CVE-2025-59669: 
Fortinet FortiWeb vulnerability analysis and mitigation

A use of hard-coded credentials vulnerability (CVE-2025-59669) was discovered in Fortinet FortiWeb's internal redis services. The vulnerability affects FortiWeb versions 7.6.0, FortiWeb 7.4 all versions, FortiWeb 7.2 all versions, and FortiWeb 7.0 all versions. This vulnerability was discovered and reported by Victor Pasman under responsible disclosure, and was publicly disclosed on November 18, 2025 (Fortinet PSIRT).

The vulnerability is classified as CWE-798 (Use of Hard-coded Credentials) and received a CVSS v3.1 base score of 4.8 MEDIUM with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:U/RC:R. The vulnerability specifically affects the internal redis services in FortiWeb, requiring local access and low privileges for exploitation (NVD, Fortinet PSIRT).

The vulnerability may allow an authenticated attacker with shell access to the device to connect to redis service and access its data. This results in improper access control to the system's redis services, potentially compromising the confidentiality and integrity of the stored data (NVD).

Fortinet has released patches to address this vulnerability. Users of FortiWeb 7.6.0 should upgrade to version 7.6.1 or above. For FortiWeb versions 7.4, 7.2, and 7.0, users should migrate to a fixed release. FortiWeb 8.0 is not affected by this vulnerability (Fortinet PSIRT).