
CVE-2025-46752: Information disclosure in Fortinet FortiDLP

Severity: Medium
Published: Thu Oct 16 2025 (10/16/2025, 14:00:30 UTC)
Source: CVE Database V5
Vendor/Project: Fortinet
Product: FortiDLP

Description

An insertion of sensitive information into a log file in Fortinet FortiDLP 12.0.0 through 12.0.5, 11.5.1, 11.4.6 and 11.4.5 allows an attacker to achieve information disclosure by re-using the enrollment code.

AI-Powered Analysis

AI analysis last updated: 01/14/2026, 14:56:23 UTC

Technical Analysis

CVE-2025-46752 is an information disclosure vulnerability in Fortinet FortiDLP versions 11.4.5, 11.4.6, 11.5.1, and 12.0.0 through 12.0.5. The flaw stems from improper handling of sensitive data, which is written into log files during the enrollment process. An attacker with low privileges and local access can reuse the enrollment code to reach these logs and extract the sensitive information they contain. Exploitation does not require user interaction, but it does require some level of privilege (PR:L) and local access (AV:L), which rules out direct remote exploitation. The primary impact is on confidentiality; the analysis notes no integrity or availability impact, although the published CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N) records a low integrity impact (I:L) alongside low attack complexity and low privileges required, with the local access requirement reducing the attack surface. No public exploits or active exploitation have been reported, but the vulnerability poses a risk to organizations that rely on FortiDLP for data loss prevention, especially where enrollment codes and logs contain sensitive information. Fortinet has not yet published patches or mitigation details, so organizations must monitor for updates and implement compensating controls in the meantime.

Potential Impact

For European organizations, the primary impact is the potential exposure of sensitive information through log files, which could lead to unauthorized data disclosure. This is particularly concerning for sectors handling confidential or regulated data, such as finance, healthcare, and government. The local access requirement means that attackers would need to compromise internal systems or gain insider access, which could be facilitated by phishing or lateral movement after initial compromise. The vulnerability could undermine trust in data loss prevention controls and complicate compliance with GDPR and other data protection regulations if sensitive data is leaked. Although no integrity or availability impact is noted, the confidentiality breach alone can result in reputational damage, regulatory fines, and operational disruptions. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially in targeted attacks against high-value European entities.

Mitigation Recommendations

Organizations should immediately inventory their FortiDLP deployments to identify affected versions (11.4.5, 11.4.6, 11.5.1, 12.0.0 to 12.0.5). Until official patches are released, restrict local access to FortiDLP systems to trusted administrators only and enforce strict access controls on log files to prevent unauthorized reading. Monitor logs for unusual access patterns or attempts to reuse enrollment codes. Implement network segmentation to limit lateral movement and reduce the risk of privilege escalation leading to local access. Review and rotate enrollment codes regularly to invalidate any potentially compromised codes. Employ endpoint detection and response (EDR) tools to detect suspicious activities related to FortiDLP components. Stay updated with Fortinet advisories for patches and apply them promptly once available. Additionally, conduct security awareness training to reduce insider threats and phishing risks that could lead to local access.


Technical Details

Data Version: 5.1
Assigner Short Name: fortinet
Date Reserved: 2025-04-29T00:20:46.508Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68f0fda89f8a5dbaead8916c

Added to database: 10/16/2025, 2:14:00 PM

Last enriched: 1/14/2026, 2:56:23 PM

Last updated: 1/18/2026, 2:51:28 AM

