CVE-2025-55717 Overview
CVE-2025-55717 is a cleartext storage of sensitive information vulnerability [CWE-312] affecting multiple Fortinet products, including FortiMail, FortiRecorder, and FortiVoice. An authenticated administrator with command-line interface (CLI) access can retrieve other users' secrets stored in cleartext on affected devices. The flaw requires both high privileges and user interaction, which limits practical exploitability.
Critical Impact
An authenticated malicious administrator can obtain stored user secrets via CLI commands across affected FortiMail, FortiRecorder, and FortiVoice versions.
Affected Products
- Fortinet FortiMail 7.0.0 through 7.0.8, 7.2.0 through 7.2.7, 7.4.0 through 7.4.4, and 7.6.0 through 7.6.2
- Fortinet FortiRecorder 6.4 (all versions), 7.0 (all versions), and 7.2.0 through 7.2.3
- Fortinet FortiVoice 7.0.0 through 7.0.6 and 7.2.0
Discovery Timeline
- 2026-03-10 - CVE-2025-55717 published to NVD
- 2026-03-12 - Last updated in NVD database
Technical Details for CVE-2025-55717
Vulnerability Analysis
The vulnerability resides in how affected Fortinet products store sensitive user data. Secrets are written to storage without encryption or sufficient access controls. An authenticated administrator can issue CLI commands that disclose these cleartext secrets belonging to other users on the device.
The issue is classified under [CWE-312] Cleartext Storage of Sensitive Information. Confidentiality impact is high, but the vulnerability does not affect integrity or availability of the targeted system.
Exploitation is constrained by preconditions outside the attacker's control. The attacker must already hold administrative credentials, must access the device locally through the CLI, and must satisfy user interaction requirements. These conditions narrow the realistic threat to insider abuse or post-compromise lateral activity.
Root Cause
The root cause is the absence of encryption-at-rest for user secrets stored within FortiMail, FortiRecorder, and FortiVoice. Because sensitive values are persisted as plaintext, any administrator with CLI command access can read them directly. The product design did not apply cryptographic protection or scoped access controls to prevent administrators from viewing secrets belonging to other accounts.
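The two controls the root-cause paragraph says were missing, cryptographic protection of stored secrets and access scoped to the owning account, shown in an added standard-library Python example. This is not Fortinet code and does not describe how the affected products store data; the SecretStore class, the AccessDenied exception, the record layout and the api_token field are assumptions made for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


class AccessDenied(PermissionError):
    """Raised when a caller asks for a secret that is not scoped to it (hypothetical)."""


@dataclass
class _Record:
    salt: bytes
    pw_hash: bytes
    api_token: str          # hypothetical recoverable secret owned by the user


class SecretStore:
    """Per-user secret storage that never hands one account's secrets to another."""

    def __init__(self):
        self._records = {}
        self.audit_log = []  # every read/rotate attempt, allowed or not

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        # scrypt is memory-hard, so a leaked record cannot be cheaply brute-forced.
        return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)

    def create_user(self, user: str, password: str, api_token: str) -> None:
        salt = os.urandom(16)
        self._records[user] = _Record(salt, self._hash(password, salt), api_token)

    def verify_password(self, user: str, candidate: str) -> bool:
        rec = self._records.get(user)
        if rec is None:
            return False
        return hmac.compare_digest(rec.pw_hash, self._hash(candidate, rec.salt))

    def read_api_token(self, caller: str, user: str) -> str:
        """Only the owner may read its token; any other caller, admin included, is denied."""
        allowed = caller == user
        self.audit_log.append({"caller": caller, "target": user, "action": "read", "allowed": allowed})
        if not allowed:
            raise AccessDenied(f"{caller} may not read secrets belonging to {user}")
        return self._records[user].api_token

    def rotate_api_token(self, caller: str, user: str, is_admin: bool = False) -> str:
        """An administrator may replace a user's secret without ever seeing the old value."""
        if caller != user and not is_admin:
            raise AccessDenied(f"{caller} may not rotate secrets belonging to {user}")
        new_token = os.urandom(24).hex()
        self._records[user].api_token = new_token
        self.audit_log.append({"caller": caller, "target": user, "action": "rotate", "allowed": True})
        return new_token

    def export_config(self) -> dict:
        """What a configuration dump exposes: salted hashes only, no tokens, no plaintext."""
        return {u: {"salt": r.salt.hex(), "pw_hash": r.pw_hash.hex()} for u, r in self._records.items()}
```

The design point is that the administrator role gets a rotate operation instead of a read operation: an admin can invalidate and replace a user's secret, which covers the legitimate support case, but no CLI-level view of the store returns another account's plaintext, and the attempt is logged either way.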
Attack Vector
The attack vector is local and requires high privileges with user interaction. A malicious administrator authenticates to a vulnerable FortiMail, FortiRecorder, or FortiVoice instance and runs CLI commands that reveal stored secrets in plaintext. The harvested credentials can then be used for follow-on actions such as impersonating users, accessing third-party services, or pivoting within the environment.
No public proof-of-concept is available, and the EPSS probability of exploitation remains very low.
Detection Methods for CVE-2025-55717
Indicators of Compromise
- CLI sessions from administrator accounts issuing commands that read or export user secret material outside of routine configuration tasks.
- Unexpected administrator logins to FortiMail, FortiRecorder, or FortiVoice management interfaces from atypical source addresses or at unusual hours.
- Audit log entries showing repeated configuration export or show-style commands targeting credential-bearing objects.
Detection Strategies
- Enable comprehensive CLI command auditing on affected Fortinet devices and forward logs to a centralized SIEM for review.
- Baseline normal administrator behavior and alert on deviations such as bulk reads of user-related configuration sections.
- Correlate administrator CLI activity with privileged access management (PAM) session approvals to identify out-of-band access.
Monitoring Recommendations
- Monitor authentication events on FortiMail, FortiRecorder, and FortiVoice for new or rarely used administrator accounts.
- Track configuration export and backup operations, including the source account, source IP, and timestamp.
- Review change-management records against administrator CLI activity to surface unauthorized or unjustified secret access.
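The detection strategies and monitoring recommendations above (bulk reads of credential-bearing configuration sections, export and backup operations from untrusted addresses, off-hours administrator logins) as one added Python example run over constructed audit events. This is not a Fortinet feature or log format: the key=value layout, the field names (date, time, action, user, srcip, cmd), the list of sensitive sections, the trusted subnet, the threshold and the working hours are all assumptions for the example and must be mapped to the real device's log schema and your own baseline.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed key=value event format for this example; real field names differ per product.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Assumed configuration sections that carry other users' secret material.
SENSITIVE_SECTIONS = ("user", "ldap", "radius", "admin", "password")
TRUSTED_MGMT_NET = ip_network("10.10.0.0/24")  # assumed management subnet
BULK_THRESHOLD = 5                              # sensitive reads per window before alerting
WINDOW = timedelta(minutes=10)
WORK_HOURS = range(7, 20)                       # 07:00-19:59 local, assumed change window


def parse_event(line: str) -> dict:
    """Turn one key=value line into a dict with a parsed 'ts' datetime."""
    ev = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    ev["ts"] = datetime.strptime(f"{ev['date']} {ev['time']}", "%Y-%m-%d %H:%M:%S")
    return ev


def is_sensitive_read(ev: dict) -> bool:
    """A show/get command whose target section is one that stores secrets."""
    cmd = ev.get("cmd", "")
    return cmd.split(" ", 1)[0] in ("show", "get") and any(s in cmd for s in SENSITIVE_SECTIONS)


def detect(lines):
    """Return (rule, admin, srcip, timestamp) tuples for each suspicious event."""
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["ts"])
    alerts = []
    recent_reads = defaultdict(list)  # admin -> timestamps of sensitive reads in the window
    for ev in events:
        user, src, ts, action = ev.get("user"), ev.get("srcip"), ev["ts"], ev.get("action")
        if action == "login" and ts.hour not in WORK_HOURS:
            alerts.append(("off_hours_login", user, src, ts))
        if action in ("config-export", "backup") and src and ip_address(src) not in TRUSTED_MGMT_NET:
            alerts.append(("export_from_untrusted_ip", user, src, ts))
        if is_sensitive_read(ev):
            window = [t for t in recent_reads[user] if ts - t <= WINDOW] + [ts]
            recent_reads[user] = window
            if len(window) == BULK_THRESHOLD:  # fire once, when the threshold is first reached
                alerts.append(("bulk_secret_reads", user, src, ts))
    return alerts


# Constructed sample events: one admin reading several credential sections at 02:00
# from a non-management address, then exporting the config; one routine admin session.
SAMPLE_LOG = [
    'date=2026-03-12 time=02:14:05 type=event subtype=admin action=login user="netops2" srcip=203.0.113.7 ui=ssh',
    'date=2026-03-12 time=02:15:10 type=event subtype=admin action=cli user="netops2" srcip=203.0.113.7 cmd="show user local"',
    'date=2026-03-12 time=02:15:40 type=event subtype=admin action=cli user="netops2" srcip=203.0.113.7 cmd="show user ldap"',
    'date=2026-03-12 time=02:16:05 type=event subtype=admin action=cli user="netops2" srcip=203.0.113.7 cmd="show user radius"',
    'date=2026-03-12 time=02:16:30 type=event subtype=admin action=cli user="netops2" srcip=203.0.113.7 cmd="show system admin"',
    'date=2026-03-12 time=02:17:00 type=event subtype=admin action=cli user="netops2" srcip=203.0.113.7 cmd="get user password-policy"',
    'date=2026-03-12 time=02:20:00 type=event subtype=admin action=config-export user="netops2" srcip=203.0.113.7',
    'date=2026-03-12 time=09:30:00 type=event subtype=admin action=login user="netops" srcip=10.10.0.12 ui=ssh',
    'date=2026-03-12 time=09:31:00 type=event subtype=admin action=cli user="netops" srcip=10.10.0.12 cmd="show system interface"',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Run against the constructed sample, the routine netops session produces nothing while the netops2 session yields three alerts in time order: the off-hours login, the bulk-read rule firing on the fifth sensitive read, and the export from an address outside the trusted subnet. Correlating those three on one account and source address within minutes is the pattern the indicators section describes; the threshold and window are the knobs to tune against a real baseline.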
How to Mitigate CVE-2025-55717
Immediate Actions Required
- Apply the fixed firmware versions referenced in the Fortinet PSIRT advisory for FortiMail, FortiRecorder, and FortiVoice.
- Restrict administrative access to trusted management networks and enforce multi-factor authentication for all administrator accounts.
- Rotate any user secrets, API keys, or credentials that may have been stored on affected devices prior to patching.
Patch Information
Fortinet has published guidance and fixed release information in the Fortinet Security Advisory FG-IR-26-080. Administrators should consult the advisory for the specific patched versions corresponding to their deployed FortiMail, FortiRecorder, or FortiVoice release train and upgrade accordingly.
Workarounds
- Limit the number of accounts with administrative CLI access and apply role-based access control to minimize exposure.
- Place management interfaces behind a dedicated out-of-band network reachable only through jump hosts with session recording.
- Audit existing administrator accounts and remove dormant or unnecessary privileged users until patching is complete.
# Example: restrict administrative access to a trusted subnet (FortiMail CLI)
config system accprofile
edit "admin_restricted"
set admingrp read
next
end
config system admin
edit "netops"
set trusthost1 10.10.0.0 255.255.255.0
set accprofile "admin_restricted"
next
end
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


