CVE-2025-52970
BaseFortify
Publication date: 2025-08-12
Last updated on: 2025-08-15
Assigner: Fortinet, Inc.
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fortinet | fortiweb | From 7.0.0 (inc) to 7.0.11 (exc) |
| fortinet | fortiweb | From 7.2.0 (inc) to 7.2.11 (exc) |
| fortinet | fortiweb | From 7.4.0 (inc) to 7.4.8 (exc) |
| fortinet | fortiweb | From 7.6.0 (inc) to 7.6.4 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-233 | The product does not properly handle when the expected number of parameters, fields, or arguments is not provided in input, or if those parameters are undefined. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is due to improper handling of parameters in certain versions of Fortinet FortiWeb. It allows an unauthenticated remote attacker, who has some non-public information about the device and targeted user, to send a specially crafted request that can grant them administrative privileges on the device.
How can this vulnerability impact me?
If exploited, this vulnerability can allow an attacker to gain admin privileges on the affected Fortinet FortiWeb device without authentication. This could lead to full control over the device, potentially compromising the security and availability of the protected network and applications.