CVE-2025-25253 is a vulnerability classified under CWE-297 (Improper Validation of Certificate with Host Mismatch) affecting Fortinet's FortiProxy and FortiOS ZTNA proxy products. The flaw exists because the affected versions do not properly validate the hostname in TLS certificates during connection establishment. This improper validation allows an unauthenticated attacker positioned in a man-in-the-middle role to intercept, decrypt, and potentially modify traffic between clients and the ZTNA proxy. The vulnerability affects FortiProxy versions 7.6.1 and below, 7.4.8 and below, 7.2 all versions, 7.0 all versions, as well as FortiOS versions 7.6.2 and below, 7.4.8 and below, 7.2 all versions, and 7.0 all versions. The CVSS v3.1 base score is 6.8, indicating medium severity, with attack vector as adjacent network, high attack complexity, no privileges required, no user interaction, and impacts on confidentiality, integrity, and availability. The vulnerability allows attackers to bypass TLS protections by exploiting the certificate hostname mismatch validation flaw, enabling interception and tampering of sensitive ZTNA proxy traffic. No public exploits or active exploitation have been reported yet, but the potential impact on secure remote access and zero-trust network enforcement is significant. Fortinet has not yet published patches or mitigation details, so organizations must monitor vendor advisories closely.

The vulnerability threatens the confidentiality, integrity, and availability of communications routed through Fortinet FortiProxy and FortiOS ZTNA proxy components. European organizations relying on these products for secure remote access and zero-trust network access enforcement could have sensitive data intercepted or altered by attackers capable of man-in-the-middle attacks. This could lead to exposure of credentials, internal network information, or manipulation of traffic to inject malicious payloads or disrupt services. Critical sectors such as finance, government, healthcare, and energy that depend on Fortinet solutions for secure connectivity are at heightened risk. The medium severity rating reflects the requirement for attacker proximity to the network (adjacent network) and high attack complexity, but the lack of authentication or user interaction needed increases the threat surface. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the potential for future exploitation. The impact on availability could also affect business continuity if attackers disrupt ZTNA proxy operations.

1. Immediately monitor Fortinet advisories for official patches addressing CVE-2025-25253 and apply them as soon as they become available. 2. Until patches are released, restrict network access to FortiProxy and FortiOS ZTNA proxy management and data plane interfaces to trusted, authenticated networks only, minimizing exposure to adjacent network attackers. 3. Deploy network segmentation and micro-segmentation to limit the ability of attackers to position themselves as man-in-the-middle within the network. 4. Use network intrusion detection and prevention systems (IDS/IPS) to detect anomalous TLS handshake behaviors or certificate mismatches. 5. Enforce strict certificate pinning and validation policies on client devices where possible to detect and block invalid certificates. 6. Conduct regular security audits and penetration tests focusing on TLS and ZTNA proxy configurations to identify potential weaknesses. 7. Educate network administrators and security teams about the vulnerability and signs of exploitation attempts. 8. Consider implementing additional endpoint security controls to detect lateral movement or unusual network activity that may indicate exploitation attempts.