Main Vulnerability Database Vulnerabilities #VU119451

Direct Request ('Forced Browsing') in FortiAuthenticator - CVE-2025-57823

Published: December 9, 2025

Vulnerability identifier: #VU119451

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2025-57823

CWE-ID: CWE-425

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Fortinet, Inc

Affected software:
FortiAuthenticator

Detailed vulnerability description

The vulnerability allows a remote privileged user to gain access to sensitive information.

The vulnerability exists due to direct request ('forced browsing') on log access. An authenticated attacker with at least sponsor permissions can read and download device logs via accessing specific endpoints.

How to mitigate CVE-2025-57823

Install update from vendor's website.

Sources

https://www.fortiguard.com/psirt/FG-IR-25-554

Direct Request ('Forced Browsing') in FortiAuthenticator - CVE-2025-57823

Detailed vulnerability description

How to mitigate CVE-2025-57823

Sources

Please verify you're human