
CVE-2025-59808: Improper access control in Fortinet FortiSOAR on-premise

Severity: Medium
Published: Tue Dec 09 2025 (12/09/2025, 17:19:06 UTC)
Source: CVE Database V5
Vendor/Project: Fortinet
Product: FortiSOAR on-premise

Description

An unverified password change vulnerability [CWE-620] in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.2, FortiSOAR PaaS 7.5.0 through 7.5.1, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.0 through 7.6.2, FortiSOAR on-premise 7.5.0 through 7.5.1, FortiSOAR on-premise 7.4 all versions, FortiSOAR on-premise 7.3 all versions may allow an attacker who has already gained access to a victim's user account to reset the account credentials without being prompted for the account's password.

AI-Powered Analysis

AI analysis last updated: 01/14/2026, 15:03:12 UTC

Technical Analysis

CVE-2025-59808 is an improper access control vulnerability identified in Fortinet FortiSOAR on-premise and PaaS versions 7.3.0 through 7.6.2. The flaw allows an attacker who has already gained access to a victim’s user account to reset the account’s password without providing the current password, violating standard authentication controls (CWE-620). This vulnerability arises from insufficient verification during the password change process, enabling unauthorized credential modification. The attacker requires low privileges (PR:L) and network access (AV:N) but does not require user interaction (UI:N). The vulnerability affects the integrity and availability of the system by allowing attackers to escalate privileges or lock out legitimate users, potentially disrupting security operations managed through FortiSOAR. The CVSS v3.1 score of 6.5 reflects medium severity, with high impact on integrity and availability, and exploitation complexity rated as high due to the prerequisite of existing account access. No public exploits have been reported yet, but the vulnerability is publicly disclosed and should be addressed promptly. FortiSOAR is widely used for security orchestration, automation, and response (SOAR), making this vulnerability critical in environments relying on automated incident response workflows.
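The CWE-620 weakness described above is easiest to see as a pair of password-change handlers: one that treats a valid session as sufficient authorization, and one that re-authenticates with the current password first. The following is an added illustration written for this page; it is generic Python, not FortiSOAR code, and the user store, session model and function names are hypothetical.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Hypothetical in-memory user record for the demonstration; the real
# FortiSOAR data model is not known to this page and is not reproduced here.
@dataclass
class User:
    username: str
    salt: bytes
    pw_hash: bytes
    sessions: set = field(default_factory=set)  # active session identifiers


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_user(username: str, password: str) -> User:
    salt = os.urandom(16)
    return User(username, salt, _hash_password(password, salt))


def verify_password(user: User, password: str) -> bool:
    # Constant-time comparison so the check does not leak hash bytes via timing.
    return hmac.compare_digest(_hash_password(password, user.salt), user.pw_hash)


def change_password_unverified(user: User, session_id: str, new_password: str) -> bool:
    """CWE-620 pattern: holding a valid session is the only check performed.

    Whoever controls the session (stolen cookie, unattended workstation,
    phished token) can replace the credential without knowing the old one.
    """
    if session_id not in user.sessions:
        return False
    user.salt = os.urandom(16)
    user.pw_hash = _hash_password(new_password, user.salt)
    return True


def change_password_verified(user: User, session_id: str,
                             current_password: str, new_password: str) -> bool:
    """Hardened form: require the current password, then revoke every other
    session so a hijacked session loses access once the credential changes."""
    if session_id not in user.sessions:
        return False
    if not verify_password(user, current_password):
        return False
    user.salt = os.urandom(16)
    user.pw_hash = _hash_password(new_password, user.salt)
    user.sessions = {session_id}
    return True


def demo() -> dict:
    """Constructed scenario: an attacker holds a session but not the password."""
    original = "correct horse battery staple"

    weak = create_user("analyst", original)
    weak.sessions.update({"victim-session", "hijacked-session"})
    unverified_ok = change_password_unverified(weak, "hijacked-session", "attacker-chosen")
    takeover = verify_password(weak, "attacker-chosen")

    hardened = create_user("analyst", original)
    hardened.sessions.update({"victim-session", "hijacked-session"})
    verified_ok = change_password_verified(hardened, "hijacked-session", "wrong guess", "attacker-chosen")
    original_intact = verify_password(hardened, original)

    return {
        "unverified_change_succeeded": unverified_ok,   # True: the weakness
        "unverified_takeover": takeover,                # True: new password now works
        "verified_change_refused": not verified_ok,     # True: hardened handler blocks it
        "original_password_intact": original_intact,    # True: victim still has access
    }


if __name__ == "__main__":
    print(demo())
```

The session revocation in the hardened handler is the second half of the fix: re-authentication stops a hijacked session from changing the password, and dropping other sessions after a legitimate change evicts anyone who was riding along.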

Potential Impact

For European organizations, this vulnerability could lead to unauthorized account takeovers within FortiSOAR platforms, undermining the integrity of automated security operations and incident response processes. Attackers exploiting this flaw could disrupt security workflows, disable or manipulate automated responses, and potentially gain further access to connected security tools and data. This could result in delayed detection and response to cyber incidents, increasing the risk of data breaches or operational disruptions. Organizations in critical infrastructure sectors such as finance, energy, and government, which heavily rely on FortiSOAR for security automation, face heightened risks. The vulnerability could also facilitate lateral movement within networks if attackers leverage compromised FortiSOAR accounts to escalate privileges or pivot to other systems. The medium severity rating indicates a significant but not immediately critical threat, emphasizing the need for timely remediation to avoid operational impact.

Mitigation Recommendations

Organizations should immediately verify their FortiSOAR version and plan to upgrade to a patched release once available from Fortinet. In the absence of patches, implement strict access controls and monitor user account activities closely, especially password change events. Enforce multi-factor authentication (MFA) on all FortiSOAR accounts to reduce the risk of account compromise. Limit user privileges to the minimum necessary to reduce the impact of compromised accounts. Conduct regular audits of user accounts and password policies to detect anomalies. Network segmentation should be applied to restrict access to FortiSOAR management interfaces only to trusted administrators. Employ logging and alerting on suspicious password reset attempts or unusual account behavior. Additionally, consider integrating FortiSOAR with external identity providers that enforce stronger authentication and password management policies. Finally, maintain an incident response plan that includes procedures for rapid account recovery and forensic analysis in case of exploitation.
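The monitoring advice above (alerting on suspicious password change events) can be turned into a small detection routine. The example below is added for this page and is not FortiSOAR code; the JSON-lines audit format and field names are constructed, so the parsing would have to be adapted to whatever the real platform emits. It raises an alert when a password change comes from a source address other than the one used for the account's most recent login, and when the same account changes its password more than once inside a short window.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events in a generic JSON-lines shape (not the real
# FortiSOAR schema). 203.0.113.0/24 is documentation address space.
SAMPLE_LOG = """
{"ts":"2025-12-10T09:00:00Z","event":"login","user":"analyst","src":"10.1.1.20"}
{"ts":"2025-12-10T09:05:00Z","event":"password_change","user":"analyst","src":"10.1.1.20"}
{"ts":"2025-12-10T11:00:00Z","event":"login","user":"soc_admin","src":"10.1.1.31"}
{"ts":"2025-12-10T11:42:00Z","event":"password_change","user":"soc_admin","src":"203.0.113.77"}
{"ts":"2025-12-10T11:43:00Z","event":"password_change","user":"soc_admin","src":"203.0.113.77"}
"""


def parse_events(text: str) -> list:
    """Parse JSON-lines audit text into dicts with a real datetime in 'ts'."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect(events: list, window: timedelta = timedelta(minutes=10)) -> list:
    """Return alerts for password changes that look like credential takeover.

    Rules (hypothetical, tuned to the constructed sample):
      src_mismatch    - change originates from an address different from the
                        account's most recent login address
      repeated_change - a second change for the same account within `window`
    """
    last_login_src = {}
    recent_changes = defaultdict(list)
    alerts = []
    for ev in events:
        user = ev["user"]
        if ev["event"] == "login":
            last_login_src[user] = ev["src"]
            continue
        if ev["event"] != "password_change":
            continue
        if last_login_src.get(user) != ev["src"]:
            alerts.append({"rule": "src_mismatch", "user": user, "ts": ev["ts"],
                           "login_src": last_login_src.get(user), "change_src": ev["src"]})
        prior = [t for t in recent_changes[user] if ev["ts"] - t <= window]
        if prior:
            alerts.append({"rule": "repeated_change", "user": user, "ts": ev["ts"],
                           "count_in_window": len(prior) + 1})
        recent_changes[user].append(ev["ts"])
    return alerts


def run_sample() -> list:
    return detect(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for a in run_sample():
        print(a)
```

Both rules are deliberately narrow; in practice they would be combined with the account's MFA status and with whether the change was preceded by a re-authentication, if the platform records one.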


Technical Details

Data Version: 5.2
Assigner Short Name: fortinet
Date Reserved: 2025-09-22T08:19:21.055Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69385e4c74ebaa3baba1401e

Added to database: 12/9/2025, 5:37:16 PM

Last enriched: 1/14/2026, 3:03:12 PM

Last updated: 2/4/2026, 10:14:38 PM

Views: 53
