Severity
Medium
Analysis Summary
CVE-2025-59810 CVSS:6.5
Fortinet FortiSOAR PaaS and FortiSOAR on-premise allow information disclosure to an authenticated attacker using specially crafted requests, caused by an improper access control vulnerability.
CVE-2025-59808 CVSS:6.8
Fortinet FortiSOAR PaaS and FortiSOAR on-premise allow an attacker who has already gained access to a victim's user account to reset the account credentials without being prompted for the account's password, caused by an unverified password change vulnerability.
CVE-2025-61631 CVSS:5.6
Fortinet FortiOS allows an attacker to maintain access to network resources via an active SSL VPN session that is not terminated after a user's password change, under particular conditions outside of the attacker's control, caused by an insufficient session expiration vulnerability.
CVE-2025-64156 CVSS:7.2
Fortinet FortiVoice is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database.
CVE-2025-59923 CVSS:2.7
Fortinet FortiAuthenticator may allow an authenticated attacker with at least read-only admin permission to obtain the credentials of other administrators' messaging services via crafted requests, caused by an improper access control vulnerability.
Impact
- Gain Access
- Data Manipulation
- Information Disclosure
Indicators of Compromise
CVE
CVE-2025-59810
CVE-2025-59808
CVE-2025-61631
CVE-2025-64156
CVE-2025-59923
Affected Vendors
- Fortinet
Affected Products
- Fortinet FortiSOAR on-premise 7.6.0
- Fortinet FortiSOAR PaaS
- Fortinet FortiVoice 7.2.0
- Fortinet FortiAuthenticator 6.6.0
Remediation
Refer to the Fortinet Security Advisory for patch, upgrade, or suggested workaround information.