CVE-2025-59808

Description

An unverified password change vulnerability [CWE-620] vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.2, FortiSOAR PaaS 7.5.0 through 7.5.1, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.0 through 7.6.2, FortiSOAR on-premise 7.5.0 through 7.5.1, FortiSOAR on-premise 7.4 all versions, FortiSOAR on-premise 7.3 all versions may allow an attacker who has already gained access to a victim's user account to reset the account credentials without being prompted for the account's password

CVSS breakdown

Affected products

• fortinet / fortisoaron-premise7.3.1 – 7.3.1
• fortinet / fortisoaron-premise7.3.0 – 7.3.0
• fortinet / fortisoaron-premise7.6.2 – 7.6.2
• fortinet / fortisoaron-premise7.6.1 – 7.6.1
• fortinet / fortisoaron-premise7.6.0 – 7.6.0
• fortinet / fortisoaron-premise7.5.1 – 7.5.1
• fortinet / fortisoaron-premise7.5.0 – 7.5.0
• fortinet / fortisoaron-premise7.4.5 – 7.4.5
• fortinet / fortisoaron-premise7.4.4 – 7.4.4
• fortinet / fortisoaron-premise7.4.3 – 7.4.3
• fortinet / fortisoaron-premise7.4.2 – 7.4.2
• fortinet / fortisoaron-premise7.4.1 – 7.4.1
• fortinet / fortisoaron-premise7.4.0 – 7.4.0
• fortinet / fortisoaron-premise7.3.3 – 7.3.3
• fortinet / fortisoaron-premise7.3.2 – 7.3.2
• fortinet / fortisoarpaas7.3.0 – 7.3.0
• fortinet / fortisoarpaas7.4.4 – 7.4.4
• fortinet / fortisoarpaas7.6.2 – 7.6.2
• fortinet / fortisoarpaas7.6.1 – 7.6.1
• fortinet / fortisoarpaas7.6.0 – 7.6.0
• fortinet / fortisoarpaas7.5.1 – 7.5.1
• fortinet / fortisoarpaas7.5.0 – 7.5.0
• fortinet / fortisoarpaas7.4.3 – 7.4.3
• fortinet / fortisoarpaas7.4.2 – 7.4.2
• fortinet / fortisoarpaas7.4.1 – 7.4.1
• fortinet / fortisoarpaas7.4.0 – 7.4.0
• fortinet / fortisoarpaas7.3.3 – 7.3.3
• fortinet / fortisoarpaas7.3.2 – 7.3.2
• fortinet / fortisoarpaas7.3.1 – 7.3.1
• fortinet / fortisoarpaas7.4.5 – 7.4.5

References

• VENDOR_ADVISORYhttps://fortiguard.fortinet.com/psirt/FG-IR-25-599