Fortinet FortiOS up to 7.6.0 FGSP communication channel to intended endpoints

Summaryinfo

A vulnerability, which was classified as problematic, was found in Fortinet FortiOS up to 6.4.16/7.0.17/7.2.11/7.4.5/7.6.0. Affected is an unknown function of the component FGSP Handler. Executing a manipulation can lead to communication channel to intended endpoints. This vulnerability is tracked as CVE-2025-22251. The attack is only possible within the local network. No exploit exists. You should upgrade the affected component.

Detailsinfo

A vulnerability was found in Fortinet FortiOS up to 6.4.16/7.0.17/7.2.11/7.4.5/7.6.0. It has been declared as problematic. This vulnerability affects some unknown functionality of the component FGSP Handler. The manipulation with an unknown input leads to a communication channel to intended endpoints vulnerability. The CWE definition for the vulnerability is CWE-923. The product establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint. As an impact it is known to affect integrity. CVE summarizes:

An improper restriction of communication channel to intended endpoints vulnerability [CWE-923] in FortiOS 7.6.0, 7.4.0 through 7.4.5, 7.2 all versions, 7.0 all versions, 6.4 all versions may allow an unauthenticated attacker to inject unauthorized sessions via crafted FGSP session synchronization packets.

The advisory is shared for download at fortiguard.fortinet.com. This vulnerability was named CVE-2025-22251 since 01/02/2025. The exploitation appears to be difficult. The attack can only be initiated within the local network. No form of authentication is required for a successful exploitation. There are neither technical details nor an exploit publicly available.

The vulnerability scanner Nessus provides a plugin with the ID 238105 (Fortinet Fortigate Firewall session injection in FGSP (FG-IR-24-287)), which helps to determine the existence of the flaw in a target environment.

Upgrading eliminates this vulnerability.

The vulnerability is also documented in the vulnerability database at Tenable (238105). VulDB is the best source for vulnerability data and more expert information about this specific topic.

Productinfo

Type

• Firewall Software

Vendor

• Fortinet

Name

• FortiOS

Version

• 6.4.0
• 6.4.1
• 6.4.2
• 6.4.3
• 6.4.4
• 6.4.5
• 6.4.6
• 6.4.7
• 6.4.8
• 6.4.9
• 6.4.10
• 6.4.11
• 6.4.12
• 6.4.13
• 6.4.14
• 6.4.15
• 6.4.16
• 7.0
• 7.0.0
• 7.0.1
• 7.0.2
• 7.0.3
• 7.0.4
• 7.0.5
• 7.0.6
• 7.0.7
• 7.0.8
• 7.0.9
• 7.0.10
• 7.0.11
• 7.0.12
• 7.0.13
• 7.0.14
• 7.0.15
• 7.0.16
• 7.0.17
• 7.1
• 7.2
• 7.2.0
• 7.2.1
• 7.2.2
• 7.2.3
• 7.2.4
• 7.2.5
• 7.2.6
• 7.2.7
• 7.2.8
• 7.2.9
• 7.2.10
• 7.2.11
• 7.3
• 7.4
• 7.4.0
• 7.4.1
• 7.4.2
• 7.4.3
• 7.4.4
• 7.4.5
• 7.5
• 7.6.0

License

• commercial

Website

• Vendor: https://www.fortinet.com/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Discussion