CVE-2025-47890: 
FortiOS vulnerability analysis and mitigation

CVE-2025-47890 is a URL Redirection to Untrusted Site vulnerability discovered in multiple Fortinet products, including FortiOS, FortiProxy, and FortiSASE. The vulnerability was disclosed on October 14, 2025, and is classified as a medium severity issue with a CVSSv3 score of 4.5. The vulnerability affects multiple versions of these products, including FortiOS versions 6.4 through 7.6.3, FortiProxy versions 7.0 through 7.6.3, and FortiSASE version 25.2 (Fortinet Advisory, NVD).

The vulnerability is categorized under CWE-601 (URL Redirection to Untrusted Site) and involves improper neutralization of input during web page generation. It specifically affects the Web Filter warning page functionality in the affected products. The vulnerability has been assigned a CVSS v3.1 base score of 2.6 (Low) with the vector string CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N, indicating adjacent network attack vector, high attack complexity, no privileges required, and user interaction required (Fortinet Advisory).

When exploited, this vulnerability allows an unauthenticated attacker to perform an open redirect attack via crafted HTTP requests. The impact is primarily focused on integrity with low severity, as indicated by the CVSS metrics, with no direct impact on confidentiality or availability (Fortinet Advisory).

Fortinet has released patches for the affected products. Users of FortiOS 7.6 should upgrade to version 7.6.4 or above, FortiOS 7.4 users should upgrade to 7.4.9 or above, and users of other affected versions should migrate to a fixed release. FortiSASE users should note that the issue has been remediated in version 25.3.b with no action required from customers. Fortinet provides an upgrade tool at their documentation site to assist with the upgrade process (Fortinet Advisory).