CVE-2025-22251: Improper Restriction of Communication Channel to Intended Endpoints in Fortinet FortiOS

Severity
NVD: 5.3 MEDIUM
CNA: 3.1
EPSS
0.2% (top 56.50%)
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Jun 10

Description

An improper restriction of communication channel to intended endpoints vulnerability [CWE-923] in FortiOS 7.6.0, 7.4.0 through 7.4.5, 7.2 all versions, 7.0 all versions, 6.4 all versions may allow an unauthenticated attacker to inject unauthorized sessions via crafted FGSP session synchronization packets.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Exploitability: 3.9 | Impact: 1.4

Affected Packages (2 packages)

NVD: fortinet/fortios, 6.4.0 to 7.4.6 (+1)
CVEList V5: fortinet/fortios, 7.4.0 to 7.4.5 (+4)

Vulnerability Details (2)

GHSA
GHSA-mp2w-h9wf-5497: An improper restriction of communication channel to intended endpoints vulnerability [CWE-923] in FortiOS 7 (2025-06-10)
CVEList
CVE-2025-22251: An improper restriction of communication channel to intended endpoints vulnerability [CWE-923] in FortiOS 7 (2025-06-10)

Vendor Advisories (1)

Fortinet
Firewall session injection in FGSP (2025-06-10)
CVE-2025-22251 — Fortinet Fortios vulnerability | cvebase