CVE-2025-47855
📋 TL;DR
An unauthenticated attacker can obtain device configuration files from vulnerable FortiFone systems by sending crafted HTTP/HTTPS requests. This affects FortiFone 7.0.0 through 7.0.1 and FortiFone 3.0.13 through 3.0.23. The exposed configuration may contain sensitive information like credentials, network details, and system settings.
💻 Affected Systems
- Fortinet FortiFone
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers obtain full device configuration including administrative credentials, VPN keys, network topology, and other sensitive data, leading to complete system compromise and lateral movement within the network.
Likely Case
Attackers harvest configuration files containing passwords, API keys, and network information to facilitate further attacks or data exfiltration.
If Mitigated
With proper network segmentation and access controls, attackers can only access configuration but cannot pivot to other systems.
🎯 Exploit Status
Exploitation requires only HTTP/HTTPS access to the device and knowledge of the specific crafted request format.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: FortiFone 7.0.2 and above, FortiFone 3.0.24 and above
Vendor Advisory: https://fortiguard.fortinet.com/psirt/FG-IR-25-260
Restart Required: Yes
Instructions:
1. Download the latest firmware from Fortinet support portal. 2. Backup current configuration. 3. Upload and install the firmware update. 4. Reboot the device. 5. Verify the update was successful.
🔧 Temporary Workarounds
Network Access Restriction
allRestrict HTTP/HTTPS access to FortiFone devices to trusted IP addresses only using firewall rules.
Disable Unnecessary Services
allDisable HTTP/HTTPS management interfaces if not required for operations.
🧯 If You Can't Patch
- Isolate vulnerable devices in separate network segments with strict access controls
- Implement network monitoring for unusual HTTP/HTTPS requests to FortiFone devices
🔍 How to Verify
Check if Vulnerable:
Check FortiFone firmware version via web interface or CLI. If version is between 7.0.0-7.0.1 or 3.0.13-3.0.23, the device is vulnerable.Check Version:
get system status | grep VersionVerify Fix Applied:
Verify firmware version is 7.0.2+ or 3.0.24+ and test that configuration files cannot be accessed via unauthenticated HTTP/HTTPS requests.📡 Detection & Monitoring
Log Indicators:
- Unusual HTTP/HTTPS requests to configuration endpoints
- Multiple failed authentication attempts followed by successful configuration access
Network Indicators:
- Unusual traffic patterns to FortiFone HTTP/HTTPS ports from untrusted sources
- Configuration file downloads via HTTP/HTTPS
SIEM Query:
source="fortifone" AND (url="*config*" OR url="*backup*") AND status=200 AND user="-"