CVE-2025-61713
📋 TL;DR
This vulnerability allows authenticated administrators with CLI read-write privileges in FortiPAM to obtain other administrators' credentials through diagnose commands. It affects all versions of FortiPAM from 1.0 through 1.6.0. The issue involves cleartext storage of sensitive information in memory (CWE-316).
💻 Affected Systems
- Fortinet FortiPAM
📦 What is this software?
Fortipam by Fortinet
⚠️ Risk & Real-World Impact
Worst Case
An attacker with admin privileges could obtain all administrator credentials, leading to complete system compromise, privilege escalation, and potential lateral movement to other systems.
Likely Case
Malicious insider or compromised admin account could harvest credentials of other administrators, enabling persistent access and privilege escalation within the FortiPAM environment.
If Mitigated
With proper access controls and monitoring, impact is limited to credential exposure of administrators who have logged in recently, requiring immediate credential rotation.
🎯 Exploit Status
Exploitation requires authenticated admin access to CLI. The vulnerability is in diagnose commands that expose credentials stored in memory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: FortiPAM 1.6.1 and later
Vendor Advisory: https://fortiguard.fortinet.com/psirt/FG-IR-25-789
Restart Required: Yes
Instructions:
1. Download FortiPAM 1.6.1 or later from Fortinet support portal. 2. Backup current configuration. 3. Upload and install the new firmware via GUI or CLI. 4. Reboot the appliance after installation completes.
🔧 Temporary Workarounds
Restrict CLI Access
allLimit CLI access to only trusted administrators and implement strict access controls.
config system admin
edit <admin_name>
set accprofile "prof_admin"
set vdom "root"
next
end
Monitor Admin Activity
allEnable detailed logging of administrator CLI commands and monitor for suspicious diagnose command usage.
config log eventfilter
set cli enable
end
config log syslogd setting
set status enable
set server "<syslog_server>"
end
🧯 If You Can't Patch
- Implement strict principle of least privilege for admin accounts and regularly rotate administrator credentials.
- Enable comprehensive logging and monitoring of all CLI activities, with alerts for unusual diagnose command usage.
🔍 How to Verify
Check if Vulnerable:
Check FortiPAM version via CLI: 'get system status' or GUI: System > Dashboard. If version is 1.6.0 or earlier (any 1.x version), the system is vulnerable.Check Version:
get system status | grep VersionVerify Fix Applied:
After patching, verify version is 1.6.1 or later using 'get system status' command. Test that diagnose commands no longer expose credential information.📡 Detection & Monitoring
Log Indicators:
- Unusual diagnose command execution by administrators
- Multiple failed login attempts followed by successful admin login
- CLI commands accessing memory or credential-related functions
Network Indicators:
- Unusual SSH/CLI connections to FortiPAM management interface
- Traffic patterns indicating credential harvesting activities
SIEM Query:
source="fortipam" AND (event_type="cli_command" AND command="diagnose*") | stats count by user, command