CVE-2025-22862 is a medium-severity vulnerability affecting multiple versions of Fortinet's FortiProxy and FortiOS products, specifically FortiOS versions 7.4.0 through 7.4.7, 7.2 all versions, 7.0.6 and above; and FortiProxy versions 7.6.0 through 7.6.2, 7.4.0 through 7.4.8, 7.2 all versions, and 7.0.5 and above. The vulnerability is categorized as an Authentication Bypass Using an Alternate Path or Channel (CWE-288). It allows an attacker who is already authenticated with limited privileges to escalate their privileges by exploiting the Automation Stitch component via a maliciously crafted Webhook action. This means that an attacker with some level of access to the system can bypass normal authentication controls and gain higher-level privileges, potentially administrative, without needing additional authentication or user interaction. The CVSS v3.1 base score is 6.3, indicating a medium severity level. The vector indicates that the attack requires local access (AV:L), low attack complexity (AC:L), high privileges (PR:H), no user interaction (UI:N), unchanged scope (S:U), and impacts confidentiality, integrity, and availability (C:H/I:H/A:H). The exploitability is partially functional (E:P), with no known exploits in the wild as of the publication date. The vulnerability arises from insufficient validation or control over webhook-triggered actions within the Automation Stitch feature, which is used for automating workflows and integrations in FortiProxy and FortiOS. By crafting a malicious webhook, an attacker can trigger unauthorized actions that elevate their privileges, potentially leading to full system compromise or unauthorized access to sensitive network traffic and configurations.

For European organizations, this vulnerability poses a significant risk given Fortinet's widespread use in enterprise network security infrastructure, including firewalls, proxies, and secure web gateways. Successful exploitation could allow an attacker with limited access—such as a low-privileged user or compromised internal account—to gain administrative control over FortiProxy or FortiOS devices. This could lead to interception or manipulation of network traffic, disruption of security controls, unauthorized data access, and lateral movement within the network. Critical sectors such as finance, healthcare, government, and telecommunications, which rely heavily on Fortinet products for perimeter and internal security, could face data breaches, service outages, and regulatory compliance violations (e.g., GDPR). The lack of user interaction and relatively low attack complexity increase the risk of exploitation in environments where internal threat actors or compromised credentials exist. Although no known exploits are currently reported in the wild, the presence of a publicly disclosed vulnerability with detailed technical information may prompt attackers to develop exploits, increasing the urgency for mitigation.

European organizations should prioritize the following mitigation steps: 1) Immediate assessment and inventory of all FortiProxy and FortiOS devices to identify affected versions. 2) Apply vendor-provided patches or updates as soon as they become available; if patches are not yet released, implement temporary mitigations such as disabling or restricting the Automation Stitch feature and webhook integrations to trusted sources only. 3) Enforce strict access controls and monitoring on accounts with privileges to configure or trigger Automation Stitch workflows to prevent unauthorized use. 4) Implement network segmentation to limit access to FortiProxy and FortiOS management interfaces, ensuring only authorized administrators can reach these systems. 5) Enable comprehensive logging and alerting on webhook activities and privilege escalations to detect suspicious behavior early. 6) Conduct internal audits and penetration testing focused on automation and webhook components to identify potential abuse paths. 7) Educate security teams about this vulnerability and update incident response plans to include scenarios involving privilege escalation via automation features. These measures go beyond generic advice by focusing on the specific Automation Stitch component and webhook mechanisms that are the root cause of this vulnerability.