{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-25255", "assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "state": "PUBLISHED", "assignerShortName": "fortinet", "dateReserved": "2025-02-05T13:31:18.867Z", "datePublished": "2025-10-14T15:23:09.821Z", "dateUpdated": "2025-10-14T15:23:09.821Z"}, "containers": {"cna": {"affected": [{"vendor": "Fortinet", "product": "FortiOS", "cpes": ["cpe:2.3:o:fortinet:fortios:7.6.3:*:*:*:*:*:*:*", "cpe:2.3:o:fortinet:fortios:7.6.2:*:*:*:*:*:*:*", "cpe:2.3:o:fortinet:fortios:7.6.1:*:*:*:*:*:*:*", "cpe:2.3:o:fortinet:fortios:7.6.0:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "versions": [{"versionType": "semver", "version": "7.6.0", "lessThanOrEqual": "7.6.3", "status": "affected"}]}, {"vendor": "Fortinet", "product": "FortiProxy", "cpes": [], "defaultStatus": "unaffected", "versions": [{"versionType": "semver", "version": "7.6.0", "lessThanOrEqual": "7.6.3", "status": "affected"}, {"versionType": "semver", "version": "7.4.0", "lessThanOrEqual": "7.4.11", "status": "affected"}, {"versionType": "semver", "version": "7.2.0", "lessThanOrEqual": "7.2.15", "status": "affected"}, {"versionType": "semver", "version": "7.0.1", "lessThanOrEqual": "7.0.21", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "An Improperly Implemented Security Check for Standard vulnerability [CWE-358] in FortiProxy 7.6.0 through 7.6.3, 7.4 all versions, 7.2 all versions, 7.0.1 through 7.0.21, and FortiOS 7.6.0 through 7.6.3 explicit web proxy may allow an authenticated proxy user to bypass the domain fronting protection feature via crafted HTTP requests."}], "providerMetadata": {"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "shortName": "fortinet", "dateUpdated": "2025-10-14T15:23:09.821Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-358", "description": "Improper access control", "type": "CWE"}]}], "solutions": [{"lang": "en", "value": "Upgrade to FortiOS version 7.6.4 or above\nUpgrade to FortiProxy version 7.6.4 or above"}], "references": [{"name": "https://fortiguard.fortinet.com/psirt/FG-IR-24-372", "url": "https://fortiguard.fortinet.com/psirt/FG-IR-24-372"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An Improperly Implemented Security Check for Standard vulnerability [CWE-358] in FortiProxy 7.6.0 through 7.6.3, 7.4 all versions, 7.2 all versions, 7.0.1 through 7.0.21, and FortiOS 7.6.0 through 7.6.3 explicit web proxy may allow an authenticated proxy user to bypass the domain fronting protection feature via crafted HTTP requests."}], "id": "CVE-2025-25255", "lastModified": "2025-10-14T19:36:29.240", "metrics": {}, "published": "2025-10-14T16:15:37.020", "references": [{"source": "psirt@fortinet.com", "url": "https://fortiguard.fortinet.com/psirt/FG-IR-24-372"}], "sourceIdentifier": "psirt@fortinet.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-358"}], "source": "psirt@fortinet.com", "type": "Primary"}]}

{}

{}