
CVE-2025-61713: Information disclosure in Fortinet FortiPAM

Severity: Low
Published: Tue Nov 18 2025 (11/18/2025, 17:01:18 UTC)
Source: CVE Database V5
Vendor/Project: Fortinet
Product: FortiPAM

Description

A Cleartext Storage of Sensitive Information in Memory vulnerability [CWE-316] in Fortinet FortiPAM 1.6.0, FortiPAM 1.5 all versions, FortiPAM 1.4 all versions, FortiPAM 1.3 all versions, FortiPAM 1.2 all versions, FortiPAM 1.1 all versions, FortiPAM 1.0 all versions may allow an authenticated attacker with read-write admin privileges to the CLI to obtain other administrators' credentials via diagnose commands.

AI-Powered Analysis

Last updated: 01/14/2026, 15:04:18 UTC

Technical Analysis

CVE-2025-61713 is a cleartext storage of sensitive information in memory vulnerability (CWE-316) affecting Fortinet FortiPAM 1.6.0 and every release of the 1.0 through 1.5 branches. FortiPAM is a privileged access management product that vaults and brokers administrative credentials, so the credentials it holds are typically the most sensitive identities in an environment. The weakness is that administrator credentials are kept in cleartext in process memory and can be read back through diagnose CLI commands by an attacker who already holds read-write administrative privileges on the FortiPAM CLI. The consequence is that one read-write admin can obtain other administrators' credentials and replay them, either to escalate within FortiPAM or to reach systems whose access the appliance brokers. The vulnerability cannot be exploited by an unauthenticated attacker and does not directly affect integrity or availability. The CVSS 3.1 vector (AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C) encodes local access, low attack complexity, high privileges, required user interaction and a confidentiality-only impact; its temporal metrics state proof-of-concept exploit maturity (E:P), an official fix (RL:O) and a confirmed report (RC:C), which is why the published rating is Low even though confidentiality impact is High. Note that RL:O contradicts the claim, repeated in some summaries of this CVE, that Fortinet has not released patches: consult Fortinet's PSIRT advisory for the fixed versions rather than relying on this summary. No public exploits are known. The vulnerability was published on November 18, 2025, with a reserved date of September 30, 2025.

Potential Impact

For European organizations, this vulnerability primarily threatens the confidentiality of the privileged credentials FortiPAM manages. An attacker who already holds read-write CLI access could harvest other administrators' credentials and use them for unauthorized access to critical systems and sensitive data, enabling insider abuse, lateral movement and privilege escalation. Availability and integrity are not directly affected, but compromised PAM administrator credentials undermine the control that the appliance exists to provide, so the downstream effect on security posture can be severe. Organizations in finance, government, energy and telecommunications that depend on FortiPAM for privileged access management are most exposed. The need for high privileges and CLI access narrows the attack surface, but it also means the risk concentrates in the handful of read-write admin accounts, which insiders or advanced persistent threats specifically target. The absence of known public exploits lowers the immediate risk but does not remove it.

Mitigation Recommendations

1. Upgrade to the fixed FortiPAM version named in Fortinet's PSIRT advisory for CVE-2025-61713 as soon as it can be scheduled; the published vector's RL:O component indicates an official fix, so check the advisory rather than assuming no patch has shipped.
2. Restrict CLI access to FortiPAM to the administrators who need it and enforce least privilege: give day-to-day operators read-only or task-scoped admin profiles so that read-write CLI privilege, the precondition for this issue, is held by as few accounts as possible.
3. Require multi-factor authentication for all administrative access to reduce the chance that a stolen password alone yields the read-write CLI access needed here.
4. Log and audit CLI sessions, and alert on diagnose commands, especially from unexpected accounts, source addresses or hours; treat confirmed misuse as a trigger to rotate the credentials of the other administrators, since anything exposed from memory stays valid until it is changed.
5. Segregate the management network and reach FortiPAM management interfaces only through jump servers or bastion hosts, so that CLI access is both restricted and recorded.
6. Rotate administrative credentials regularly and after any suspected misuse of read-write CLI access; where the product supports it, keep secret material in an HSM or external vault so that plaintext exposure in memory is minimized.
7. Train administrators on the risks of credential exposure and on proper handling of privileged access, including not sharing read-write CLI accounts.
8. Forward FortiPAM event logs to a SIEM and correlate administrator logins with subsequent diagnose activity; endpoint detection and response on administrator workstations and jump hosts can catch credential-harvesting tooling, but it does not run on the appliance itself, so appliance-side logging is the primary detection source.
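Item 4 asks for monitoring of diagnose commands on the CLI. The following added example (not code from the page or from Fortinet) shows what such a rule looks like when run over exported audit lines. It assumes a syslog-style key=value log layout, placeholder command strings, and illustrative policy inputs (an expected-diagnostics admin list, a management subnet and a business-hours window); FortiPAM's real log schema and the specific diagnose subcommands that expose credentials are not given on this page, and the sample lines are constructed for the example.

```python
"""Flag diagnose-command use on a PAM appliance CLI from exported audit logs.

Added example, not part of the original page. The key=value log layout, the
field names, the command strings and the policy inputs below are assumptions
for illustration, not FortiPAM's real schema.
"""
from __future__ import annotations

import ipaddress
import re
from collections import Counter
from datetime import time

# Constructed sample audit lines (not real FortiPAM output).
SAMPLE_LOG = """\
date=2025-11-19 time=08:02:11 user="alice" profile="super_admin" ui="ssh(10.0.5.21)" cmd="get system status"
date=2025-11-19 time=08:03:40 user="alice" profile="super_admin" ui="ssh(10.0.5.21)" cmd="diagnose sys top"
date=2025-11-19 time=23:41:07 user="bob" profile="super_admin" ui="ssh(203.0.113.9)" cmd="diagnose sys process list"
date=2025-11-19 time=23:41:19 user="bob" profile="super_admin" ui="ssh(203.0.113.9)" cmd="diagnose sys process list"
date=2025-11-19 time=23:42:02 user="bob" profile="super_admin" ui="ssh(203.0.113.9)" cmd="diagnose debug enable"
date=2025-11-20 time=10:15:55 user="carol" profile="read_only" ui="https(10.0.5.30)" cmd="get system status"
"""

KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')   # k=v or k="v with spaces"
UI_RE = re.compile(r"^(\w+)\(([^)]+)\)$")          # e.g. ssh(10.0.5.21)

# Assumed policy inputs: admins expected to run diagnostics, the management
# network they should come from, and the business-hours window.
EXPECTED_DIAG_ADMINS = {"alice"}
MGMT_NET = ipaddress.ip_network("10.0.5.0/24")
WORK_HOURS = (time(7, 0), time(19, 0))


def parse_line(line: str) -> dict[str, str]:
    """Turn 'k=v k="v v"' into a dict; quoted and bare values are both accepted."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV_RE.finditer(line)}


def review_cli_audit(log_text: str) -> list[dict]:
    """Return one finding per diagnose command, listing the policy checks it failed."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        cmd = rec.get("cmd", "")
        if not cmd.startswith("diagnose"):
            continue  # only diagnose-class commands are in scope for this rule
        reasons = []
        if rec.get("user") not in EXPECTED_DIAG_ADMINS:
            reasons.append("user not expected to run diagnostics")
        ui = UI_RE.match(rec.get("ui", ""))
        if ui is None or ipaddress.ip_address(ui.group(2)) not in MGMT_NET:
            reasons.append("source outside management network")
        hh, mm, ss = (int(x) for x in rec["time"].split(":"))
        if not WORK_HOURS[0] <= time(hh, mm, ss) <= WORK_HOURS[1]:
            reasons.append("outside business hours")
        findings.append({
            "when": f'{rec["date"]} {rec["time"]}',
            "user": rec.get("user"),
            "cmd": cmd,
            "severity": "high" if reasons else "info",
            "reasons": reasons,
        })
    return findings


def diagnose_counts(findings: list[dict]) -> Counter:
    """Per-admin count of diagnose commands; a baseline for anomaly thresholds."""
    return Counter(f["user"] for f in findings)


if __name__ == "__main__":
    results = review_cli_audit(SAMPLE_LOG)
    for f in results:
        print(f'{f["when"]} {f["severity"]:4} {f["user"]:6} {f["cmd"]!r} {f["reasons"]}')
    print("per-user diagnose counts:", dict(diagnose_counts(results)))
```

In the constructed sample, alice's single diagnose command from the management subnet during working hours is recorded as informational, while bob's three commands from an external address late at night each fail all three checks and are rated high. Every diagnose command is still recorded, not just the high-severity ones, because item 4 above calls for rotating other administrators' credentials after any confirmed misuse, and that decision needs the full record of who ran what.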


Technical Details

Data Version
5.2
Assigner Short Name
fortinet
Date Reserved
2025-09-30T14:50:57.841Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 691ca899209f2030fa016988

Added to database: 11/18/2025, 5:10:49 PM

Last enriched: 1/14/2026, 3:04:18 PM

Last updated: 2/4/2026, 4:30:00 PM

