CVE-2025-55717
Fortimail Analyse et atténuation des vulnérabilités

Aperçu

CVE-2025-55717 is a cleartext storage of sensitive information vulnerability (CWE-312) affecting Fortinet FortiMail, FortiRecorder, and FortiVoice products. Sensitive information — specifically user secrets — is stored in plaintext within debug logs, allowing an authenticated malicious administrator to retrieve them via CLI commands. Affected versions include FortiMail 7.0.0–7.0.8, 7.2.0–7.2.7, 7.4.0–7.4.4, and 7.6.0–7.6.2; FortiRecorder 6.4 (all versions), 7.0 (all versions), and 7.2.0–7.2.3; and FortiVoice 7.0.0–7.0.6 and 7.2.0. The vulnerability was discovered through an independent audit commissioned by Fortinet and publicly disclosed on March 10, 2026. It carries a CVSSv3.1 base score of 3.8–4.0 (Low/Medium) due to the high privilege requirement and local attack vector (FortiGuard PSIRT, Red Hat CVE).

Détails techniques

The root cause is CWE-312 (Cleartext Storage of Sensitive Information): user secrets and passwords are written in plaintext to debug logs rather than being masked or encrypted. An authenticated administrator can access these logs via CLI commands on the affected device, exposing credentials that should be protected at rest. Exploitation requires local access to the device and an active administrator session, making the attack complexity high and limiting practical exploitability. No external network access or special protocol manipulation is required — the attacker simply reads debug log content through standard CLI interfaces (FortiGuard PSIRT).

Impact

Successful exploitation results in a high-confidentiality-impact breach: an authenticated administrator can extract user secrets and plaintext credentials stored in debug logs, potentially compromising user authentication data across the affected system. There is no integrity or availability impact. While the scope is limited to the local device and requires elevated privileges, exposed credentials could be leveraged for lateral movement or privilege escalation within the broader environment if reused elsewhere (FortiGuard PSIRT, Red Hat CVE).

Étapes d’exploitation

  1. Gain administrator access: Obtain valid administrator credentials for the targeted FortiMail, FortiRecorder, or FortiVoice device — either through credential theft, insider access, or social engineering.
  2. Log in to the device CLI: Authenticate to the device's command-line interface using the administrator account.
  3. Access debug logs: Execute CLI commands to retrieve or display debug log files where sensitive information is stored in cleartext (e.g., commands that read or dump log content).
  4. Extract user secrets: Parse the plaintext debug log output to identify and collect user passwords or other secrets stored without encryption.
  5. Leverage extracted credentials: Use the obtained credentials for further access to the device, related systems, or other services where credentials may be reused (FortiGuard PSIRT).

Indicateurs de compromis

  • Logs: Unusual or repeated CLI commands accessing debug log files by administrator accounts; audit log entries showing bulk log reads or exports outside of normal maintenance windows.
  • Process/CLI Activity: Administrator sessions executing log-dump or debug-log-read commands at unusual times or from unfamiliar source IPs.
  • Network: Administrative CLI access originating from unexpected IP addresses or geographic locations, particularly if multi-factor authentication is not enforced.

Atténuation et solutions de contournement

Fortinet has released patched versions for all affected products. Upgrade to the following fixed releases: FortiMail 7.6.3 or later, 7.4.5 or later, 7.2.8 or later, or 7.0.9 or later (depending on branch); FortiRecorder 7.2.4 or later (FortiRecorder 6.4 and 7.0 users must migrate to a fixed release branch); FortiVoice 7.2.1 or later, or 7.0.7 or later. Patches were released on March 12, 2026. As interim mitigations, restrict administrative CLI access to trusted personnel only, implement multi-factor authentication for administrator accounts, and audit systems for any unauthorized administrative access. Monitor administrative CLI command usage for anomalous log-access activity (FortiGuard PSIRT).

Réactions de la communauté

The vulnerability was discovered through an internal audit commissioned by Fortinet, indicating proactive security review practices. Community and media attention has been limited given the low CVSS score and high exploitation prerequisites. Automated CVE tracking services such as VulDB and radar.offseq.com indexed the vulnerability shortly after disclosure, and it was noted on social platforms via CVEnew. No significant researcher commentary or major media coverage has been identified (FortiGuard PSIRT).

Ressources additionnelles


SourceCe rapport a été généré à l’aide de l’IA

Apparenté Fortimail Vulnérabilités:

Identifiant CVE

Sévérité

Score

Technologies

Nom du composant

Exploit CISA KEV

A corrigé

Date de publication

CVE-2025-53681HIGH7.2
  • Fortimail logoFortimail
  • cpe:2.3:a:fortinet:fortimail
NonOuiMay 12, 2026
CVE-2024-40588MEDIUM4.4
  • Fortimail logoFortimail
  • cpe:2.3:a:fortinet:fortindr
NonOuiAug 12, 2025
CVE-2025-54972MEDIUM4.3
  • Fortimail logoFortimail
  • cpe:2.3:a:fortinet:fortimail
NonOuiNov 18, 2025
CVE-2024-47569MEDIUM4.3
  • FortiOS logoFortiOS
  • cpe:2.3:a:fortinet:fortiweb
NonOuiOct 14, 2025
CVE-2025-55717MEDIUM4
  • Fortimail logoFortimail
  • cpe:2.3:a:fortinet:fortimail
NonOuiMar 10, 2026

Évaluation gratuite des vulnérabilités

Évaluez votre posture de sécurité dans le cloud

Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.

Demander une évaluation

Obtenez une démo personnalisée

Prêt(e) à voir Wiz en action ?

"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
David EstlickRSSI
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
Adam FletcherChef du service de sécurité
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."
Greg PoniatowskiResponsable de la gestion des menaces et des vulnérabilités