CVE-2025-53951
📋 TL;DR
This path traversal vulnerability in Fortinet FortiDLP Agent's Outlookproxy plugin allows authenticated attackers to escalate privileges to LocalService by sending crafted requests to a local listening port. Affected users include those running vulnerable versions of FortiDLP Agent on Windows systems with the Outlookproxy plugin enabled.
💻 Affected Systems
- Fortinet FortiDLP Agent
📦 What is this software?
FortiDLP Agent is the endpoint component of Fortinet's FortiDLP data loss prevention product. On Windows it ships with an Outlookproxy plugin that exposes a local listening port, which is the component affected here.
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker gains LocalService privileges, potentially allowing them to access sensitive system resources, modify configurations, or perform further privilege escalation.
Likely Case
An authenticated user with local access escalates to LocalService to bypass security controls or access protected files.
If Mitigated
With proper network segmentation and least privilege principles, impact is limited to the local system with minimal lateral movement potential.
🎯 Exploit Status
Requires authenticated access to the Windows system and knowledge of the local listening port used by the Outlookproxy plugin.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Fortinet advisory for specific patched versions per release train
Vendor Advisory: https://fortiguard.fortinet.com/psirt/FG-IR-25-628
Restart Required: No
Instructions:
1. Review Fortinet advisory FG-IR-25-628.
2. Identify affected FortiDLP Agent versions in your environment.
3. Upgrade to patched versions as specified in the advisory.
4. Verify the Outlookproxy plugin is updated.
🔧 Temporary Workarounds
Disable Outlookproxy Plugin
Windows: Temporarily disable the vulnerable Outlookproxy plugin if immediate patching isn't possible.
Consult FortiDLP Agent documentation for plugin management commands
Restrict Local Port Access
Windows: Use Windows Firewall to restrict access to the local listening port used by Outlookproxy.
netsh advfirewall firewall add rule name="Block FortiDLP Outlookproxy" dir=in action=block protocol=TCP localport=[PORT_NUMBER]
Note that Windows Defender Firewall does not filter loopback traffic, so this rule only limits connections arriving over the network; a process already running on the host can still reach a port bound to 127.0.0.1. Since this issue requires local authenticated access, treat the rule as defence in depth rather than a substitute for disabling the plugin or patching.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate vulnerable systems
- Apply principle of least privilege to limit authenticated user access to vulnerable endpoints
🔍 How to Verify
Check if Vulnerable:
Check the FortiDLP Agent version and whether the Outlookproxy plugin is enabled on affected Windows systems.
Check Version:
Check the FortiDLP Agent GUI, or consult Fortinet documentation for version-checking commands.
Verify Fix Applied:
Verify that FortiDLP Agent has been updated to a patched version and confirm the Outlookproxy plugin version.
📡 Detection & Monitoring
Log Indicators:
- Unusual process creation by LocalService account
- Suspicious network connections to local Outlookproxy port
- Failed privilege escalation attempts in Windows security logs
Network Indicators:
- Unexpected traffic to the local Outlookproxy port from non-standard processes
- Multiple rapid connections to the local service port
SIEM Query:
Example: (process_name:"outlookproxy.exe" AND event_type:"process_creation") OR (destination_port:[OUTLOOKPROXY_PORT] AND source_ip:local_subnet)
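The log and network indicators above can be turned into simple detection logic. The following is an added example, not content from Fortinet or the advisory: it runs two rules over normalised Windows Security 4688 (process creation) and Sysmon-style event ID 3 (network connection) records. OUTLOOKPROXY_PORT is a placeholder because the page does not give the real port, EXPECTED_CLIENTS is a placeholder allowlist you would baseline in your environment, and all sample events are constructed.

```python
"""Detection logic for the CVE-2025-53951 indicators (added example, not
Fortinet's or the advisory's own content).

Assumptions, all placeholders or constructed:
  - Events are dicts normalised from Windows Security event 4688 and a
    Sysmon-style event ID 3 network-connection record.
  - OUTLOOKPROXY_PORT stands in for the real local port (not on the page).
  - EXPECTED_CLIENTS is a placeholder allowlist of images that legitimately
    talk to the Outlookproxy port; baseline it before deploying.
  - SAMPLE_EVENTS at the bottom are constructed, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath

OUTLOOKPROXY_PORT = 12345                            # placeholder port
EXPECTED_CLIENTS = {r"c:\placeholder\outlook.exe"}   # placeholder allowlist
# Binaries a service account such as LOCAL SERVICE rarely launches directly
SHELL_LIKE = {"cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "mshta.exe"}
RAPID_WINDOW = timedelta(seconds=5)   # "multiple rapid connections" threshold
RAPID_THRESHOLD = 5


def _basename(path):
    return ntpath.basename(path).lower()


def suspicious_process_creations(events):
    """Rule 1: LOCAL SERVICE launching a shell-like binary (event 4688)."""
    findings = []
    for e in events:
        if e.get("EventID") != 4688:
            continue
        if e.get("SubjectUserName", "").lower() != "local service":
            continue
        child = _basename(e["NewProcessName"])
        if child in SHELL_LIKE:
            findings.append({"rule": "local_service_shell", "child": child,
                             "parent": _basename(e.get("ParentProcessName", ""))})
    return findings


def _is_loopback(ip):
    return ip.startswith("127.") or ip == "::1"


def suspicious_outlookproxy_connections(events):
    """Rule 2: loopback connections to the Outlookproxy port from an image not
    in the allowlist (reported once per image), plus bursts of
    RAPID_THRESHOLD connections within RAPID_WINDOW from any single image."""
    findings = []
    seen_unexpected = set()
    per_image = defaultdict(list)
    for e in events:
        if e.get("EventID") != 3 or e.get("DestinationPort") != OUTLOOKPROXY_PORT:
            continue
        if not _is_loopback(e.get("DestinationIp", "")):
            continue
        image = e["Image"].lower()
        ts = datetime.fromisoformat(e["UtcTime"])
        per_image[image].append(ts)
        if image not in EXPECTED_CLIENTS and image not in seen_unexpected:
            seen_unexpected.add(image)
            findings.append({"rule": "unexpected_client", "image": image,
                             "first_seen": ts.isoformat()})
    for image, times in per_image.items():
        times.sort()
        # sliding window over sorted timestamps
        for i in range(len(times) - RAPID_THRESHOLD + 1):
            if times[i + RAPID_THRESHOLD - 1] - times[i] <= RAPID_WINDOW:
                findings.append({"rule": "rapid_connections", "image": image,
                                 "window_start": times[i].isoformat()})
                break
    return findings


def _conn(seconds, image):
    """Build a constructed event-3 record at 10:00:<seconds> UTC."""
    return {"EventID": 3, "UtcTime": f"2025-01-01T10:00:{seconds:02d}",
            "Image": image, "DestinationIp": "127.0.0.1",
            "DestinationPort": OUTLOOKPROXY_PORT}


SAMPLE_EVENTS = [  # constructed sample data
    {"EventID": 4688, "SubjectUserName": "LOCAL SERVICE",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\placeholder\outlookproxy.exe"},   # hit
    {"EventID": 4688, "SubjectUserName": "LOCAL SERVICE",
     "NewProcessName": r"C:\placeholder\worker.exe",
     "ParentProcessName": r"C:\placeholder\outlookproxy.exe"},   # benign
    {"EventID": 4688, "SubjectUserName": "alice",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe"},           # not LOCAL SERVICE
    _conn(0, r"C:\placeholder\outlook.exe"),                     # allowlisted client
] + [_conn(s, r"C:\placeholder\tool.exe") for s in range(5, 11)]  # 6 hits in 5 s

if __name__ == "__main__":
    for f in suspicious_process_creations(SAMPLE_EVENTS):
        print("ALERT", f)
    for f in suspicious_outlookproxy_connections(SAMPLE_EVENTS):
        print("ALERT", f)
```

On the constructed sample the first rule fires once (cmd.exe launched as LOCAL SERVICE) and the second fires twice for the same unexpected image: once because it is not allowlisted and once for the burst. Tune SHELL_LIKE and EXPECTED_CLIENTS against a baseline of normal agent activity before alerting on them, since LOCAL SERVICE hosts many legitimate services.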