CVE-2025-54658
📋 TL;DR
This path traversal vulnerability in the Outlookproxy plugin of Fortinet's FortiDLP Agent lets a local, authenticated user on an affected macOS host escalate privileges to root by sending crafted requests to a port the plugin exposes on the loopback interface. Multiple FortiDLP Agent versions are affected; the vendor advisory lists the exact range. Because the attacker must already have a local session, this is a post-access privilege escalation rather than a remote entry point.
💻 Affected Systems
- Fortinet FortiDLP Agent, Outlookproxy plugin, on macOS (see FG-IR-25-628 for the affected version range)
📦 What is this software?
FortiDLP is Fortinet's data loss prevention and insider-risk product; the FortiDLP Agent is the endpoint component installed on user workstations. The Outlookproxy plugin is one of the agent's components and, as its name and this advisory indicate, runs with elevated privileges and listens on a local TCP port on the macOS host.
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with root-level access, enabling installation of persistent malware, data exfiltration, and lateral movement across the network.
Likely Case
Privilege escalation from a standard user account to root, allowing attackers to bypass security controls, access sensitive files, and maintain persistence.
If Mitigated
Limited impact if the Outlookproxy plugin is disabled or its loopback port is blocked for unprivileged users, and local logins to affected Macs are restricted to trusted accounts. Network segmentation does not reduce this risk: the attack never leaves the host.
🎯 Exploit Status
Exploitation requires an authenticated session on the affected macOS host; from there the attacker needs only the ability to open a TCP connection to the plugin's loopback port, which any local user has by default. The vulnerable code is in the Outlookproxy plugin component of the agent.
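The bug class behind this advisory, as an added illustration that is not the Outlookproxy code (which this page does not show): a privileged local service joins a client-supplied name onto a trusted base directory and uses the result as a filesystem path, so "../" segments or an absolute name let an unprivileged client make the root-level service read or write anywhere. The hardened form canonicalises first and then checks containment. DEMO_ROOT is a hypothetical directory, not a real FortiDLP path.

```python
import os
import posixpath

# Hypothetical storage directory for a local plugin; the real FortiDLP paths are not on this page.
DEMO_ROOT = "/tmp/outlookproxy_demo/data"


def vulnerable_resolve(root, requested):
    """The bug class: a client-controlled name is joined to a trusted base
    directory and used as-is. '..' segments walk out of root, and an absolute
    name replaces root entirely (posixpath.join discards the left side)."""
    return posixpath.normpath(posixpath.join(root, requested))


def is_within_root(root, candidate):
    """True only if candidate, after symlink and '..' resolution, is root or a
    descendant of root. A plain string-prefix check is not enough ('/data'
    would accept '/data2'), so compare whole path components via commonpath."""
    root_real = os.path.realpath(root)
    cand_real = os.path.realpath(candidate)
    try:
        return os.path.commonpath([root_real, cand_real]) == root_real
    except ValueError:  # mixed absolute/relative or different drives
        return False


def hardened_resolve(root, requested):
    """Canonicalise, then check containment. Also reject NUL bytes, which some
    file APIs silently truncate on, turning 'safe\\x00../..' into an escape."""
    if "\x00" in requested:
        raise ValueError("NUL byte in requested name")
    candidate = os.path.join(os.path.realpath(root), requested)
    if not is_within_root(root, candidate):
        raise ValueError(f"request escapes {root}: {requested!r}")
    return os.path.realpath(candidate)


if __name__ == "__main__":
    # Constructed request names: one legitimate, three attempts to escape.
    for name in ("inbox/msg-1.eml", "../../../etc/sudoers.d/x", "/etc/passwd", "inbox/../../escape"):
        print(f"{name!r:32} vulnerable -> {vulnerable_resolve(DEMO_ROOT, name)}")
        try:
            print(f"{'':32} hardened   -> {hardened_resolve(DEMO_ROOT, name)}")
        except ValueError as exc:
            print(f"{'':32} hardened   -> rejected ({exc})")
```

The containment check must run on the resolved path, not the raw request: normalising first and then checking, or checking for ".." as a substring, misses absolute names, symlinks inside the base directory, and encodings the file API decodes later.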
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not stated on this page; refer to Fortinet advisory FG-IR-25-628 for the fixed FortiDLP Agent versions
Vendor Advisory: https://fortiguard.fortinet.com/psirt/FG-IR-25-628
Restart Required: Yes
Instructions:
1. Review Fortinet advisory FG-IR-25-628 for the affected and fixed version ranges.
2. Upgrade the FortiDLP Agent on each affected macOS host to a fixed version.
3. Restart the affected systems.
4. Verify that the installed agent version matches the fixed version from the advisory.
🔧 Temporary Workarounds
Disable Outlookproxy plugin
macOS: Temporarily disable the vulnerable Outlookproxy plugin component. Consult Fortinet documentation for the plugin disable procedure. This removes the local listening port and with it the attack surface, at the cost of whatever inspection the plugin performs.
Restrict local port access
macOS: Use pf to stop unprivileged local users from reaching the plugin's listening port. The port number is not given on this page; read it from the agent's configuration or find the outlookproxy process with sudo lsof -nP -iTCP -sTCP:LISTEN, then substitute it for 60123 below, which is a placeholder. pf's user option matches the UID that owns the local socket, so the rules block every local client except root. Since that also blocks the plugin's legitimate local clients, treat this as functionally equivalent to disabling the plugin, and make sure /etc/pf.conf does not contain set skip on lo0, or the rules never see loopback traffic.
Append to /etc/pf.conf, after the existing anchor lines:
oproxy_port = "60123"
block out quick on lo0 proto tcp from any to 127.0.0.1 port $oproxy_port user != root
block out quick on lo0 proto tcp from any to ::1 port $oproxy_port user != root
Then load the ruleset and enable pf:
sudo pfctl -f /etc/pf.conf
sudo pfctl -e
Confirm from an unprivileged shell that nc -z 127.0.0.1 60123 now fails, and remove the rules once the agent is patched.
🧯 If You Can't Patch
- Restrict interactive and remote logins (SSH, screen sharing) on affected Macs to trusted administrators, since the attacker must already be a local user
- Disable the Outlookproxy plugin or block its loopback port for unprivileged users (see Temporary Workarounds), and monitor for the indicators below
🔍 How to Verify
Check if Vulnerable:
Read the installed FortiDLP Agent version on each macOS host and compare it against the affected range in FG-IR-25-628. A host is exposed only if it runs an affected version and the Outlookproxy plugin is enabled; on a live system the enabled plugin shows up as an outlookproxy process holding a loopback TCP listener (sudo lsof -nP -iTCP -sTCP:LISTEN).
Check Version:
Read the agent version from the management console the agents report to, or from the local agent interface on the host.
Verify Fix Applied:
Confirm the installed version is at or above the fixed version in the advisory. If you applied the pf workaround instead, confirm from an unprivileged shell that a TCP connection to the plugin port is refused (nc -z 127.0.0.1 <port> returns non-zero) and that the rule survives a reboot.
📡 Detection & Monitoring
Log Indicators:
- Root-owned processes whose parent is the outlookproxy plugin process, especially shells or interpreters
- Files created or modified by the plugin process outside its own install and data directories, in particular under root-only persistence locations such as /etc/sudoers.d, /Library/LaunchDaemons or /etc/pam.d
- Failed privilege escalation attempts, including malformed or traversal-style requests rejected by the plugin
Network Indicators:
- Loopback connections to the plugin's listening port from unexpected client processes
- Bursts of connection attempts to the Outlookproxy port from a single unprivileged user
SIEM Query:
Process creation where the parent image path contains 'outlookproxy', the child runs as root (uid 0) and the child image is not itself a FortiDLP component; correlate with file-write events from the outlookproxy process whose target path contains '..' segments or resolves outside the agent's install directory.
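The detection logic above, run over constructed sample telemetry, as an added example. This is not FortiDLP or any EDR vendor's own tooling: the JSON-lines event schema, the install path under /Library/Application Support/FortiDLP/ used as the allowed write prefix, and the connection-burst threshold are assumptions that have to be mapped onto your real sensor's fields and the agent's actual install location.

```python
import json
import posixpath
from collections import Counter

# Assumption: where the agent is expected to write. Adjust to the real install location.
ALLOWED_WRITE_PREFIXES = ("/Library/Application Support/FortiDLP/",)
# Assumption: how many loopback connects from one unprivileged user to one port count as a burst.
LOCAL_CONNECT_THRESHOLD = 5

# Constructed sample telemetry in a made-up JSON-lines schema (not FortiDLP's, not any real EDR's).
# Paths under /Library/Application Support/FortiDLP/ are hypothetical.
SAMPLE_EVENTS = """\
{"type": "connect", "uid": 501, "process_path": "/usr/bin/curl", "dst": "127.0.0.1", "dst_port": 60123}
{"type": "connect", "uid": 501, "process_path": "/usr/bin/curl", "dst": "127.0.0.1", "dst_port": 60123}
{"type": "connect", "uid": 501, "process_path": "/usr/bin/curl", "dst": "127.0.0.1", "dst_port": 60123}
{"type": "connect", "uid": 501, "process_path": "/usr/bin/curl", "dst": "127.0.0.1", "dst_port": 60123}
{"type": "connect", "uid": 501, "process_path": "/usr/bin/curl", "dst": "127.0.0.1", "dst_port": 60123}
{"type": "file_write", "uid": 0, "process_path": "/Library/Application Support/FortiDLP/plugins/outlookproxy", "path": "/Library/Application Support/FortiDLP/plugins/outlookproxy/cache/msg-42.eml"}
{"type": "file_write", "uid": 0, "process_path": "/Library/Application Support/FortiDLP/plugins/outlookproxy", "path": "/Library/Application Support/FortiDLP/plugins/outlookproxy/cache/../../../../../../etc/sudoers.d/pwn"}
{"type": "exec", "uid": 0, "parent_path": "/Library/Application Support/FortiDLP/plugins/outlookproxy", "path": "/bin/zsh", "argv": ["zsh", "-c", "id"]}
{"type": "exec", "uid": 0, "parent_path": "/usr/libexec/launchd", "path": "/Library/Application Support/FortiDLP/plugins/outlookproxy", "argv": ["outlookproxy"]}
"""


def is_outlookproxy(path):
    return "outlookproxy" in (path or "").lower()


def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Apply the three indicator rules from the page and return one alert dict per hit."""
    alerts = []
    connects = Counter()
    for e in events:
        kind = e.get("type")
        # Rule 1: the SIEM query. A root child of the plugin that is not itself a FortiDLP
        # component (launchd starting the plugin is normal and must not fire).
        if (kind == "exec" and e.get("uid") == 0
                and is_outlookproxy(e.get("parent_path")) and not is_outlookproxy(e.get("path"))):
            alerts.append({"rule": "root_child_of_outlookproxy",
                           "path": e["path"], "argv": e.get("argv")})
        # Rule 2: the plugin writing via '..' segments or outside its allowed prefixes.
        # Check the raw path for '..' AND the normalised path for containment: the
        # sensor may record either form, and prefix checks alone miss traversal.
        elif kind == "file_write" and is_outlookproxy(e.get("process_path")):
            raw = e["path"]
            resolved = posixpath.normpath(raw)
            escapes = ".." in raw.split("/") or not resolved.startswith(ALLOWED_WRITE_PREFIXES)
            if escapes:
                alerts.append({"rule": "outlookproxy_write_outside_dir",
                               "path": raw, "resolved": resolved})
        # Rule 3: count loopback connects per (unprivileged uid, port) and flag bursts.
        elif kind == "connect" and e.get("dst") in ("127.0.0.1", "::1") and e.get("uid") != 0:
            connects[(e["uid"], e["dst_port"])] += 1
    for (uid, port), n in connects.items():
        if n >= LOCAL_CONNECT_THRESHOLD:
            alerts.append({"rule": "repeated_local_connects",
                           "uid": uid, "dst_port": port, "count": n})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(alert))
```

Rule 3 is noisy on its own (any local client that reconnects often will trip it), so treat it as a correlation signal for rules 1 and 2 rather than a standalone alert, and raise the threshold to match the plugin's normal connection rate once you have a baseline.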