CVE-2025-25253: Information disclosure in Fortinet FortiPAM
An Improper Validation of Certificate with Host Mismatch vulnerability [CWE-297] in FortiProxy version 7.6.1 and below, version 7.4.8 and below, 7.2 all versions, 7.0 all versions and FortiOS version 7.6.2 and below, version 7.4.8 and below, 7.2 all versions, 7.0 all versions ZTNA proxy may allow an unauthenticated attacker in a man-in-the-middle position to intercept and tamper with connections to the ZTNA proxy.
AI Analysis
Technical Summary
CVE-2025-25253 stems from improper validation of a certificate whose host does not match the expected one (a host mismatch) in Fortinet's FortiProxy and FortiOS ZTNA proxy components, as well as FortiPAM version 1.4.1. The flaw is categorized under CWE-297, indicating that the software fails to properly verify that the certificate presented by a server matches the expected hostname. This weakness enables an unauthenticated attacker who can position themselves as a man-in-the-middle (MitM) on the network to intercept, read, and modify traffic between clients and the ZTNA proxy. The affected Fortinet products include FortiProxy versions 7.6.1 and below, 7.4.8 and below, 7.2 all versions, 7.0 all versions, and FortiOS versions 7.6.2 and below, 7.4.8 and below, 7.2 all versions, and 7.0 all versions, specifically the ZTNA proxy functionality. FortiPAM version 1.4.1 is also impacted. The vulnerability does not require authentication or user interaction, but it does require the attacker to have network access from which traffic can be intercepted. The CVSS v3.1 base score is 6.8, reflecting medium severity: the impact on confidentiality, integrity, and availability is high, but the score is tempered by high attack complexity and the network positioning the attack requires. No public exploits have been reported yet, but the potential for interception and tampering of sensitive communications in Zero Trust Network Access environments poses a significant risk.
Potential Impact
For European organizations, this vulnerability threatens the confidentiality and integrity of communications routed through Fortinet's ZTNA proxies and FortiPAM, which are often used to secure privileged access and enforce zero trust policies. Successful exploitation could lead to unauthorized data disclosure, manipulation of access controls, and disruption of critical authentication and access management processes. This could compromise sensitive corporate data, intellectual property, and user credentials, potentially facilitating further lateral movement or escalation within networks. Industries such as finance, healthcare, government, and critical infrastructure that rely heavily on Fortinet solutions for secure remote access and privileged access management are particularly at risk. The disruption or compromise of these security layers could have cascading effects on operational continuity and regulatory compliance, especially under stringent European data protection laws like GDPR.
Mitigation Recommendations
Organizations should immediately inventory their Fortinet FortiPAM, FortiProxy, and FortiOS ZTNA proxy deployments to identify affected versions. Applying vendor patches or updates as soon as they become available is critical. In the absence of patches, network-level mitigations such as enforcing strict TLS inspection policies, deploying network segmentation to limit MitM attack surfaces, and using endpoint security solutions to detect anomalous traffic patterns should be implemented. Additionally, organizations should monitor network traffic for unusual certificate warnings or connection anomalies indicative of MitM attempts. Employing certificate pinning or strict hostname verification where possible can reduce exposure. Regularly reviewing and updating zero trust policies and access controls to minimize unnecessary exposure of ZTNA proxies is also recommended. Finally, educating network administrators about this vulnerability and encouraging vigilance in monitoring Fortinet device logs can help in early detection and response.
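As an added example (not Fortinet's code and not taken from this advisory), the host-binding check that CWE-297 describes as missing, written in Python: the weak pattern that accepts any chain-valid certificate beside a strict matcher that binds the certificate's SAN names to the host the client intended to reach, plus the ssl-module settings that enforce strict hostname verification in a client. `PeerCert` and the names and addresses in it are constructed for illustration.

```python
import ipaddress
import ssl
from dataclasses import dataclass, field

@dataclass
class PeerCert:
    """Constructed stand-in for a parsed peer certificate (not a real cert)."""
    subject_cn: str
    dns_sans: list = field(default_factory=list)
    ip_sans: list = field(default_factory=list)

def dns_name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: a wildcard may only be the entire leftmost label,
    matches exactly one label, and never a bare registrable domain ('*.com')."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def hostname_matches(cert: PeerCert, expected_host: str) -> bool:
    """Strict host binding: the name the client meant to reach must appear in
    the SAN extension (IP SANs for IP literals); CN only if no DNS SAN exists."""
    try:
        ip = ipaddress.ip_address(expected_host)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ipaddress.ip_address(s) == ip for s in cert.ip_sans)
    names = cert.dns_sans or [cert.subject_cn]
    return any(dns_name_matches(n, expected_host) for n in names)

def weak_verify(cert: PeerCert, expected_host: str, chain_ok: bool) -> bool:
    """The CWE-297 pattern: a valid chain alone is accepted, so a certificate
    issued for some other host passes for this one."""
    return chain_ok

def strict_verify(cert: PeerCert, expected_host: str, chain_ok: bool) -> bool:
    """Chain validity AND host binding: the check that closes the gap."""
    return chain_ok and hostname_matches(cert, expected_host)

def strict_client_context() -> ssl.SSLContext:
    """Python ssl client context with hostname checking enforced."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True            # reject host mismatch
    ctx.verify_mode = ssl.CERT_REQUIRED  # and require a trusted chain
    return ctx
```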
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Belgium, Sweden, Switzerland
Technical Details
- Data Version: 5.1
- Assigner Short Name: fortinet
- Date Reserved: 2025-02-05T13:31:18.867Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68ee6cbb1b3029e3c7e0402f
Added to database: 10/14/2025, 3:31:07 PM
Last enriched: 10/14/2025, 3:48:38 PM
Last updated: 10/16/2025, 11:12:39 AM