CVE-2025-54821: 
FortiOS vulnerability analysis and mitigation

An Improper Privilege Management vulnerability (CVE-2025-54821) was discovered in Fortinet products including FortiOS, FortiPAM, and FortiProxy. The vulnerability was disclosed on November 18, 2025, affecting multiple versions of these products including FortiOS 7.6.0 through 7.6.3, FortiOS 7.4/7.2/7.0/6.4 all versions, FortiPAM 1.6.0 and earlier versions, and FortiProxy 7.6.0 through 7.6.3 and earlier versions (NVD, Fortinet PSIRT).

The vulnerability is classified as an Improper Privilege Management issue (CWE-269) that could allow an authenticated administrator to bypass the trusted host policy through crafted CLI commands. The vulnerability has been assigned a CVSS v3.1 Base Score of 1.9 LOW with the vector string CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N (Fortinet PSIRT).

The vulnerability could allow an authenticated administrator to bypass the trusted host policy, potentially leading to escalation of privilege in the affected systems (Fortinet PSIRT).

Fortinet has released fixes for the affected products. Users are advised to upgrade FortiOS 7.6.x to version 7.6.4 or above, FortiPAM 1.6.0 to version 1.6.1 or above, and FortiProxy 7.6.x to version 7.6.4 or above. For other affected versions, users should migrate to a fixed release. Fortinet provides an upgrade tool to follow the recommended upgrade path (Fortinet PSIRT).

The vulnerability was responsibly disclosed by Nathan Jones from Orange Cyberdefense UK (Fortinet PSIRT).