CVE-2025-57823 is a vulnerability in Fortinet FortiAuthenticator versions 6.3.x through 6.6.6 that allows an authenticated attacker with sponsor-level permissions to perform forced browsing attacks to read and download device logs. FortiAuthenticator is a device used for identity and access management, including multi-factor authentication and single sign-on. The vulnerability arises because certain endpoints exposing device logs are accessible without proper authorization checks beyond the sponsor role. An attacker who has at least sponsor privileges can directly request these endpoints and retrieve sensitive log data, which may include authentication attempts, user activity, or system events. This information disclosure does not allow modification of logs or disruption of service, and no user interaction beyond authentication is required. The CVSS 3.1 score of 2.6 reflects a low severity impact, primarily due to the limited confidentiality impact and the requirement for elevated privileges (PR:H). The attack vector is network-based (AV:N), and no user interaction is needed (UI:N). No known exploits have been reported in the wild as of the publication date. The vulnerability was reserved in August 2025 and published in December 2025. Fortinet has not yet published patches or mitigation guidance, but standard best practices apply. This vulnerability could be leveraged by malicious insiders or attackers who have compromised sponsor-level accounts to gather intelligence for further attacks or lateral movement.

For European organizations, the primary impact of CVE-2025-57823 is the unauthorized disclosure of sensitive device logs from FortiAuthenticator appliances. These logs may contain detailed authentication records, user activity, and system events that could reveal internal network structure, user behavior, or security controls. Exposure of such information can facilitate targeted attacks, social engineering, or privilege escalation attempts. Although the vulnerability does not allow direct system compromise or service disruption, the leakage of logs can undermine confidentiality and aid attackers in reconnaissance. Organizations in sectors with strict data protection requirements, such as finance, healthcare, and government, may face compliance risks if sensitive information is exposed. The requirement for sponsor-level authentication limits the scope to insiders or attackers who have already gained elevated access, reducing the likelihood of widespread exploitation. However, given the critical role of FortiAuthenticator in identity management, any compromise or information leakage can have cascading effects on overall security posture.

To mitigate CVE-2025-57823, organizations should first audit and restrict sponsor-level permissions to only trusted personnel, minimizing the number of users who can exploit this vulnerability. Implement strict access controls and monitor logs for unusual access patterns to the FortiAuthenticator device, especially attempts to access log endpoints. Network segmentation should be employed to limit access to FortiAuthenticator management interfaces to authorized administrators only. Fortinet customers should stay alert for official patches or updates addressing this vulnerability and apply them promptly once available. In the interim, consider disabling or restricting access to the vulnerable endpoints if feasible, or implement web application firewalls (WAFs) to detect and block forced browsing attempts. Regularly review and rotate credentials for sponsor accounts to reduce the risk of compromised credentials being used. Additionally, integrate FortiAuthenticator logs with centralized security information and event management (SIEM) systems to enhance detection of suspicious activities related to this vulnerability.