CVE-2025-55717
Status: Received - Intake
Cleartext Sensitive Data Exposure in Fortinet FortiMail and FortiRecorder

Publication date: 2026-03-10

Last updated on: 2026-03-12

Assigner: Fortinet, Inc.

Description
A cleartext storage of sensitive information vulnerability [CWE-312] in Fortinet FortiMail 7.6.0 through 7.6.2, FortiMail 7.4.0 through 7.4.4, FortiMail 7.2.0 through 7.2.7, FortiMail 7.0.0 through 7.0.8, FortiRecorder 7.2.0 through 7.2.3, FortiRecorder 7.0 all versions, FortiRecorder 6.4 all versions, FortiVoice 7.2.0, FortiVoice 7.0.0 through 7.0.6 may allow an authenticated malicious administrator to obtain users' secrets via CLI commands. Practical exploitability is limited by conditions out of the control of the attacker: an admin must log in to the targeted device.
Meta Information
Published: 2026-03-10
Last Modified: 2026-03-12
Generated: 2026-05-07
AI Q&A: 2026-03-10
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (7 associated CPEs)

Vendor    Product        Version / Range
fortinet  fortivoice     From 7.0.0 (inc) to 7.0.7 (exc)
fortinet  fortivoice     7.2.0
fortinet  fortirecorder  From 6.4.0 (inc) to 7.2.4 (exc)
fortinet  fortimail      From 7.0.0 (inc) to 7.0.9 (exc)
fortinet  fortimail      From 7.2.0 (inc) to 7.2.8 (exc)
fortinet  fortimail      From 7.4.0 (inc) to 7.4.5 (exc)
fortinet  fortimail      From 7.6.0 (inc) to 7.6.3 (exc)
CWE ID   Description
CWE-312  The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability involves the cleartext storage of sensitive information in certain Fortinet products, including FortiMail, FortiRecorder, and FortiVoice across various versions. An authenticated malicious administrator who has logged into the device via CLI commands may be able to obtain users' secrets due to this flaw.

However, the exploitability of this vulnerability is limited because the attacker must already have administrative access and be able to log into the targeted device.

How can this vulnerability impact me?

If exploited, this vulnerability could allow a malicious administrator to access sensitive user information stored in cleartext on the affected devices.

This could lead to unauthorized disclosure of confidential data, potentially compromising user privacy and security.

However, since the attacker must have high-level privileges and physical or remote access to the device, the risk is somewhat mitigated.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know
What immediate steps should I take to mitigate this vulnerability?

I don't know
