CVE-2025-22251

An improper restriction of communication channel to intended endpoints vulnerability [CWE-923] in FortiOS 7.6.0, 7.4.0 through 7.4.5, 7.2 all versions, 7.0 all versions, 6.4 all versions may allow an unauthenticated attacker to inject unauthorized sessions via crafted FGSP session synchronization packets.

CVSS v3 3.1 LOW

3.1^/10

CVSS v3 : LOW

V3 Legend

Vector :

Exploitability : 1.6 / Impact : 1.4

Attack Vector ADJACENT_NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://fortiguard.fortinet.com/psirt/FG-IR-24-287

Configurations

No configuration.

History

12 Jun 2025, 16:06

Type	Values Removed	Values Added
Summary		(es) Una vulnerabilidad de restricción incorrecta del canal de comunicación a los endpoints previstos [CWE-923] en FortiOS 7.6.0, 7.4.0 a 7.4.5, 7.2 todas las versiones, 7.0 todas las versiones, 6.4 todas las versiones puede permitir que un atacante no autenticado inyecte sesiones no autorizadas a través de paquetes de sincronización de sesión FGSP manipulados.

10 Jun 2025, 17:21

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-10 17:21

Updated : 2025-06-12 16:06

NVD link : CVE-2025-22251

Mitre link : CVE-2025-22251

CVE.ORG link : CVE-2025-22251

JSON object : View

Products Affected

No product.

CWE

CWE-923

Improper Restriction of Communication Channel to Intended Endpoints

3.1 /10