CVE-2025-54971
📋 TL;DR
This vulnerability allows read-only administrators in Fortinet FortiADC to access external resource passwords through system logs. It affects multiple FortiADC versions from 6.2 through 7.4.0. The exposure occurs when passwords are logged in plaintext or insufficiently protected formats.
💻 Affected Systems
- Fortinet FortiADC
📦 What is this software?
FortiADC by Fortinet
⚠️ Risk & Real-World Impact
Worst Case
Read-only admin escalates privileges by obtaining credentials for external systems, potentially compromising connected infrastructure or using credentials for lateral movement.
Likely Case
Internal read-only admin accesses sensitive passwords for monitoring systems, databases, or external services, violating least privilege and potentially enabling further unauthorized access.
If Mitigated
With proper access controls and log monitoring, impact is limited to authorized personnel viewing sensitive data they shouldn't have access to, but no system compromise occurs.
🎯 Exploit Status
Exploitation requires read-only admin access and access to system logs where passwords are exposed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Fortinet advisory for specific patched versions
Vendor Advisory: https://fortiguard.fortinet.com/psirt/FG-IR-25-686
Restart Required: Yes
Instructions:
1. Review Fortinet advisory FG-IR-25-686.
2. Upgrade to the patched version specified by Fortinet.
3. Restart FortiADC services.
4. Verify that logs no longer contain sensitive passwords.
🔧 Temporary Workarounds
Restrict log access
Limit read-only admin access to logs containing sensitive information by assigning a restricted access profile (replace [admin-username] with the account to restrict):
config system admin
edit [admin-username]
set accprofile "restricted_profile"
next
end
Disable sensitive logging
Configure logging to exclude sensitive password information (confirm the exact option name against the CLI reference for your FortiADC version before applying):
config log syslogd setting
set exclude-sensitive enable
end
🧯 If You Can't Patch
- Implement strict access controls to limit which administrators can view system logs
- Regularly audit log access and monitor for unusual log viewing patterns
🔍 How to Verify
Check if Vulnerable:
Check if read-only admin can view logs containing password strings or external resource credentials
Check Version:
get system status | grep Version
Verify Fix Applied:
Verify that logs no longer display plaintext passwords for external resources when viewed by read-only admin
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access to log files by read-only admins
- Log entries containing password strings or credential patterns
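A way to check an exported log for the exposure described above (plaintext credential values in key=value fields or user:password@host URLs), covering both the "Verify Fix Applied" step and the log indicators listed here. This is an added example, not part of the original advisory or a Fortinet tool; the log lines it scans are constructed samples in a generic key=value style, not real FortiADC output.

```python
import re
from typing import Dict, List

# Keys whose values should never appear unmasked in a log export.
SENSITIVE_KEYS = ("password", "passwd", "pwd", "secret", "token", "api_key")

# A value counts as masked when it is empty or is only a placeholder (******, [REDACTED], ...).
MASK_RE = re.compile(r'^(\*+|x+|\[redacted\]|<hidden>|ENC\(.*\))$', re.IGNORECASE)

# key=value or key="quoted value" for any sensitive key.
KV_RE = re.compile(r'\b(' + '|'.join(SENSITIVE_KEYS) + r')\s*=\s*("[^"]*"|\S+)', re.IGNORECASE)
# scheme://user:password@host, i.e. a credential embedded in a URL.
URL_CRED_RE = re.compile(r'[a-z][a-z0-9+.-]*://([^\s/:@"]+):([^\s/@"]+)@', re.IGNORECASE)


def is_masked(value: str) -> bool:
    v = value.strip('"')
    return v == "" or bool(MASK_RE.match(v))


def scan_line(line: str) -> List[str]:
    """Return the sensitive fields whose values are exposed in plaintext on this line."""
    exposed = [key.lower() for key, value in KV_RE.findall(line) if not is_masked(value)]
    if URL_CRED_RE.search(line):
        exposed.append("url-embedded-credential")
    return exposed


def scan_log(text: str) -> List[Dict[str, object]]:
    """Scan a whole log export; each finding records the line number and exposed fields."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        fields = scan_line(line)
        if fields:
            findings.append({"line": lineno, "fields": fields})
    return findings


# Constructed sample export (hypothetical lines, not real device output).
SAMPLE_LOG = """\
date=2025-01-01 time=10:00:01 user="ro-admin" action="view-log" status=success
date=2025-01-01 time=10:00:02 msg="external resource updated" resource="db01" password="hunter2"
date=2025-01-01 time=10:00:03 msg="external resource updated" resource="db02" password="******"
date=2025-01-01 time=10:00:04 msg="health check" url="https://svc:s3cr3t@monitor.example/api"
date=2025-01-01 time=10:00:05 msg="password policy updated" min_length=12
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: exposed {', '.join(f['fields'])}")
```

Run it against a log export taken while logged in as a read-only admin; an empty result after patching is the expected outcome, while any finding means the exposure is still present.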
Network Indicators:
- Unusual log access patterns from read-only admin accounts
SIEM Query:
source="fortiadc" AND (event_type="log_access" OR message="*password*") AND user_role="read-only"