Key Information

Vulnerability Overview
Vulnerability Type: Missing Authentication for Critical Function (CWE-306)
Affected Products: FortiOS, FortiProxy, FortiSwitchManager
Condition: The device is configured to use a remote TACACS+ server for authentication, and the server is configured to use ASCII authentication
Risk: Attackers can bypass authentication and access the device using a known administrator account

Affected Versions and Remediation

Workaround
Use alternative authentication methods such as PAP, MSCHAP, or CHAP

Timeline
2025-05-13: Initial release
2025-05-28: Clarification that is not affected, as it does not use ASCII

Other
CVE ID: CVE-2025-22252
CVSSv3 Score: 9.0
Severity: Critical
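
To check a configuration backup against the condition above, the following added example (not part of the advisory or any vendor tooling) lists each TACACS+ server entry and its authentication type. It assumes the FortiOS CLI backup layout with a `config user tacacs+` block and `set authen-type` lines; the entry names and addresses in the sample are constructed.

```python
import re

# Constructed sample of a configuration backup (not taken from the advisory).
SAMPLE_CONFIG = '''\
config user tacacs+
    edit "tac-ascii"
        set server "192.0.2.10"
        set authen-type ascii
    next
    edit "tac-chap"
        set server "192.0.2.11"
        set authen-type chap
    next
    edit "tac-default"
        set server "192.0.2.12"
    next
end
config user radius
    edit "rad1"
        set server "192.0.2.20"
    next
end
'''

def audit_tacacs(config_text):
    """Map each 'config user tacacs+' entry to its authen-type.

    Entries without an explicit 'set authen-type' line are reported as
    'unset' so they can be reviewed by hand.
    """
    results, depth, entry = {}, 0, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            # Enter the TACACS+ block, or track nesting once inside it.
            if depth or line == "config user tacacs+":
                depth += 1
        elif line == "end" and depth:
            depth -= 1
        elif depth == 1:
            if m := re.fullmatch(r'edit "?([^"]+)"?', line):
                entry = m.group(1)
                results[entry] = "unset"
            elif line == "next":
                entry = None
            elif entry and (m := re.fullmatch(r"set authen-type (\S+)", line)):
                results[entry] = m.group(1).lower()
    return results

def flagged(config_text):
    """Entries explicitly set to ASCII, the condition the advisory names."""
    return sorted(n for n, t in audit_tacacs(config_text).items() if t == "ascii")
```

Entries returned by `flagged` are the ones to move to PAP, MSCHAP, or CHAP; entries reported as `unset` rely on the device default and should be confirmed on the device itself.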