At Logically, maintaining the security of your network is our mission.
We want to bring to your attention a recently disclosed Fortinet vulnerability identified as CVE-2025-22252 on May 13, 2025. This Fortinet CVE highlights a security issue involving TACACS+ authentication on specific Fortinet devices, including FortiGate firewalls and FortiProxy appliances.
Understanding CVE-2025-22252
This is an authentication bypass vulnerability affecting Fortinet products that utilize the TACACS+ protocol with ASCII authentication. TACACS+ is a centralized authentication method developed by Cisco, commonly used for managing administrative access and permissions across network devices.
Key Facts:
Who Is Affected?
Only customers who have implemented TACACS+ authentication with ASCII on their Fortinet devices are affected. If your organization does not use this authentication method, this vulnerability cannot be exploited against your devices. Furthermore, devices running firmware versions 7.2.x and below are not impacted.
Recommended Firmware Upgrades
Fortinet has released patched firmware to address the vulnerability. At Logically, we recommend upgrading to the patched version as soon as possible.
Note: FortiOS Versions 7.4.4 through 7.4.6 are affected. Any devices operating on these firmware versions should be upgraded to 7.4.7. FortiOS Versions in the 7.2.x family are not affected.
If you cannot upgrade immediately, Fortinet has provided workaround instructions to temporarily mitigate the risk.
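As an added example (not Logically's or Fortinet's own tooling), the following Python triages a single device against the two conditions stated in this notice: the affected firmware range 7.4.4 through 7.4.6 and the use of TACACS+ with ASCII authentication. The `config user tacacs+` / `set authen-type` CLI layout is an assumption, and the sample config is constructed for the demonstration.

```python
import re
# Affected range stated in the advisory: FortiOS 7.4.4 through 7.4.6, fixed in 7.4.7.
AFFECTED_MIN = (7, 4, 4)
AFFECTED_MAX = (7, 4, 6)
# Constructed sample config for demonstration only (not taken from any real device).
SAMPLE_CONFIG = """
config user tacacs+
    edit "corp-tacacs"
        set authen-type ascii
    next
end
"""

def parse_version(text):
    """Turn 'v7.4.5' or '7.4.5,build2510' into a (major, minor, patch) tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised FortiOS version string: {text!r}")
    return tuple(int(x) for x in m.groups())

def tacacs_authen_types(config):
    """List the authen-type of each entry under 'config user tacacs+'.
    Assumption: FortiOS CLI layout; an entry with no explicit authen-type is 'auto'."""
    types, in_block, entry_type = [], False, None
    for raw in config.splitlines():
        s = raw.strip().lower()
        if s.startswith("config user tacacs+"):
            in_block = True
        elif in_block and s.startswith("edit "):
            entry_type = "auto"
        elif in_block and s.startswith("set authen-type "):
            entry_type = s.split()[-1]
        elif in_block and s == "next":
            types.append(entry_type)
        elif in_block and s == "end":
            in_block = False
    return types

def triage(version_str, config):
    """Classify one device as 'patch', 'review' or 'not-affected' per this notice."""
    v = parse_version(version_str)
    types = tacacs_authen_types(config)
    if v[:2] <= (7, 2) or (v[:2] == (7, 4) and v > AFFECTED_MAX):
        return "not-affected"  # 7.2.x and below, or 7.4.7 and later 7.4 builds
    if not ({"ascii", "auto"} & set(types)):
        return "not-affected"  # TACACS+ ASCII authentication is not in use
    if not (AFFECTED_MIN <= v <= AFFECTED_MAX):
        return "review"  # version not covered by this notice; check Fortinet's advisory
    return "patch" if "ascii" in types else "review"  # 'auto': negotiated type unknown
```

Versions this notice does not list (for example 7.4.0 through 7.4.3 or the 7.6 branch) come back as "review" rather than "not-affected", so they are checked against Fortinet's advisory instead of being silently cleared.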
What Logically Is Doing
Our team is actively reviewing customer environments and has begun creating tickets for all devices operating on an affected firmware. Our goals are to:
If you are not a managed customer but need help applying a patch or verifying your vulnerability status, we offer assistance under billable support hours. Contact us directly at help@logically.com or call us at 866-946-9638 to get support or to discuss a transition to a managed security service.
Immediate Next Steps
If you're unsure whether your devices are vulnerable, take these steps:
Conclusion
Staying current with firmware updates and security advisories is key to protecting your environment. While this TACACS+ vulnerability has not been actively exploited to date, taking preventive action now will safeguard your network from potential misuse.
At Logically, we remain committed to keeping your systems protected and your teams informed. To discuss how Logically can support your security strategy, or to address any concerns about this vulnerability, please do not hesitate to contact us. Your vigilance and partnership help us build stronger, safer networks—one update at a time.