Fortinet has revealed a critical security vulnerability that allows attackers to bypass authentication and gain full administrative access to affected devices. The vulnerability, CVE-2025-22252, impacts FortiOS, FortiProxy, and FortiSwitchManager products that use TACACS+ with ASCII authentication.
What the Vulnerability Does
This flaw allows an attacker who knows existing admin credentials to access an affected device as a legitimate administrator. Bypassing authentication in this way can give full control over the network device, risking data theft, service disruption, or further intrusion into the network.
Affected Versions
Fortinet’s advisory lists the following vulnerable product versions:
- FortiOS 7.6.0, 7.4.4 to 7.4.6
- FortiProxy 7.6.0 to 7.6.1
- FortiSwitchManager 7.2.5
Earlier versions of these products are not affected by the vulnerability.
Recommended Actions
Fortinet urges users to upgrade to the following patched versions:
- FortiOS 7.6.1 or above
- FortiProxy 7.6.2 or above
- FortiSwitchManager 7.2.6 or above
For those unable to update immediately, a temporary workaround is available: organizations can switch the TACACS+ configuration to an alternative authentication method such as PAP, MSCHAP, or CHAP, which are unaffected.
Why ASCII Authentication Is the Issue
The flaw specifically affects ASCII authentication within TACACS+, a protocol used to control administrative access to routers and other network devices. Other authentication methods such as PAP and MSCHAP are not vulnerable.
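To turn the affected-version list and the ASCII-only condition into a quick audit, here is an added example (not Fortinet's code or tooling) that checks a product version against the advisory's ranges and scans a FortiOS-style config excerpt for TACACS+ server entries set to ASCII authentication. It assumes the CLI layout `config user tacacs+` / `edit "<name>"` / `set authen-type <type>`; the sample config is constructed, not from a real device.

```python
"""Audit helper for CVE-2025-22252 exposure (constructed example, not Fortinet code)."""
import re

# Affected ranges from the advisory, inclusive: product -> [(lowest, highest), ...]
AFFECTED = {
    "FortiOS": [((7, 6, 0), (7, 6, 0)), ((7, 4, 4), (7, 4, 6))],
    "FortiProxy": [((7, 6, 0), (7, 6, 1))],
    "FortiSwitchManager": [((7, 2, 5), (7, 2, 5))],
}


def parse_version(version):
    """'7.4.5' or 'v7.4.5' -> (7, 4, 5) so ranges compare as tuples."""
    return tuple(int(part) for part in version.strip().lstrip("v").split("."))


def version_affected(product, version):
    ver = parse_version(version)
    return any(lo <= ver <= hi for lo, hi in AFFECTED.get(product, []))


def ascii_tacacs_servers(config_text):
    """Names of TACACS+ server entries explicitly set to 'authen-type ascii'.
    Entries with no authen-type line use the device default and are not judged here."""
    block = re.search(r"config user tacacs\+\n(.*?)\nend", config_text, re.S)
    if not block:
        return []
    flagged = []
    for entry in re.finditer(r'edit "([^"]+)"\n(.*?)\n\s*next', block.group(1), re.S):
        name, body = entry.group(1), entry.group(2)
        authen = re.search(r"set authen-type (\S+)", body)
        if authen and authen.group(1).lower() == "ascii":
            flagged.append(name)
    return flagged


def assess(product, version, config_text):
    """Combine both checks: exposure needs an affected build AND an ASCII server."""
    servers = ascii_tacacs_servers(config_text)
    if version_affected(product, version):
        return ("vulnerable", servers) if servers else ("patch-pending", [])
    return ("not-affected", servers)


# Constructed sample config (assumed CLI syntax; one ASCII entry, one PAP entry).
SAMPLE_CONFIG = """config user tacacs+
    edit "corp-tacacs"
        set server "192.0.2.10"
        set authen-type ascii
    next
    edit "lab-tacacs"
        set server "192.0.2.11"
        set authen-type pap
    next
end
"""

if __name__ == "__main__":
    print(assess("FortiOS", "7.4.5", SAMPLE_CONFIG))  # ('vulnerable', ['corp-tacacs'])
```

A "patch-pending" result means the build is in an affected range even though no ASCII entry was found, so the upgrade still applies.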
Acknowledging the Researchers
Fortinet credited Cam B from Vital and Matheus Maia from NBS Telecom for discovering and responsibly reporting the vulnerability, underscoring the importance of the security research community.
Action Required
Organizations using the affected versions are urged to review their configurations and update immediately to protect their network infrastructure from potential exploitation.