CVE-2025-59808Unverified Password Change in Fortinet Fortisoar

CWE-620Unverified Password Change4 documents4 sources
Severity
6.8MEDIUMNVD
EPSS
0.1%
top 76.46%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Fortinet FortisoarFortinet Fortisoar On-premiseFortinet Fortisoar Paas
Timeline
PublishedDec 9

Description

An unverified password change vulnerability [CWE-620] vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.2, FortiSOAR PaaS 7.5.0 through 7.5.1, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.0 through 7.6.2, FortiSOAR on-premise 7.5.0 through 7.5.1, FortiSOAR on-premise 7.4 all versions, FortiSOAR on-premise 7.3 all versions may allow an attacker who has already gained access to a victim's user account to reset the account credentials without b

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:HExploitability: 1.6 | Impact: 5.2

Affected Packages3 packages

CVEListV5fortinet/fortisoar_paas7.6.07.6.2+3
CVEListV5fortinet/fortisoar_on-premise7.6.07.6.2+3
NVDfortinet/fortisoar7.3.07.5.2+1

🔴Vulnerability Details

2
CVEList
CVE-2025-59808: An unverified password change vulnerability [CWE-620] vulnerability in Fortinet FortiSOAR PaaS 72025-12-09
GHSA
GHSA-787x-8wcq-jhq8: An unverified password change vulnerability [CWE-620] vulnerability in Fortinet FortiSOAR PaaS 72025-12-09

📋Vendor Advisories

1
Fortinet
Current password requirement bypass for self password change2025-12-09
CVE-2025-59808 — Unverified Password Change in Fortinet | cvebase