CVE-2025-54822: 
FortiOS vulnerability analysis and mitigation

An improper authorization vulnerability (CVE-2025-54822) was discovered in Fortinet FortiOS and FortiProxy products. The vulnerability, identified as CWE-285, was initially disclosed on October 14, 2025. It affects FortiOS versions 7.4.0 through 7.4.1, versions before 7.2.9, and FortiProxy versions before 7.4.9. The vulnerability was internally discovered and reported by Kushal Shah from Fortinet's FortiGuard Labs (Fortinet Advisory, NVD).

The vulnerability is classified as an improper authorization issue that could allow an authenticated attacker to access static files of other Virtual Domains (VDOMs) through crafted HTTP or HTTPS requests. The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (Medium severity) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (Fortinet Advisory).

The vulnerability allows authenticated attackers to gain unauthorized access to static files belonging to other Virtual Domains (VDOMs), potentially leading to information disclosure. The impact is primarily focused on confidentiality with no direct effect on integrity or availability of the system (Fortinet Advisory).

Fortinet has released patches to address this vulnerability. FortiOS users should upgrade to version 7.4.2 or above for the 7.4 branch, and version 7.2.9 or above for the 7.2 branch. FortiProxy users should upgrade to version 7.4.9 or above. Additionally, a virtual patch named 'FortiOS.Static.File.Access.Improper.Authentication' is available in FMWP db update 23.104 (Fortinet Advisory).