Improperly implemented security check for standard in FortiOS and FortiProxy - CVE-2025-25255
Published: October 14, 2025
Vulnerability identifier: #VU117133
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-25255
CWE-ID: CWE-358
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Fortinet, Inc
Affected software:
FortiOS
FortiProxy
FortiOS
FortiProxy
Detailed vulnerability description
The vulnerability allows a remote authenticated user to manipulate data.
The vulnerability exists due to improperly implemented security check for standard in explicit web proxy. An authenticated proxy user can bypass the domain fronting protection feature via crafted HTTP requests.
How to mitigate CVE-2025-25255
Install update from vendor's website.