CVE-2025-54658 is a path traversal vulnerability classified under CWE-22 found in the Outlookproxy plugin of Fortinet's FortiDLP Agent for macOS versions ranging from 10.3.1 up to 11.5.1. The flaw allows an authenticated attacker to send specially crafted requests to a local listening port on the affected system, bypassing pathname restrictions intended to limit access to sensitive directories. This improper limitation enables the attacker to escalate their privileges from a limited user to root, effectively gaining full control over the system. The vulnerability does not require user interaction and has low attack complexity, but does require the attacker to be authenticated on the system. The impact covers confidentiality, integrity, and availability, as root access allows arbitrary code execution, data exfiltration, and system disruption. FortiDLP is a data loss prevention solution widely used in enterprise environments to monitor and protect sensitive data, making this vulnerability particularly concerning. Although no exploits have been reported in the wild yet, the vulnerability's characteristics and the critical nature of the affected product underscore the urgency of mitigation. The CVSS v3.1 base score is 7.2, with vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C, indicating local attack vector, low complexity, required privileges, no user interaction, and full impact on confidentiality, integrity, and availability. The vulnerability was reserved in July 2025 and published in October 2025, with Fortinet as the assigner.

For European organizations, this vulnerability poses a significant risk due to the potential for attackers to gain root access on macOS systems running FortiDLP. Such access can lead to unauthorized disclosure of sensitive data, manipulation or deletion of critical information, and disruption of data loss prevention capabilities. Given FortiDLP's role in protecting intellectual property and compliance-related data, exploitation could result in regulatory penalties under GDPR and damage to organizational reputation. The local attack vector means that attackers must have some level of access, such as compromised credentials or insider threat scenarios, which are realistic in targeted attacks. The lack of required user interaction facilitates automated exploitation once authenticated access is obtained. The vulnerability could also be leveraged as a pivot point for lateral movement within networks, increasing the scope of compromise. European sectors with high reliance on Fortinet solutions and macOS endpoints, such as finance, healthcare, and government, face elevated risks. The absence of known exploits in the wild provides a window for proactive defense, but the high impact and ease of exploitation necessitate urgent mitigation.

European organizations should immediately verify the presence of affected FortiDLP versions on macOS endpoints and prioritize upgrading to patched versions once available from Fortinet. In the interim, restrict access to the local listening port used by the Outlookproxy plugin through host-based firewalls or network segmentation to limit exposure. Implement strict access controls and monitor authentication logs for unusual activity that could indicate attempts to exploit this vulnerability. Employ endpoint detection and response (EDR) solutions to detect privilege escalation behaviors and anomalous process executions. Conduct regular audits of user privileges to minimize the number of accounts with local access. Educate users and administrators about the risks of credential compromise and enforce strong authentication mechanisms such as multi-factor authentication (MFA). Collaborate with Fortinet support to obtain any available patches or workarounds and stay informed about updates or exploit disclosures. Finally, integrate this vulnerability into incident response plans to ensure rapid containment if exploitation is detected.