Trusted hosts bypass via SSH
Low Risk · CVSS 1.8 · FG-IR-25-545 · Nov 18, 2025
Fortinet
IT in OT - Fortinet products are commonly deployed at IT/OT network boundaries
Attack path
Attack Vector: Local
Auth Required: High
Complexity: High
User Interaction: None needed
Summary
A vulnerability in Fortinet FortiOS, FortiPAM, and FortiSASE allows an attacker with high-privilege administrator credentials and local CLI access to bypass SSH trusted host restrictions. The trusted host bypass could allow circumvention of SSH key or IP-based trust rules configured on the device. The vulnerability affects multiple product versions: FortiOS 6.4, 7.0, 7.2, 7.4.0-7.4.11, and 7.6.0-7.6.3; FortiPAM 1.4, 1.5, and 1.6.0; and FortiSASE 25.2.91.
What this means
What could happen
An administrator or high-privileged user with local access to a Fortinet device could bypass SSH trusted host restrictions, potentially allowing unauthorized remote access to administrative interfaces if the device is configured with specific trust rules.
Who's at risk
Fortinet firewall, PAM (privileged access management), and cloud security appliance administrators managing FortiOS, FortiPAM, and FortiSASE deployments should be aware of this SSH trusted host bypass. This affects organizations using these devices for perimeter security, network access control, or privileged credential management.
How it could be exploited
An attacker with high-privilege administrator credentials and local command-line access could manipulate SSH trusted host configurations to bypass intended access restrictions. This allows circumvention of SSH key or IP-based trust rules that would normally block certain connections.
Prerequisites
- High-privilege administrator account credentials
- Local CLI access to the Fortinet device
- Device configured with SSH trusted host restrictions or trust rules
- High system privilege level required
Key points:
- High privilege level required for exploitation
- Low CVSS score (1.8)
- Requires local CLI access
- Affects SSH authentication trust rules
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (9)
9 with fix
Product | Affected Versions | Fix Status
FortiOS | 7.6.0 - 7.6.3 | 7.6.4+
FortiOS | 7.4.0 - 7.4.11 | 7.4.12+
FortiOS | 7.2 all versions | Migrate to fixed release
FortiOS | 7.0 all versions | Migrate to fixed release
FortiOS | 6.4 all versions | Migrate to fixed release
FortiPAM | 1.6.0 | 1.6.1+
FortiPAM | 1.5 all versions | Migrate to fixed release
FortiPAM | 1.4 all versions (and 4 more) | Migrate to fixed release
Remediation & Mitigation
Do now
HARDENING: Restrict SSH administrative access to trusted management networks only, using firewall rules or network segmentation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
FortiOS
HOTFIX: Update FortiOS 7.6.x devices to version 7.6.4 or later
HOTFIX: Update FortiOS 7.4.x devices to version 7.4.12 or later
HOTFIX: Upgrade FortiOS 7.2, 7.0, and 6.4 devices to a currently supported fixed release (7.6.4+ or 7.4.12+)
FortiPAM
HOTFIX: Update FortiPAM 1.6.x devices to version 1.6.1 or later
HOTFIX: Upgrade FortiPAM 1.5 and 1.4 devices to version 1.6.1 or later
FortiSASE
HOTFIX: Upgrade FortiSASE 25.2.91 to a newer fixed release version
Long-term hardening
HARDENING: Enforce strong password policies and multi-factor authentication (MFA) for all administrative accounts to limit exposure from compromised credentials
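To check the "Do now" hardening item against a device's configuration, here is an added example (not part of the advisory, and not Fortinet tooling): a small Python audit that parses a constructed FortiOS "show full-configuration" excerpt and reports admin accounts whose trusthost entries are missing or still at the any-source default, plus interfaces outside the management set that allow SSH. The account names, addresses and the "mgmt" interface name are assumptions.

```python
# Constructed FortiOS "show full-configuration" excerpt (illustrative names and addresses, not a real export).
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
    next
    edit "netops"
        set trusthost1 10.20.30.0 255.255.255.0
        set trusthost2 0.0.0.0 0.0.0.0
    next
    edit "auditor"
        set trusthost1 10.20.30.5 255.255.255.255
    next
end
config system interface
    edit "wan1"
        set allowaccess ping https ssh
    next
end
"""
ANY_HOST = "0.0.0.0 0.0.0.0"  # FortiOS default trusthost value: matches every source address

def parse_sections(text):
    """Map each 'config <name> ... end' block to {entry_name: {key: value}}."""
    sections, current, entry = {}, None, None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("config "):
            current = sections.setdefault(s[7:], {})
        elif s.startswith("edit ") and current is not None:
            entry = current.setdefault(s[5:].strip('"'), {})
        elif s.startswith("set ") and entry is not None:
            key, _, value = s[4:].partition(" ")
            entry[key] = value
        elif s in ("next", "end"):
            entry = None
    return sections

def unrestricted_admins(sections):
    """Admins with no trusthost lines (plain 'show' omits defaults) or any trusthostN still 0.0.0.0/0."""
    found = []
    for name, attrs in sections.get("system admin", {}).items():
        hosts = [v for k, v in attrs.items() if k.startswith("trusthost")]
        if not hosts or ANY_HOST in hosts:
            found.append(name)
    return found

def ssh_exposed_interfaces(sections, mgmt=("mgmt",)):
    """Interfaces outside the designated management set whose allowaccess includes ssh."""
    return [n for n, a in sections.get("system interface", {}).items()
            if "ssh" in a.get("allowaccess", "").split() and n not in mgmt]
```

Run it against the output of "show full-configuration system admin" and "show full-configuration system interface" from the device; every flagged admin should get explicit trusthost entries limited to the management network, and SSH should be removed from allowaccess on any flagged interface.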
CVEs (1)