Introduction
Intercepting and tampering with encrypted enterprise traffic is a real risk when certificate validation is implemented incorrectly. CVE-2025-25253 exposes FortiProxy and FortiOS ZTNA proxy deployments to man-in-the-middle attacks through a certificate host mismatch flaw, potentially undermining the security of remote access solutions in production environments.
Fortinet is a major global vendor of network security appliances, including FortiProxy and FortiOS, with a significant presence in enterprise and service provider networks. Their ZTNA (Zero Trust Network Access) solutions are widely adopted for secure remote access and application segmentation. Fortinet products are known for their breadth of features and are deployed in thousands of organizations worldwide.
Technical Information
CVE-2025-25253 is an "improper validation of certificate with host mismatch" vulnerability, classified as CWE-297. The flaw exists in the ZTNA proxy component of both FortiProxy and FortiOS. When a client initiates a connection to the ZTNA proxy, the software fails to verify that the certificate presented by the server matches the expected hostname for the connection. This allows an attacker positioned as a man-in-the-middle to present a valid certificate issued for a different host, which the proxy incorrectly accepts. As a result, the attacker can intercept and potentially modify encrypted traffic between the client and the ZTNA proxy.
The vulnerability is limited to the ZTNA proxy functionality. There are no public code snippets or proof-of-concept details available. The root cause is a failure to enforce strict hostname verification during certificate validation, which is a critical requirement for secure TLS communication: a certificate that chains to a trusted CA and is unexpired is still not acceptable unless its Subject Alternative Name covers the host the client intended to reach. This type of flaw is well documented in the security community and can have significant consequences for the confidentiality and integrity of network traffic.
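To make the missing check concrete, here is an added example that is not Fortinet's code (no public proof of concept exists for this CVE): a simplified RFC 6125 hostname match against a certificate's Subject Alternative Name entries, plus a Python ssl client context built with the hostname check disabled (the CWE-297 pattern, where a valid certificate for a different host is accepted) beside the enforcing one. All hostnames and SAN values are constructed.

```python
"""Hostname verification of the kind a TLS client must perform after chain validation.

Constructed example: a certificate is only acceptable if one of its SAN entries
covers the host the client intended to reach; a trusted, unexpired certificate
for some other host must be rejected.
"""
import ssl
from ipaddress import ip_address


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName SAN pattern against a hostname (simplified RFC 6125 rules)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # A wildcard is only honoured as the entire left-most label, it never spans
    # label boundaries, and patterns like "*.com" are refused outright.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches_cert(expected_host: str, san_entries: list[tuple[str, str]]) -> bool:
    """Return True only if expected_host is covered by the certificate's SAN.

    san_entries uses the shape of ssl's getpeercert()["subjectAltName"]:
    ("DNS", name) or ("IP Address", addr). An IP literal must match an IP SAN
    entry; it is never matched against a DNS entry.
    """
    try:
        ip = ip_address(expected_host)
    except ValueError:
        ip = None
    for kind, value in san_entries:
        if ip is not None and kind == "IP Address":
            try:
                if ip_address(value) == ip:
                    return True
            except ValueError:
                continue  # constructed/malformed IP SAN entry: skip it
        elif ip is None and kind == "DNS" and _dns_name_matches(value, expected_host):
            return True
    return False


def client_context(enforce_hostname: bool) -> ssl.SSLContext:
    """Client TLS context; enforce_hostname=False reproduces the CWE-297 weakness.

    In both cases the chain is validated (CERT_REQUIRED); only the weak variant
    skips the host match, so any trusted certificate is accepted for any host.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.check_hostname = enforce_hostname  # the check the vulnerable proxy lacks
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx
```

The hardened context is what `ssl.create_default_context` already produces; the weak variant is shown only so the difference can be spotted in code review.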
Affected Systems and Versions
- FortiProxy version 7.6.1 and below
- FortiProxy version 7.4.8 and below
- FortiProxy 7.2 all versions
- FortiProxy 7.0 all versions
- FortiOS version 7.6.2 and below
- FortiOS version 7.4.8 and below
- FortiOS 7.2 all versions
- FortiOS 7.0 all versions
The vulnerability specifically affects the ZTNA proxy component. All configurations using ZTNA proxy in the above versions are vulnerable.
Vendor Security History
Fortinet has experienced several certificate validation and authentication vulnerabilities in its product lines, particularly affecting VPN and ZTNA features. The company maintains a dedicated Product Security Incident Response Team (PSIRT) and generally responds quickly to reported vulnerabilities, issuing advisories and patches in a timely manner. Notable past issues include improper certificate validation and authentication bypasses in FortiOS and FortiProxy. Some high and critical severity vulnerabilities in Fortinet products have been exploited in the wild, highlighting the importance of prompt patching.