CVE-2025-54822 is an improper access control vulnerability classified under CWE-285 affecting Fortinet FortiProxy and FortiOS products. Specifically, versions 7.4.0 through 7.4.1 and versions prior to 7.2.8 are vulnerable. The flaw allows an authenticated attacker to bypass authorization checks and access static files belonging to other Virtual Domains (VDOMs) within the same FortiProxy or FortiOS instance. This is achieved by crafting specific HTTP or HTTPS requests that exploit the improper validation of access permissions across VDOM boundaries. VDOMs are logical partitions used to segregate network traffic and policies within a single device, often employed in multi-tenant or segmented environments. The vulnerability does not require user interaction but does require the attacker to have valid credentials with at least some level of access (PR:L in CVSS). The CVSS vector indicates network attack vector, low attack complexity, privileges required, no user interaction, unchanged scope, and limited confidentiality impact (partial data disclosure). No integrity or availability impacts are noted. The vulnerability was published on October 14, 2025, and no public exploits are known at this time. The lack of patch links suggests that remediation may be pending or that users should upgrade to versions beyond 7.4.1 or 7.2.8 where the issue is fixed. This vulnerability is significant in environments where multiple VDOMs are used to separate tenants or departments, as unauthorized access to static files could lead to leakage of sensitive configuration or operational data.

For European organizations, the primary impact of CVE-2025-54822 is the potential unauthorized disclosure of sensitive information stored in static files across VDOM boundaries. This can compromise confidentiality, especially in multi-tenant environments such as managed service providers, large enterprises, or government agencies that use FortiProxy or FortiOS to segment network traffic. Although the vulnerability does not affect integrity or availability, the exposure of sensitive files could lead to further attacks, including reconnaissance or lateral movement. Organizations handling regulated data under GDPR must consider the risk of data leakage and potential compliance violations. The requirement for authentication limits the attack surface to insiders or compromised accounts, but the ease of exploitation (low complexity) increases risk if credentials are leaked or weakly protected. The absence of known exploits provides a window for proactive mitigation. The impact is heightened in critical infrastructure sectors such as finance, energy, and telecommunications, where Fortinet devices are widely deployed and data confidentiality is paramount.

1. Immediately upgrade Fortinet FortiProxy and FortiOS to versions later than 7.4.1 and 7.2.8 respectively, where the vulnerability is patched. 2. Restrict administrative and management interface access to trusted networks and IP addresses using firewall rules and VPNs to reduce exposure to authenticated attackers. 3. Enforce strong authentication mechanisms, including multi-factor authentication (MFA), for all users with access to Fortinet devices to prevent credential compromise. 4. Regularly audit user accounts and permissions to ensure least privilege principles are applied, minimizing the number of users with access to VDOMs. 5. Monitor logs for unusual access patterns or attempts to access unauthorized VDOM resources, enabling early detection of exploitation attempts. 6. Segment network management traffic from general user traffic to reduce the risk of lateral movement. 7. Educate administrators on the risks of improper access control and the importance of timely patching. 8. If immediate patching is not possible, consider disabling or limiting the use of VDOMs or static file access features until a fix is applied.