CVE-2025-46752
📋 TL;DR
This vulnerability in Fortinet FortiDLP is an insertion of sensitive information into log files (CWE-532): device enrollment codes are written to the product's logs, so anyone who can read those logs can recover the codes and reuse them to enroll devices they control. It affects FortiDLP versions 12.0.0 through 12.0.5, 11.5.1, 11.4.6, and 11.4.5.
💻 Affected Systems
- Fortinet FortiDLP
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An attacker who reads the logged enrollment codes enrolls devices they control as if they were managed endpoints, gaining a foothold inside the data-protection deployment and a way to undermine or bypass DLP controls.
Likely Case
Internal or external attackers with read access to the log files extract enrollment codes and register unauthorized devices, undermining the integrity of DLP policy enforcement.
If Mitigated
With strict access controls and monitoring on the logs, only authorized administrators can reach the entries that contain enrollment codes, so there is nothing for an attacker to reuse; applying the vendor fix removes the codes from the logs altogether.
🎯 Exploit Status
Exploitation requires read access to log files that contain enrollment codes, followed by use of a recovered code to enroll a device. No authentication bypass is involved: the attacker needs a legitimate path to the logs, which is why log access control is the key interim mitigation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: FortiDLP 12.0.6, 11.5.2, 11.4.7, or later versions
Vendor Advisory: https://fortiguard.fortinet.com/psirt/FG-IR-25-160
Restart Required: No
Instructions:
1. Download the patched version from the Fortinet support portal.
2. Back up the current configuration.
3. Install the update via the FortiDLP web interface or CLI.
4. Verify the installation and confirm normal operation.
🔧 Temporary Workarounds
Restrict Log File Access
Implement strict access controls on FortiDLP log files to prevent unauthorized viewing of sensitive enrollment codes.
Configure file permissions to restrict log access to authorized administrators only
Monitor Log Access
Implement monitoring and alerting for unauthorized access attempts to FortiDLP log files.
Set up SIEM alerts for log file access patterns
🧯 If You Can't Patch
- Implement strict access controls on FortiDLP log directories and files
- Treat any enrollment code that has already been written to a log as compromised: rotate enrollment codes regularly and monitor for device registrations you did not initiate
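As an added illustration of the log-access items above (example code written for this page, not Fortinet's tooling), the following Python script audits a directory of exported FortiDLP logs for files readable beyond the owner and an administrators' group, and clamps them to 0640. It assumes you forward or export the logs to a Linux host you administer; the file names in the demo and the 0640 target mode are assumptions for the example, and on a vendor-managed console the equivalent control is whatever access restriction the console itself offers on log views.

```python
import os
import stat
import tempfile
from pathlib import Path

# Owner read/write plus group read (0640): the log owner and an admin group can
# read, nobody else. This is an assumed target mode for the example, not a
# Fortinet recommendation.
ALLOWED_BITS = stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP


def overexposed_bits(mode):
    """Permission bits on a file beyond owner rw / group r (0 means compliant)."""
    return stat.S_IMODE(mode) & ~ALLOWED_BITS


def audit_log_dir(log_dir):
    """Return [(path, octal mode)] for every regular file readable more widely than 0640."""
    findings = []
    for p in sorted(Path(log_dir).rglob("*")):
        # Skip symlinks so we never report (or later chmod) a target outside the log tree.
        if p.is_file() and not p.is_symlink():
            mode = stat.S_IMODE(p.stat().st_mode)
            if overexposed_bits(mode):
                findings.append((str(p), oct(mode)))
    return findings


def harden_log_dir(log_dir):
    """Clamp every over-exposed file under log_dir to 0640; return the paths changed."""
    changed = []
    for path, _ in audit_log_dir(log_dir):
        os.chmod(path, ALLOWED_BITS)
        changed.append(path)
    return changed


def demo():
    """Constructed sandbox: two too-open log files and one already locked down.

    Returns (findings before, files changed, findings after).
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, mode in (("fortidlp.log", 0o644),
                           ("fortidlp.log.1", 0o664),
                           ("audit.log", 0o640)):
            f = root / name
            f.write_text("constructed placeholder log line\n")
            f.chmod(mode)
        before = len(audit_log_dir(root))
        fixed = len(harden_log_dir(root))
        after = len(audit_log_dir(root))
        return before, fixed, after


if __name__ == "__main__":
    # On a real host: audit_log_dir("/var/log/fortidlp") (assumed path), review
    # the findings, then harden_log_dir(...) once the owner/group are correct.
    print("before/changed/after:", demo())
```

Run the audit first and review the output before hardening: chmod only fixes mode bits, so a log file owned by the wrong user or group still needs chown before 0640 means what you intend.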
🔍 How to Verify
Check if Vulnerable:
Check FortiDLP version via web interface (System > Status) or CLI (get system status). Compare against affected versions.
Check Version:
get system status | grep Version
Verify Fix Applied:
Confirm the running version is 12.0.6 or later, 11.5.2 or later, or 11.4.7 or later. Then enroll a test device and inspect the log entries written during enrollment: the enrollment code should no longer appear in plaintext.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access to log files containing 'enrollment' or 'code' patterns
- Multiple device enrollment attempts presenting the same enrollment code, or enrollments of devices you did not provision
Network Indicators:
- Unusual device registration traffic to FortiDLP management interface
SIEM Query:
source="fortidlp" AND (event="log_access" OR event="enrollment") AND (user NOT IN authorized_admins)
(Pseudo-query: the source name, event values and the authorized_admins lookup are placeholders to be mapped onto your SIEM's field schema.)
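Added example, not part of the original advisory and not FortiDLP code: a small Python detector covering the two checks described above, whether enrollment codes still appear in plaintext in the logs (the post-patch verification) and whether one code has been presented by more than one device (the reuse indicator). The log layout, the field names `enrollment_code` and `device`, and the sample lines are constructed assumptions; adapt the two regexes to the real export format. Alert output carries a truncated SHA-256 fingerprint of the code rather than the code itself, so the detector does not repeat the leak it is looking for.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample, NOT real FortiDLP output: field names and layout are
# assumptions for this example. Two devices present the same code, a third uses
# its own, and the fourth line shows what a fixed build is expected to emit
# instead of the code. The last line carries no code at all.
SAMPLE_LOG = """\
2025-06-01T10:00:01Z agent-enroll device=LAPTOP-01 enrollment_code=ABCD-1234-EFGH result=success
2025-06-01T10:05:12Z agent-enroll device=LAPTOP-02 enrollment_code=ABCD-1234-EFGH result=success
2025-06-01T10:07:45Z agent-enroll device=LAPTOP-03 enrollment_code=WXYZ-9876-QRST result=success
2025-06-01T10:09:00Z agent-enroll device=LAPTOP-04 enrollment_code=REDACTED result=success
2025-06-01T10:10:30Z policy-sync device=LAPTOP-01 rules=42 result=success
"""

# Matches key=value and JSON-style "enrollmentCode": "value"; the value must be
# at least 8 characters of [A-Za-z0-9-]. Adjust to the real code alphabet.
CODE_RE = re.compile(
    r'(?i)enrollment[_\s-]?code["\']?\s*[=:]\s*["\']?([A-Za-z0-9][A-Za-z0-9-]{7,})')
DEVICE_RE = re.compile(r'(?i)\bdevice["\']?\s*[=:]\s*["\']?([A-Za-z0-9._-]+)')
# Values a patched build might write in place of the code; not treated as leaks.
REDACTION_MARKERS = {"redacted", "[redacted]", "<redacted>", "masked"}


def fingerprint(secret):
    """Short SHA-256 prefix so alerts can correlate a code without repeating it."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]


def _code_in(line):
    m = CODE_RE.search(line)
    if m and m.group(1).lower() not in REDACTION_MARKERS:
        return m.group(1)
    return None


def find_plaintext_codes(lines):
    """Lines that still carry an enrollment code in the clear: [(line_no, fingerprint)]."""
    hits = []
    for n, line in enumerate(lines, 1):
        code = _code_in(line)
        if code:
            hits.append((n, fingerprint(code)))
    return hits


def find_code_reuse(lines):
    """Codes presented by more than one distinct device: {fingerprint: [devices]}."""
    devices_by_code = defaultdict(set)
    for line in lines:
        code = _code_in(line)
        d = DEVICE_RE.search(line)
        if code and d:
            devices_by_code[fingerprint(code)].add(d.group(1))
    return {fp: sorted(devs) for fp, devs in devices_by_code.items() if len(devs) > 1}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for n, fp in find_plaintext_codes(lines):
        print(f"line {n}: enrollment code logged in plaintext (fingerprint {fp})")
    for fp, devs in find_code_reuse(lines).items():
        print(f"code {fp} reused by {', '.join(devs)}")
```

After patching, `find_plaintext_codes` over the logs written during a test enrollment should return nothing; if it still fires, the deployed build is not one of the fixed versions. The reuse check is worth keeping as a standing SIEM rule regardless, since a code that leaked before the fix remains valid until it is rotated.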