TACACS+ Authentication Bypass Flaw Exposes Devices to Full Compromise 

1 Star2 Stars3 Stars4 Stars5 Stars (3 votes, average: 5.00 out of 5)
Loading...
CVE-2025-22252 Fortinet Security

Cybersecurity experts are concerned about a high-impact vulnerability in Fortinet’s FortiOS, FortiProxy, and FortiSwitchManager, designated as CVE-2025-22252.

The vulnerability could allow the attacker to circumvent authentication and gain privileges as an administrator on enterprise networks that deploy Fortinet security appliances.  

What is CVE-2025-22252? 

CVE-2025-22252 is an authentication for critical function vulnerability with a CVSSv3 score of 9.0 for Fortinet products FortiOS, FortiProxy, and FortiSwitchManager that are set up to use TACACS+ with ASCII authentication.

If it is exploited, an attacker with limited privileges can bypass authentication and obtain administrator privileges on the device. 

Affected Products and Versions 

The critical vulnerability affects several Fortinet products that are set up to use TACACS+ with ASCII authentication. The vulnerability exists in FortiOS, FortiProxy, and FortiSwitchManager on identified firmware versions.

The affected versions are FortiOS versions 7.6.0 or 7.4.4 to 7.4.6, FortiProxy 7.6.0 and 7.6.1, and FortiSwitchManager 7.2.5. Any version older than FortiOS 7.2, 7.0, or 6.4, or any earlier build of FortiProxy or FortiSwitchManager, is not affected by this vulnerability.

Organizations impacted by this vulnerability should take action immediately by upgrading or implementing temporary mitigation. 

Official Fixes and Recommendations 

Fortinet has rolled out firmware upgrades that fully address CVE-2025-22252. If you are using FortiOS, you should upgrade to v7.4.7 or v7.6.1 or higher. FortiProxy users should upgrade to at least v7.6.2. FortiSwitchManager users should upgrade to at least v7.2.6.

If you are unable to patch immediately, Fortinet offers a workaround: change the authentication method to PAP, MSCHAP, or CHAP (any of those because they do not suffer from the vulnerability).

This workaround can be completed through CLI configuration changes, and it was described as leveraging the benefit of the Fortinet products without the ability for anyone to access it as an administrator. 

Why is this vulnerability so Dangerous?

CVE-2025-22252 is a high-severity vulnerability because it provides a complete authentication bypass to sensitive operations in Fortinet appliances. If an attacker knows an existing administrator username, they can trick the system into providing administrative access — they don’t need the password either!

As a result, this flaw is incredibly dangerous in Enterprise environments, especially anywhere Fortinet firewalls, proxies, or switch managers are used to protect infrastructure.

The attacker could fully exploit the experience of gaining full control over network security devices, exposing internal lateral movement through the system, exfiltrating concrete network data, and even disabling critical defenses with no significant traces (i.e., this is really bad news in terms of compromising infrastructure). 

CVSS Scores and Risk Assessment 

Here are the vulnerability ratings that define the severity of CVE-2025-22252, helping security teams prioritize action: 

  • CVSS v3 Base Score: 9.8 (Critical) 
  • CVSS v3 Temporal Score: 8.5 
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 
  • CVSS v2 Base Score: 10.0 (Critical) 
  • Temporal Score: 7.4 
  • Exploitability: No public exploits currently known 
  • Risk Factor: Critical (per Tenable and Fortinet assessment) 

What Security Teams Should Do Now?

  • Audit your Fortinet deployments – In particular, check for versions indicated as affected. 
  • Patch immediately – If you are running the vulnerable versions noted above. 
  • Use a recommended workaround, whenever possible – Consider alternative TACACS+ authentication methods if you’re not able to apply the patches. 
  • Monitor for unauthorized administrator logins – Set an alert for any suspicious logins. 
  • Run external vulnerability scans – If a scanner shows other flaws not patched by Fortinet the flaw or exploit can be added to the threat chain of unique vulnerability, and can be exploited. 

Stay Protected with SiteLock

Don’t let the attackers find the vulnerabilities in your network. Using SiteLock’s Vulnerability Scanning and Automated Patching solutions you can find, prioritize, and remediate existing security flaws similar to CVE-2025-22252 (and many others) before they are exploitable. 

Janki Mehta

Janki Mehta

Janki Mehta is a passionate Cyber-Security Enthusiast who keenly monitors the latest developments in the Web/Cyber Security industry. She puts her knowledge into practice and helps web users by arming them with the necessary security measures to stay safe in the digital world.