CVE-2025-54822 is an improper access control vulnerability classified under CWE-285, affecting Fortinet FortiProxy and FortiOS products across multiple versions (FortiProxy 2.0.0, 7.0.x, 7.2.x, 7.4.x and FortiOS 7.0.x, 7.2.x, 7.4.x). The vulnerability arises from insufficient authorization checks when handling HTTP or HTTPS requests targeting static files associated with different Virtual Domains (VDOMs). VDOMs are logical partitions within Fortinet devices that allow segmentation of network traffic and administrative domains. Due to this flaw, an authenticated attacker with limited privileges can craft specific requests to access static files belonging to other VDOMs, thereby bypassing intended access restrictions. This exposure can lead to unauthorized disclosure of sensitive configuration or operational data stored in these files. The vulnerability does not impact data integrity or availability, nor does it require user interaction, but it does require the attacker to have some level of authenticated access to the device. The CVSS v3.1 base score is 4.2, reflecting a medium severity primarily due to the confidentiality impact and the requirement for authentication. No public exploit code or active exploitation has been reported as of the publication date. The vulnerability affects a broad range of Fortinet products widely deployed in enterprise and service provider environments, especially where multi-VDOM configurations are used for network segmentation and management.

For European organizations, the impact of CVE-2025-54822 centers on unauthorized disclosure of sensitive information across VDOM boundaries within Fortinet FortiProxy and FortiOS devices. Many enterprises and service providers in Europe rely on Fortinet products for secure network segmentation and traffic management. Exploitation could allow attackers with authenticated access—potentially via compromised credentials or insider threats—to access static files containing configuration data or other sensitive information from other VDOMs, potentially exposing network topology, security policies, or other confidential data. While the vulnerability does not allow modification or disruption of services, the confidentiality breach could facilitate further attacks or lateral movement within segmented networks. This risk is particularly relevant for organizations with strict data protection requirements under GDPR, as unauthorized data exposure could lead to compliance violations and reputational damage. The absence of known exploits reduces immediate risk, but the medium severity rating and broad product impact necessitate timely mitigation to prevent potential exploitation.

To mitigate CVE-2025-54822, European organizations should: 1) Immediately identify and inventory all Fortinet FortiProxy and FortiOS devices running affected versions, especially those configured with multiple VDOMs. 2) Apply vendor-supplied patches or updates as soon as they become available; monitor Fortinet advisories closely since no patch links were provided at the time of disclosure. 3) Restrict administrative and user access to Fortinet devices to the minimum necessary privileges, enforcing strong authentication mechanisms such as multi-factor authentication (MFA). 4) Monitor device logs for unusual HTTP/HTTPS requests that may indicate attempts to access unauthorized VDOM files. 5) Implement network segmentation and access controls to limit exposure of management interfaces to trusted networks only. 6) Conduct regular security audits and penetration tests focusing on multi-VDOM configurations to detect potential access control weaknesses. 7) Educate administrators about the risks of improper access control and the importance of promptly applying security updates. These steps will reduce the attack surface and help prevent exploitation of the vulnerability.