CVE-2025-59808

Summary

An unverified password change vulnerability [CWE-620] vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.2, FortiSOAR PaaS 7.5.0 through 7.5.1, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.0 through 7.6.2, FortiSOAR on-premise 7.5.0 through 7.5.1, FortiSOAR on-premise 7.4 all versions, FortiSOAR on-premise 7.3 all versions may allow an attacker who has already gained access to a victim's user account to reset the account credentials without being prompted for the account's password

Affected Software

VendorProductVersion RangeStatus
FortinetFortiSOAR on-premise7.6.0 <= 7.6.2affected
FortinetFortiSOAR on-premise7.5.0 <= 7.5.1affected
FortinetFortiSOAR on-premise7.4.0 <= 7.4.5affected
FortinetFortiSOAR on-premise7.3.0 <= 7.3.3affected
FortinetFortiSOAR PaaS7.6.0 <= 7.6.2affected
FortinetFortiSOAR PaaS7.5.0 <= 7.5.1affected
FortinetFortiSOAR PaaS7.4.0 <= 7.4.5affected
FortinetFortiSOAR PaaS7.3.0 <= 7.3.3affected

Weaknesses

  • CWE-620: Improper access control

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References