CVE-2025-48418

Summary

A hidden functionality vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.3, FortiAnalyzer 7.4.0 through 7.4.7, FortiAnalyzer 7.2.0 through 7.2.10, FortiAnalyzer 7.0.0 through 7.0.14, FortiAnalyzer 6.4 all versions, FortiAnalyzer Cloud 7.6.2, FortiAnalyzer Cloud 7.4.1 through 7.4.7, FortiAnalyzer Cloud 7.2.1 through 7.2.10, FortiAnalyzer Cloud 7.0.1 through 7.0.14, FortiAnalyzer Cloud 6.4 all versions, FortiManager 7.6.0 through 7.6.3, FortiManager 7.4.0 through 7.4.7, FortiManager 7.2.0 through 7.2.10, FortiManager 7.0.0 through 7.0.14, FortiManager 6.4 all versions, FortiManager Cloud 7.6.2 through 7.6.3, FortiManager Cloud 7.4.1 through 7.4.7, FortiManager Cloud 7.2.1 through 7.2.10, FortiManager Cloud 7.0.1 through 7.0.14, FortiManager Cloud 6.4 all versions may allow a remote authenticated read-only admin with CLI access to escalate their privilege via use of a hidden command.

Affected Software

VendorProductVersion RangeStatus
FortinetFortiAnalyzer7.6.0 <= 7.6.3affected
FortinetFortiAnalyzer7.4.0 <= 7.4.7affected
FortinetFortiAnalyzer7.2.0 <= 7.2.10affected
FortinetFortiAnalyzer7.0.0 <= 7.0.14affected
FortinetFortiAnalyzer6.4.0 <= 6.4.15affected
FortinetFortiAnalyzer Cloud7.6.2affected
FortinetFortiAnalyzer Cloud7.4.1 <= 7.4.7affected
FortinetFortiAnalyzer Cloud7.2.1 <= 7.2.10affected
FortinetFortiAnalyzer Cloud7.0.1 <= 7.0.14affected
FortinetFortiAnalyzer Cloud6.4.1 <= 6.4.7affected
FortinetFortiManager7.6.0 <= 7.6.3affected
FortinetFortiManager7.4.0 <= 7.4.7affected
FortinetFortiManager7.2.0 <= 7.2.10affected
FortinetFortiManager7.0.0 <= 7.0.14affected
FortinetFortiManager6.4.0 <= 6.4.15affected
FortinetFortiManager Cloud7.6.2 <= 7.6.3affected
FortinetFortiManager Cloud7.4.1 <= 7.4.7affected
FortinetFortiManager Cloud7.2.1 <= 7.2.10affected
FortinetFortiManager Cloud7.0.1 <= 7.0.14affected
FortinetFortiManager Cloud6.4.1 <= 6.4.7affected

Weaknesses

  • CWE-912: Escalation of privilege

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References