7.2

CVE-2025-22254

An Improper Privilege Management vulnerability [CWE-269] affecting Fortinet FortiOS version 7.6.0 through 7.6.1, 7.4.0 through 7.4.6, 7.2.0 through 7.2.10, 7.0.0 through 7.0.16 and before 6.4.15, FortiProxy version 7.6.0 through 7.6.1 and before 7.4.7 & FortiWeb version 7.6.0 through 7.6.1 and before 7.4.6 allows an authenticated attacker with at least read-only admin permissions to gain super-admin privileges via crafted requests to Node.js websocket module.

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
Diese Information steht angemeldeten Benutzern zur Verfügung.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
FortinetFortios Version >= 6.4.0 < 6.4.16
FortinetFortios Version >= 7.0.0 < 7.0.17
FortinetFortios Version >= 7.2.0 < 7.2.11
FortinetFortios Version >= 7.4.0 < 7.4.7
FortinetFortios Version >= 7.6.0 < 7.6.2
FortinetFortiproxy Version >= 7.4.0 < 7.4.8
FortinetFortiproxy Version >= 7.6.0 < 7.6.2
FortinetFortiweb Version >= 7.4.0 < 7.4.7
FortinetFortiweb Version >= 7.6.0 < 7.6.2
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.07% 0.203
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.2 1.2 5.9
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
psirt@fortinet.com 6.6 0.7 5.9
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE-269 Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.