CVE-2025-54822: 
FortiOS vulnerability analysis and mitigation

An improper authorization vulnerability (CVE-2025-54822) was discovered in Fortinet FortiOS and FortiProxy products. The vulnerability was identified on October 14, 2025, affecting the GUI component with a CVSSv3 score of 4.2 (Medium severity). The affected versions include FortiOS versions 7.4.0 through 7.4.1, 7.2.0 through 7.2.8, and 7.0.0 through 7.0.11, as well as FortiProxy versions 7.4.0 through 7.4.8, and all versions of 7.2, 7.0, and 2.0 (Fortinet Advisory, NVD).

The vulnerability [CWE-285] allows an authenticated attacker to access static files of other Virtual Domains (VDOMs) through crafted HTTP or HTTPS requests. The issue has been assigned a medium severity rating with a CVSS v3.1 base score of 4.3, indicating moderate potential impact with relatively low attack complexity but requiring authentication (Fortinet Advisory).

The primary impact of this vulnerability is improper access control, potentially allowing authenticated attackers to access static files belonging to other VDOMs. This could lead to unauthorized access to sensitive information stored in these files (Fortinet Advisory).

Fortinet has released patches to address this vulnerability. Users are advised to upgrade to FortiOS version 7.4.2 or above for 7.4.x installations, 7.2.9 or above for 7.2.x installations. FortiProxy users should upgrade to version 7.4.9 or above. For other affected versions, migration to a fixed release is recommended. Additionally, a virtual patch named 'FortiOS.Static.File.Access.Improper.Authentication' is available in FMWP db update 23.104 (Fortinet Advisory).