#VU111052 Improper handling of insufficient permissions or privileges in FortiPAM and FortiSRA - CVE-2025-22256

Cybersecurity Help s.r.o.

Published: 2025-06-11

Vulnerability identifier: #VU111052

Vulnerability risk: Low

CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2025-22256

CWE-ID: CWE-280

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
FortiPAM
Server applications / Directory software, identity management
FortiSRA
Server applications / IDS/IPS systems, Firewalls and proxy servers

Vendor: Fortinet, Inc

Description

The vulnerability allows a remote authenticated user to read and manipulate data.

The vulnerability exists due to improper handling of insufficient permissions or privileges in GUI websocket. A remote authenticated user can exploit this vulnerability to read and manipulate data.

Mitigation
Install update from vendor's website.

Vulnerable software versions

FortiPAM: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.1.0, 1.1.1, 1.1.2, 1.2.0, 1.3.0, 1.4.0, 1.4.1

FortiSRA: 1.4.0 - 1.4.1

External links
https://www.fortiguard.com/psirt/FG-IR-25-008

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Improper handling of insufficient permissions or privileges in FortiPAM and FortiSRA