{"id":3555,"date":"2025-05-15T10:25:30","date_gmt":"2025-05-15T10:25:30","guid":{"rendered":"https:\/\/certera.com\/blog\/?p=3555"},"modified":"2025-05-15T10:25:31","modified_gmt":"2025-05-15T10:25:31","slug":"tacacs-authentication-bypass-flaw-exposes-devices-to-full-compromise","status":"publish","type":"post","link":"https:\/\/certera.com\/blog\/tacacs-authentication-bypass-flaw-exposes-devices-to-full-compromise\/","title":{"rendered":"TACACS+ Authentication Bypass Flaw Exposes Devices to Full Compromise\u00a0"},"content":{"rendered":"\n

Cybersecurity experts are concerned about a high-impact vulnerability in Fortinet’s FortiOS, FortiProxy, and FortiSwitchManager, designated as CVE-2025-22252. <\/p>\n\n\n\n

The vulnerability could allow the attacker to circumvent authentication and gain privileges as an administrator on enterprise networks that deploy Fortinet security appliances.\u00a0\u00a0<\/p>\n\n\n\n

What is CVE-2025-22252?\u00a0<\/h2>\n\n\n\n

CVE-2025-22252 is an authentication for critical function vulnerability with a CVSSv3 score of 9.0 for Fortinet products FortiOS, FortiProxy, and FortiSwitchManager that are set up to use TACACS+ with ASCII authentication. <\/p>\n\n\n\n

If it is exploited, an attacker with limited privileges can bypass authentication and obtain administrator privileges on the device.\u00a0<\/p>\n\n\n\n

Affected Products and Versions\u00a0<\/h2>\n\n\n\n

The critical vulnerability affects several Fortinet products that are set up to use TACACS+ with ASCII authentication. The vulnerability exists in FortiOS, FortiProxy, and FortiSwitchManager on identified firmware versions. <\/p>\n\n\n\n

The affected versions are FortiOS versions 7.6.0\u00a0or 7.4.4 to 7.4.6, FortiProxy 7.6.0 and 7.6.1, and FortiSwitchManager 7.2.5. Any version older than FortiOS 7.2, 7.0, or 6.4, or any earlier build of FortiProxy or FortiSwitchManager, is not affected by this vulnerability. <\/p>\n\n\n\n

Organizations impacted by this vulnerability should take action immediately by upgrading or implementing temporary mitigation.\u00a0<\/p>\n\n\n\n

Official Fixes and Recommendations\u00a0<\/h2>\n\n\n\n

Fortinet has rolled out firmware upgrades that fully address CVE-2025-22252. If you are using FortiOS, you should upgrade to v7.4.7 or v7.6.1 or higher. FortiProxy users should upgrade to at least v7.6.2. FortiSwitchManager users should upgrade to at least v7.2.6. <\/p>\n\n\n\n

If you are unable to patch immediately, Fortinet offers a workaround: change the authentication method to PAP, MSCHAP, or CHAP (any of those because they do not suffer from the vulnerability). <\/p>\n\n\n\n

This workaround can be completed through CLI configuration changes, and it was described as leveraging the benefit of the Fortinet products without the ability for anyone to access it as an administrator.\u00a0<\/p>\n\n\n\n

Why is this vulnerability so Dangerous?<\/h2>\n\n\n\n

CVE-2025-22252 is a high-severity vulnerability because it provides a complete authentication bypass to sensitive operations in Fortinet appliances. If an attacker knows an existing administrator username, they can trick the system into providing administrative access \u2014 they don’t need the password either! <\/p>\n\n\n\n

As a result, this flaw is incredibly dangerous in Enterprise environments, especially anywhere Fortinet firewalls, proxies, or switch managers are used to protect infrastructure. <\/p>\n\n\n\n

The attacker could fully exploit the experience of gaining full control over network security devices, exposing internal lateral movement through the system, exfiltrating concrete network data, and even disabling critical defenses with no significant traces (i.e., this is really bad news in terms of compromising infrastructure).\u00a0<\/p>\n\n\n\n

CVSS Scores and Risk Assessment\u00a0<\/h2>\n\n\n\n

Here are the vulnerability ratings that define the severity of CVE-2025-22252, helping security teams prioritize action: <\/p>\n\n\n\n