CVE-2025-25253

7.5 HIGH

📋 TL;DR

This vulnerability allows man-in-the-middle attackers to intercept and tamper with connections to Fortinet's ZTNA proxy by exploiting improper certificate validation. It affects FortiProxy and FortiOS versions with ZTNA proxy enabled, potentially exposing sensitive data in transit.

💻 Affected Systems

Products:
  • FortiProxy
  • FortiOS
Versions: FortiProxy: 7.6.1 and below, 7.4.8 and below, 7.2 all, 7.0 all. FortiOS: 7.6.2 and below, 7.4.8 and below, 7.2 all, 7.0 all.
Operating Systems: FortiOS (proprietary)
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with ZTNA proxy functionality enabled and configured.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers intercept and manipulate all ZTNA proxy traffic, potentially stealing credentials, session tokens, and sensitive data, or injecting malicious content.

🟠 Likely Case: Targeted interception of specific connections to steal authentication credentials or session information.

🟢 If Mitigated: Limited impact if the ZTNA proxy is not exposed externally and internal network segmentation prevents MITM positioning.

🌐 Internet-Facing: HIGH - ZTNA proxies often handle external connections, making them prime targets for MITM attacks.
🏢 Internal Only: MEDIUM - Internal attackers with network access could still exploit this, but it requires a privileged on-path position.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Requires man-in-the-middle network positioning, but no authentication needed once positioned.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: FortiProxy 7.6.2, 7.4.9, 7.2.8, 7.0.14. FortiOS 7.6.3, 7.4.9, 7.2.8, 7.0.14.

Vendor Advisory: https://fortiguard.fortinet.com/psirt/FG-IR-24-457

Restart Required: Yes

Instructions:

1. Download the appropriate firmware from the Fortinet support portal.
2. Back up the configuration.
3. Apply the firmware update via GUI or CLI.
4. Reboot the device.
5. Verify the version and functionality.

🔧 Temporary Workarounds

Disable ZTNA Proxy (applies to: all)

Temporarily disable ZTNA proxy functionality if it is not required.

config firewall proxy-policy
edit <policy_id>
set status disable
end

Restrict Network Access (applies to: all)

Limit network access to the ZTNA proxy to trusted segments only.

config firewall policy
edit <policy_id>
set srcintf <trusted_interface>
set srcaddr <trusted_address>
end

🧯 If You Can't Patch

  • Implement network segmentation to isolate ZTNA proxy traffic from untrusted networks.
  • Use additional certificate pinning or validation at application layer if supported by clients.

🔍 How to Verify

Check if Vulnerable:

Check whether the ZTNA proxy is enabled and whether the firmware version falls in the affected range, via the GUI or the 'get system status' CLI command.

Check Version:

get system status | grep Version

Verify Fix Applied:

Confirm that the firmware version is a patched release and test certificate validation against host-mismatch scenarios (a certificate whose name does not match the expected host must be rejected).

📡 Detection & Monitoring

Log Indicators:

  • Unusual certificate validation failures
  • Multiple connection resets from same source
  • ZTNA proxy access from unexpected IPs

Network Indicators:

  • Unexpected certificates in TLS handshakes
  • MITM tool signatures in network traffic
  • Abnormal traffic patterns to ZTNA proxy

SIEM Query:

source="fortigate" (eventtype="traffic" OR eventtype="utm") dest_port=* (msg="*certificate*" OR msg="*TLS*" OR msg="*SSL*")
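As an added example (not part of this advisory card or any Fortinet tooling), the log indicators above can be checked offline with a small Python parser run over constructed FortiGate-style key=value lines. The field names follow the usual FortiGate syslog layout; the reset `action` values and the message texts are assumed sample values, not captured device output.

```python
import re
from collections import Counter

# Constructed FortiGate-style key=value log lines (not real device output); they
# mimic the syslog layout the SIEM query above filters on (type, msg, srcip, ...).
SAMPLE_LOGS = """\
date=2025-03-12 time=10:01:02 type="utm" subtype="ssl" level="warning" srcip=203.0.113.7 dstip=10.0.0.5 dstport=443 action="blocked" msg="SSL certificate validation failed: hostname mismatch"
date=2025-03-12 time=10:01:03 type="utm" subtype="ssl" level="warning" srcip=203.0.113.7 dstip=10.0.0.5 dstport=443 action="blocked" msg="TLS handshake error: untrusted certificate"
date=2025-03-12 time=10:01:04 type="traffic" subtype="forward" level="notice" srcip=203.0.113.7 dstip=10.0.0.5 dstport=443 action="client-rst" msg="Connection reset"
date=2025-03-12 time=10:01:05 type="traffic" subtype="forward" level="notice" srcip=203.0.113.7 dstip=10.0.0.5 dstport=443 action="client-rst" msg="Connection reset"
date=2025-03-12 time=10:01:06 type="traffic" subtype="forward" level="notice" srcip=203.0.113.7 dstip=10.0.0.5 dstport=443 action="server-rst" msg="Connection reset"
date=2025-03-12 time=10:01:07 type="traffic" subtype="forward" level="notice" srcip=198.51.100.9 dstip=10.0.0.5 dstport=443 action="accept" msg="Allowed"
"""

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')   # key=value or key="quoted value"
CERT_RE = re.compile(r"certificate|TLS|SSL", re.IGNORECASE)  # same terms as the SIEM query
RESET_ACTIONS = {"client-rst", "server-rst"}               # assumed reset action values

def parse_fortigate_line(line):
    """Split one FortiGate key=value line into a dict, unquoting quoted values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def parse_logs(text):
    """Parse every non-empty line of a log blob."""
    return [parse_fortigate_line(l) for l in text.splitlines() if l.strip()]

def cert_failures(records):
    """Records whose msg mentions certificate/TLS/SSL (the 'certificate validation failures' indicator)."""
    return [r for r in records if CERT_RE.search(r.get("msg", ""))]

def reset_sources(records, threshold=3):
    """Source IPs with at least `threshold` reset events (the 'multiple connection resets' indicator)."""
    counts = Counter(r["srcip"] for r in records if r.get("action") in RESET_ACTIONS)
    return {ip: n for ip, n in counts.items() if n >= threshold}

def suspicious_sources(records, threshold=3):
    """Sources that both produce certificate errors and exceed the reset threshold."""
    cert_ips = {r["srcip"] for r in cert_failures(records)}
    return sorted(ip for ip in reset_sources(records, threshold) if ip in cert_ips)

if __name__ == "__main__":
    recs = parse_logs(SAMPLE_LOGS)
    print(suspicious_sources(recs))  # ['203.0.113.7']
```

The combined check is deliberately stricter than the SIEM query, which only filters on message text; correlating certificate errors with repeated resets from the same source cuts down on noise from ordinary client misconfiguration.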
