4.4 through 7.4.6
  • FortiProxy 7.6.0 to 7.6.1
  • FortiSwitchManager 7.2.5

Unaffected Versions

It’s important to note that earlier versions of these products are not affected by this vulnerability:

  • FortiOS 7.2, 7.0, and 6.4
  • FortiProxy 7.4, 7.2, 7.0, and 2.0
  • FortiSwitchManager 7.0

Immediate Remediation Steps

Patched Versions Available

Fortinet has released security updates to address this critical vulnerability. Organizations should update immediately to these patched versions:

  • FortiOS 7.6.1 or higher
  • FortiOS 7.4.7 or higher
  • FortiProxy 7.6.2 or later
  • FortiSwitchManager 7.2.6 or later

Temporary Workaround

For organizations unable to update immediately, Fortinet has provided an alternative mitigation strategy. Administrators can configure their devices to use different authentication methods that are not vulnerable to this exploit:

  • Switch from ASCII authentication to PAP, MSCHAP, or CHAP authentication methods
  • Implement this change through the command line interface by modifying the TACACS+ configuration

Technical Details of the Vulnerability

TACACS+ Protocol Vulnerability

The security flaw specifically affects configurations where ASCII authentication is used with the TACACS+ protocol. TACACS+ (Terminal Access Controller Access-Control System Plus) is a remote authentication protocol that provides centralized access control for network devices.

The vulnerability exists because ASCII authentication handles credential transmission differently than other methods like PAP, MSCHAP, and CHAP. This specific implementation difference creates the security gap that allows for authentication bypass.

Why This Matters

This vulnerability is particularly concerning for several reasons:

  1. Authentication systems are the first line of defense for network infrastructure
  2. Compromised networking equipment can lead to lateral movement throughout an organization
  3. Administrative access to networking equipment can enable traffic interception and man-in-the-middle attacks
  4. Attackers could potentially erase logs to hide evidence of compromise

Additional Fortinet Security Issues

Beyond the authentication bypass vulnerability, Fortinet has also addressed a zero-day vulnerability in FortiVoice products that was being actively exploited in the wild. This separate vulnerability allowed attackers to execute arbitrary code on affected systems.

Fortinet has released a security advisory for this issue as well, including Indicators of Compromise (IoCs) to help organizations determine if they’ve been affected by this exploit.

Recommended Security Practices

Organizations using Fortinet products should:

  1. Conduct an immediate inventory of all deployed Fortinet devices
  2. Verify configuration settings to determine if TACACS+ with ASCII authentication is in use
  3. Implement patches as quickly as possible to affected systems
  4. Monitor logs for suspicious authentication attempts
  5. Consider implementing network segmentation to limit potential damage from compromised devices
  6. Review account privileges to ensure principle of least privilege is followed

Industry Impact

This vulnerability highlights the ongoing security challenges facing network infrastructure providers. As network equipment increasingly serves as the backbone for critical operations across industries, securing these devices becomes paramount.

The discovery serves as a reminder that even well-established security vendors can have critical vulnerabilities in their products, emphasizing the importance of:

  • Regular security updates
  • Defense-in-depth strategies
  • Independent security audits
  • Proactive vulnerability management

Organizations using Fortinet products should take immediate action to protect their networks from this significant security threat before attackers can exploit this authentication bypass vulnerability in their environments.

Share this post

Author

Editorial Team
Editorial Team
The Editorial Team at Security Land is comprised of experienced professionals dedicated to delivering insightful analysis, breaking news, and expert perspectives on the ever-evolving threat landscape

Comments