CVE-2025-54658: Escalation of privilege in Fortinet FortiDLP
An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability [CWE-22] in Fortinet FortiDLP Agent's Outlookproxy plugin for MacOS 11.5.1 and 11.4.2 through 11.4.6 and 11.3.2 through 11.3.4 and 11.2.0 through 11.2.3 and 11.1.1 through 11.1.2 and 11.0.1 and 10.5.1 and 10.4.0, and 10.3.1 may allow an authenticated attacker to escalate their privilege to Root via sending a crafted request to a local listening port.
AI Analysis
Technical Summary
CVE-2025-54658 is a path traversal vulnerability (CWE-22) in the Fortinet FortiDLP Agent's Outlookproxy plugin for macOS, affecting the specific agent releases enumerated in the description above (spanning 10.3.1 to 11.5.1). The plugin exposes a local listening port; an authenticated local user can send it a crafted request whose pathname escapes the directory the plugin is meant to be confined to. Because the plugin runs with elevated privileges, this improper pathname limitation lets the attacker escalate from a lower-privileged account to root, gaining full control of the affected system. The vulnerability is rated high severity with a CVSS 3.1 score of 7.2, reflecting its impact on confidentiality, integrity, and availability. The attack vector is local (AV:L), with low attack complexity (AC:L), low privileges required (PR:L), and no user interaction (UI:N). Scope is unchanged (S:U), meaning the impact is confined to the vulnerable component and the host it runs on. Exploitation could allow an attacker to read or manipulate sensitive data, disrupt system operations, or install persistent malware. Although no public exploits are known at this time, the combination of a locally reachable listening port and a root-level outcome makes this a serious concern wherever FortiDLP is deployed on macOS. Fortinet has not yet released patches or mitigation guidance, which increases the urgency of compensating controls.
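To make the weakness class concrete, the following added example (not FortiDLP code; it models a hypothetical privileged local service that maps a client-supplied relative path onto a fixed base directory) contrasts a naive join with a canonicalising, confined resolver, and exercises both against `../` traversal, an absolute path, and a symlink that points outside the base directory:

```python
# Added illustration of CWE-22 in a privileged local service; hypothetical,
# not FortiDLP code. Assumes the service receives a relative path from a
# local client and must keep file access inside base_dir.
import os
import tempfile

def vulnerable_resolve(base_dir: str, requested: str) -> str:
    """Naive join: '../' segments, absolute paths and symlinks all escape base_dir."""
    return os.path.join(base_dir, requested)

def confined_resolve(base_dir: str, requested: str) -> str:
    """Canonicalise both sides, then require the target to remain under base_dir."""
    base = os.path.realpath(base_dir)
    if os.path.isabs(requested):          # join() would discard base_dir entirely
        raise PermissionError("absolute path rejected")
    target = os.path.realpath(os.path.join(base, requested))  # follows symlinks
    # commonpath avoids the 'base' vs 'base2' prefix trap of a plain startswith()
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"path escapes base directory: {requested}")
    return target

def demo() -> dict:
    """Run both resolvers over constructed traversal attempts in a temp tree."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "plugin_data")
        outside = os.path.join(tmp, "secret.txt")      # file the plugin must not reach
        os.mkdir(base)
        open(outside, "w").close()
        os.symlink(outside, os.path.join(base, "link"))  # symlink inside base -> outside
        real_base = os.path.realpath(base)
        attempts = [("dotdot", "../secret.txt"), ("nested", "sub/../../secret.txt"),
                    ("symlink", "link"), ("absolute", outside), ("normal", "ok.txt")]
        for label, requested in attempts:
            naive = os.path.realpath(vulnerable_resolve(base, requested))
            entry = {"naive_escapes": os.path.commonpath([real_base, naive]) != real_base}
            try:
                confined_resolve(base, requested)
                entry["confined"] = "allowed"
            except PermissionError:
                entry["confined"] = "blocked"
            results[label] = entry
    return results

if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:9s} naive_escapes={outcome['naive_escapes']} confined={outcome['confined']}")
```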
Potential Impact
For European organizations, the impact of CVE-2025-54658 is substantial, especially those relying on Fortinet FortiDLP for data loss prevention on macOS endpoints. Successful exploitation leads to root-level access, compromising system confidentiality and integrity, and potentially causing availability disruptions. This could result in unauthorized data access, manipulation, or deletion, undermining compliance with GDPR and other data protection regulations. Critical sectors such as finance, healthcare, and government, which often deploy FortiDLP for sensitive data monitoring, face heightened risks of data breaches and operational disruptions. The requirement for local authentication limits remote exploitation but does not eliminate risk, as insider threats or compromised user accounts could trigger attacks. The lack of known exploits currently provides a window for proactive defense, but the vulnerability's nature demands urgent attention to prevent escalation and lateral movement within networks.
Mitigation Recommendations
Given the absence of official patches, European organizations should implement immediate compensating controls. Restrict local access to macOS systems running FortiDLP, enforcing strict user authentication and limiting administrative privileges. Monitor and restrict access to the local listening port used by the Outlookproxy plugin through host-based firewalls or endpoint security solutions. Employ application whitelisting and behavior monitoring to detect anomalous requests or privilege escalation attempts. Regularly audit user accounts and session activities to identify suspicious local interactions. Coordinate with Fortinet support for any available interim fixes or configuration changes that reduce exposure. Plan for rapid deployment of official patches once released. Additionally, educate users about the risks of local privilege escalation and enforce strong endpoint security hygiene to minimize insider threat vectors.
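One way to act on the "monitor the local listening port" recommendation above is to baseline root-owned loopback listeners on each macOS endpoint and alert on changes. The added helper below is not a Fortinet tool; it parses `lsof -nP -iTCP -sTCP:LISTEN` output (a constructed sample is embedded, and the process names in it are placeholders, since the advisory does not name the plugin's process or port):

```python
# Added defender-side helper, not Fortinet code: inventories root-owned TCP
# listeners bound to loopback from lsof output and diffs them against a baseline.
import subprocess

LOOPBACK = ("127.0.0.1", "localhost", "[::1]")

def parse_listeners(lsof_text: str) -> list:
    """Parse `lsof -nP -iTCP -sTCP:LISTEN` rows into command/pid/user/address dicts."""
    rows = []
    for line in lsof_text.splitlines()[1:]:          # first line is the column header
        fields = line.split()
        if len(fields) < 5 or fields[-1] != "(LISTEN)":
            continue
        # the bound socket is the only field shaped like host:port after the FD column
        addr = next((f for f in fields[3:] if ":" in f and f != "TCP"), None)
        if addr is None:
            continue
        rows.append({"command": fields[0], "pid": int(fields[1]),
                     "user": fields[2], "address": addr})
    return rows

def privileged_loopback_listeners(rows: list) -> list:
    """Root-owned sockets bound only to loopback: unreachable from the network,
    but reachable by every local account, which is the exposure the advisory describes."""
    return [r for r in rows
            if r["user"] == "root" and r["address"].rsplit(":", 1)[0] in LOOPBACK]

def new_listeners(baseline: list, current: list) -> list:
    """Listeners present now but absent from a previously recorded baseline."""
    known = {(r["command"], r["address"]) for r in baseline}
    return [r for r in current if (r["command"], r["address"]) not in known]

def live_rows() -> list:
    """Collect the current table on a real macOS host (needs lsof; not used in tests)."""
    out = subprocess.run(["lsof", "-nP", "-iTCP", "-sTCP:LISTEN"],
                         capture_output=True, text=True, check=False).stdout
    return parse_listeners(out)

# Constructed sample output; 'agentproxy' is a placeholder, not the real plugin name.
SAMPLE = """\
COMMAND      PID USER   FD  TYPE DEVICE SIZE/OFF NODE NAME
launchd        1 root    8u IPv4 0xa1   0t0      TCP  *:22 (LISTEN)
agentproxy   512 root   12u IPv4 0xa2   0t0      TCP  127.0.0.1:9001 (LISTEN)
Python       777 alice   5u IPv4 0xa3   0t0      TCP  127.0.0.1:8000 (LISTEN)
rapportd     333 alice   4u IPv6 0xa4   0t0      TCP  [::1]:49152 (LISTEN)
"""
```

Record `privileged_loopback_listeners(live_rows())` at deployment time as the baseline, then have a periodic job report `new_listeners()` so an unexpected privileged local service stands out.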
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: fortinet
- Date Reserved: 2025-07-28T09:23:38.062Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68f0fda89f8a5dbaead89175
Added to database: 10/16/2025, 2:14:00 PM
Last enriched: 1/14/2026, 2:59:23 PM
Last updated: 1/18/2026, 9:59:18 PM