CVE-2025-25255

CWE-358 | 5 documents | 5 sources
Severity: 4.3 MEDIUM
EPSS: 0.0% (top 93.71%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published 2025-10-14

Description

An Improperly Implemented Security Check for Standard vulnerability [CWE-358] in Fortinet FortiOS 7.6.0 through 7.6.3, FortiProxy 7.6.0 through 7.6.3, FortiProxy 7.4.0 through 7.4.11, FortiProxy 7.2 all versions, and FortiProxy 7.0.1 through 7.0.22 may allow an unauthenticated proxy user to bypass the domain fronting protection feature via crafted HTTP requests.

Domain fronting names one host in the outer part of a connection (the CONNECT target or the TLS SNI) and a different host in the inner HTTP Host header, so that a filter which evaluates only the outer name forwards traffic to the inner one. The protection feature on the explicit web proxy exists to compare those names; this CVE lets crafted requests get past that comparison, which is why the impact is scored as a Low loss of integrity with no confidentiality or availability impact.
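
As an added illustration, the check below shows what a domain fronting protection on an explicit web proxy has to compare: the outer CONNECT target, the TLS SNI, and the host named by the request itself (the absolute-form request target and the Host header). It is not FortiOS or FortiProxy code, it does not reproduce the crafted requests from the advisory, and the function names and sample requests are the editor's own constructions.

```python
"""Generic SNI / request-target / Host consistency check for an explicit web proxy.

Added illustration of the principle behind a domain fronting protection; not
vendor code, and the crafted requests from the advisory are not reproduced here.
"""
from urllib.parse import urlsplit


def normalize_host(value):
    """Lower-case a host, drop a trailing dot and a port, unwrap IPv6 brackets."""
    if value is None:
        return None
    h = value.strip().lower()
    if h.startswith("["):                      # [2001:db8::1]:443
        end = h.find("]")
        h = h[1:end] if end != -1 else h
    elif h.count(":") == 1:                    # example.com:443 (not a bare IPv6)
        h = h.rsplit(":", 1)[0]
    h = h.rstrip(".")
    return h or None


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, normalized authority, headers).

    headers maps lower-cased field names to the list of values seen, so a
    duplicated Host header is preserved rather than silently collapsed.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *field_lines = head.split("\r\n")
    parts = request_line.split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % request_line)
    method, target, _version = parts
    headers = {}
    for line in field_lines:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    if method == "CONNECT":
        authority = target                     # authority-form: host:port
    elif "://" in target:
        authority = urlsplit(target).netloc    # absolute-form, the norm for explicit proxies
    else:
        authority = None                       # origin-form: only Host names the origin
    return method, normalize_host(authority), headers


def fronting_check(request, sni=None, connect_target=None):
    """Return (consistent, names).

    request        -- the request the proxy sees in cleartext: a plain HTTP
                      explicit-proxy request, or the decrypted inner request
                      after a CONNECT tunnel with TLS inspection.
    sni            -- server_name from the client's TLS ClientHello, if seen.
    connect_target -- authority from the outer CONNECT request, if any.

    Every name that is present must agree, and Host must not be duplicated;
    one disagreement is enough to flag the flow as a candidate fronted request.
    """
    _method, target_host, headers = parse_request(request)
    host_values = headers.get("host", [])
    names = {
        "connect": normalize_host(connect_target),
        "sni": normalize_host(sni),
        "target": target_host,
        "host": normalize_host(host_values[0]) if host_values else None,
    }
    present = {v for v in names.values() if v is not None}
    consistent = len(present) <= 1 and len(host_values) <= 1
    return consistent, names


# Constructed sample flows (editor's examples, not captures from the advisory).
PLAIN_OK = (b"GET http://www.example.com/index.html HTTP/1.1\r\n"
            b"Host: WWW.Example.COM:80\r\n\r\n")
FRONTED_INNER = b"GET /api HTTP/1.1\r\nHost: hidden.example\r\n\r\n"
DOUBLE_HOST = (b"GET / HTTP/1.1\r\nHost: allowed.example\r\n"
               b"Host: hidden.example\r\n\r\n")

if __name__ == "__main__":
    print(fronting_check(PLAIN_OK))
    print(fronting_check(FRONTED_INNER, sni="allowed.example",
                         connect_target="allowed.example:443"))
    print(fronting_check(DOUBLE_HOST))
```

Two caveats matter when reading a result. The proxy only has the inner Host header when it terminates TLS (deep inspection); without that it can compare the CONNECT target against the SNI only, and an SNI/Host mismatch is invisible to it. Second, RFC 7230 section 5.4 tells a proxy that receives an absolute-form request target to take the authority from the target and ignore Host; a filter should still look at both, as above, and treat a disagreement as a finding rather than silently picking one of the two names.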

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Exploitability: 3.9 | Impact: 1.4

Caveat: under the CVSS 3.1 base formula this vector scores 5.3 (exploitability 3.9 plus impact 1.4, rounded up), not the 4.3 shown at the top of the page; 4.3 is what the same vector yields with PR:L. The headline score and the vector displayed here therefore do not come from the same scoring, so check the vendor advisory and NVD record directly before quoting either.

Affected Packages (4 packages)

Source     | Package             | Versions as listed
NVD        | fortinet/fortiproxy | 7.0.1 to 7.6.4
CVEListV5  | fortinet/fortiproxy | 7.6.0 to 7.6.3 (+3 more)
NVD        | fortinet/fortios    | 7.6.0 to 7.6.4
CVEListV5  | fortinet/fortios    | 7.6.0 to 7.6.3

The CVE List rows end at the last affected release named in the description (7.6.3 inclusive); the NVD rows end one release later, at 7.6.4, so read the NVD upper bound as exclusive and the CVE List bound as inclusive when matching a deployed version.

Vulnerability Details (2)

CVEList: CVE-2025-25255: An Improperly Implemented Security Check for Standard vulnerability [CWE-358] vulnerability in Fortinet FortiOS 7... (2025-10-14)
GHSA: GHSA-mgv9-8jj6-qq93: An Improperly Implemented Security Check for Standard vulnerability [CWE-358] in FortiProxy 7... (2025-10-14)

Vendor Advisories

Fortinet: Domain fronting protection bypass in explicit web proxy (2025-10-14)
Source: cvebase.io, CVE-2025-25255 (MEDIUM, CVSS 4.3)