CVE-2025-47855 Overview
CVE-2025-47855 is an information disclosure vulnerability affecting Fortinet FortiFone devices. The flaw is classified as Exposure of Sensitive Information to an Unauthorized Actor [CWE-200]. An unauthenticated remote attacker can retrieve the full device configuration by sending crafted HTTP or HTTPS requests to an affected FortiFone unit.
The issue affects FortiFone versions 7.0.0 through 7.0.1 and FortiFone versions 3.0.13 through 3.0.23. Because exposed configuration data may contain credentials, network topology, and provisioning secrets, attackers can use the disclosed information to pivot deeper into the targeted environment.
Critical Impact
An unauthenticated network attacker can obtain the complete FortiFone device configuration over HTTP or HTTPS, exposing credentials and infrastructure details that enable follow-on compromise.
Affected Products
- Fortinet FortiFone 7.0.0 through 7.0.1
- Fortinet FortiFone 3.0.13 through 3.0.23
- Only the device's own HTTP/HTTPS management interface is in scope; PBX and provisioning servers are affected indirectly, through credentials disclosed in the phone configuration
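The two affected branches are easy to mis-triage with string comparison (lexically, "3.0.9" sorts above "3.0.23"). The following script, an added example that is not code from the page or from Fortinet, checks a constructed phone inventory against the version ranges listed above. It deliberately encodes no fixed versions, because the page does not state them: a phone outside the listed ranges is reported as "not in listed range", not as patched, and FG-IR-25-260 remains the authority for that.

```python
"""Triage a FortiFone firmware inventory against the CVE-2025-47855 affected ranges.

Added example, not code from the page or from Fortinet. The inventory below is
constructed; the version ranges are the ones the page lists.
"""

# Inclusive (low, high) tuples for the ranges listed on the page.
AFFECTED_RANGES = [
    ((7, 0, 0), (7, 0, 1)),
    ((3, 0, 13), (3, 0, 23)),
]

# Constructed inventory: (hostname, ip, reported firmware version)
SAMPLE_INVENTORY = [
    ("fon-lobby-01", "10.20.5.11", "3.0.23"),
    ("fon-lobby-02", "10.20.5.12", "3.0.24"),
    ("fon-exec-01", "10.20.5.13", "7.0.1"),
    ("fon-exec-02", "10.20.5.14", "7.0.2"),
    ("fon-lab-01", "10.20.5.15", "3.0.9"),
    ("fon-lab-02", "10.20.5.16", "build-unknown"),
]


def parse_version(text):
    """Parse 'major.minor.patch' into an int tuple so comparisons are numeric."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiFone version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version):
    """True if the version falls inside one of the listed affected ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def triage(inventory):
    """Classify each phone; affected devices first, then unparseable versions."""
    rows = []
    for host, ip, ver in inventory:
        try:
            status = "affected" if is_affected(ver) else "not in listed range"
        except ValueError:
            status = "unknown version"   # needs manual inspection, never silently "safe"
        rows.append({"host": host, "ip": ip, "version": ver, "status": status})
    order = {"affected": 0, "unknown version": 1, "not in listed range": 2}
    rows.sort(key=lambda r: (order[r["status"]], r["host"]))
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(f"{row['status']:20} {row['host']:14} {row['ip']:12} {row['version']}")
```

Feed it the output of whatever inventory export you have; anything it reports as "unknown version" should be checked by hand rather than dropped from the patch list.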
Discovery Timeline
- 2026-01-13 - CVE-2025-47855 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-47855
Vulnerability Analysis
The vulnerability resides in the HTTP and HTTPS management interfaces exposed by FortiFone devices. Affected firmware does not enforce authentication on at least one endpoint that returns the device configuration. A remote attacker can issue crafted HTTP or HTTPS requests to retrieve the configuration file without credentials or user interaction.
FortiFone configuration data typically includes SIP account credentials, provisioning server URLs, administrative passwords, and network parameters. Attackers who obtain this data can impersonate the phone, intercept calls, or extract credentials that grant access to upstream PBX and provisioning infrastructure.
The Exploit Prediction Scoring System (EPSS) placed this issue in the upper percentile range relative to the broader CVE population at the time of writing, indicating an elevated probability of exploitation activity; EPSS scores are recomputed daily, so re-check the current score before using it for prioritization. No public proof-of-concept exploit and no confirmed in-the-wild exploitation are listed at publication time.
Root Cause
The root cause is missing or improperly enforced access control on a configuration-serving HTTP/HTTPS endpoint within the FortiFone management interface. The endpoint returns sensitive data without verifying the requester's identity, satisfying the conditions for CWE-200.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker with network reachability to a FortiFone device sends crafted HTTP or HTTPS requests to the affected endpoint. The device responds with configuration data, completing the disclosure with a single request flow.
FortiFone devices reachable from untrusted segments, branch offices, or the public internet face the highest exposure. Internal attackers who already have a foothold can use the same technique to harvest credentials and accelerate lateral movement.
Detection Methods for CVE-2025-47855
Indicators of Compromise
- Unexpected HTTP or HTTPS requests to FortiFone management interfaces from non-administrative source addresses. Over HTTPS the request path is not visible to network sensors, so base the indicator on source, destination, and port rather than on the URL.
- Outbound transfers of configuration-sized responses from FortiFone devices to external or unusual internal hosts.
- Authentication anomalies on SIP, PBX, or provisioning servers that share credentials with FortiFone devices.
Detection Strategies
- Inspect firewall, flow, and proxy logs for connections to FortiFone devices on ports 80 and 443 from hosts that are not authorized administrators. The phone itself is the web server, so do not rely on having rich access logs from the device.
- Correlate FortiFone access logs with a directory of authorized administrators and management workstations.
- Hunt for repeated configuration-fetch patterns from a single source touching many phones in a short window, indicating scanning or mass extraction.
Monitoring Recommendations
- Alert on any HTTP or HTTPS access to FortiFone management interfaces originating outside the management VLAN.
- Track SIP credential reuse and unusual registration sources at the PBX to catch downstream abuse.
- Forward FortiFone and surrounding network telemetry into a centralized SIEM or data lake for retrospective hunting against the published indicators.
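The hunting logic above, written out as an added example that is not code from the page or from Fortinet. It runs over a constructed, firewall-style connection log (timestamp, source, destination, destination port, bytes returned to the client) and flags management-port hits on inventoried phones from outside the admin VLAN, escalates external sources and configuration-sized responses, and reports any single source that touched several phones. The inventory, admin VLAN, internal address ranges, and the byte threshold are assumptions; adjust them to your environment.

```python
"""Hunt for off-VLAN access to FortiFone web management and mass config-fetch patterns.

Added example, not code from the page or from Fortinet. The log format, phone
inventory, management VLAN, internal ranges and byte threshold are assumptions;
the log lines are constructed for the example.
"""
import ipaddress
from collections import defaultdict

# Assumptions: phone inventory, the admin VLAN, and internal address space.
FORTIFONE_HOSTS = {"10.20.5.11", "10.20.5.12", "10.20.5.13"}
ADMIN_NETS = [ipaddress.ip_network("10.10.50.0/24")]
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MGMT_PORTS = {80, 443}
CONFIG_SIZE_BYTES = 8192     # assumption: a full config dump is far larger than a login page
MASS_FETCH_MIN_TARGETS = 3   # one source touching this many phones looks like scanning

# Constructed log: timestamp src dst dport bytes_to_client
SAMPLE_LOG = """\
2026-02-01T09:01:10Z 10.10.50.7 10.20.5.11 443 2210
2026-02-01T09:05:42Z 10.30.8.23 10.20.5.11 80 14880
2026-02-01T09:05:43Z 10.30.8.23 10.20.5.12 80 14912
2026-02-01T09:05:44Z 10.30.8.23 10.20.5.13 80 14790
2026-02-01T09:07:00Z 10.30.9.5 10.20.5.12 5060 640
2026-02-01T09:08:15Z 203.0.113.9 10.20.5.11 443 14880
2026-02-01T09:09:30Z 10.30.9.5 10.20.5.12 443 1980
"""


def in_any(ip, nets):
    return any(ip in net for net in nets)


def parse_line(line):
    ts, src, dst, dport, nbytes = line.split()
    return {"ts": ts, "src": ipaddress.ip_address(src), "dst": dst,
            "dport": int(dport), "bytes": int(nbytes)}


def hunt(log_text):
    """Return (findings, mass_fetch) for management-port hits on FortiFone hosts."""
    findings = []
    targets_by_src = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["dst"] not in FORTIFONE_HOSTS or ev["dport"] not in MGMT_PORTS:
            continue                      # SIP/RTP and non-phone traffic: out of scope
        if in_any(ev["src"], ADMIN_NETS):
            continue                      # expected administrative access
        reasons = ["off-VLAN management access"]
        severity = "medium"
        if not in_any(ev["src"], INTERNAL_NETS):
            reasons.append("external source")
            severity = "high"
        if ev["bytes"] >= CONFIG_SIZE_BYTES:
            reasons.append("configuration-sized response")
            severity = "high"
        findings.append({"ts": ev["ts"], "src": str(ev["src"]), "dst": ev["dst"],
                         "dport": ev["dport"], "severity": severity, "reasons": reasons})
        targets_by_src[str(ev["src"])].add(ev["dst"])
    mass_fetch = {src: sorted(t) for src, t in targets_by_src.items()
                  if len(t) >= MASS_FETCH_MIN_TARGETS}
    return findings, mass_fetch


if __name__ == "__main__":
    findings, mass_fetch = hunt(SAMPLE_LOG)
    for f in findings:
        print(f"{f['severity']:6} {f['ts']} {f['src']} -> {f['dst']}:{f['dport']} "
              f"({', '.join(f['reasons'])})")
    for src, phones in mass_fetch.items():
        print(f"mass-fetch candidate: {src} touched {len(phones)} phones: {phones}")
```

Because the logic uses only connection metadata, it works equally on HTTP and HTTPS traffic and on firewall or NetFlow exports, which is where you are most likely to have visibility of the phones; the byte threshold is the one knob to tune, by measuring a legitimate login-page response against a known configuration export in your own environment.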
How to Mitigate CVE-2025-47855
Immediate Actions Required
- Upgrade FortiFone devices to a fixed release as identified in the Fortinet Security Advisory FG-IR-25-260.
- Restrict HTTP and HTTPS access to FortiFone management interfaces to dedicated administrative networks only.
- Rotate the SIP, administrative, and provisioning credentials stored in the configuration of any affected device that was reachable from untrusted networks, on the assumption that they have already been read.
Patch Information
Fortinet has published guidance for CVE-2025-47855 in advisory FG-IR-25-260. Administrators should follow the vendor advisory for the specific fixed firmware versions corresponding to FortiFone 7.0.x and 3.0.x branches. Refer to the Fortinet Security Advisory for authoritative version mapping and upgrade instructions.
Workarounds
- Place FortiFone devices behind a firewall that blocks inbound HTTP and HTTPS from untrusted segments.
- Disable remote management interfaces on devices that do not require web-based administration.
- Enforce network segmentation so that FortiFone endpoints cannot be reached directly from user or guest networks.
! Example Cisco IOS named extended ACL restricting FortiFone web management to a single admin subnet
ip access-list extended FORTIFONE_MGMT
 remark allow web management only from the admin subnet; log everything else for hunting
 permit tcp 10.10.50.0 0.0.0.255 host <fortifone-ip> eq 443
 permit tcp 10.10.50.0 0.0.0.255 host <fortifone-ip> eq 80
 deny   tcp any host <fortifone-ip> eq 443 log
 deny   tcp any host <fortifone-ip> eq 80 log
 remark IOS ACLs end with an implicit deny; keep SIP, RTP and other traffic flowing
 permit ip any any
! Apply inbound on the interface facing user or guest segments: ip access-group FORTIFONE_MGMT in
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


