Information Disclosure on SSLVPN endpoint

Summary

An Exposure of Sensitive Information to an Unauthorized Actor vulnerability [CWE-200] in FortiOS SSL-VPN web-mode may allow an authenticated user to access the full SSL-VPN settings via a crafted URL.

Version          Affected                  Solution
FortiOS 7.6      7.6.0                     Upgrade to 7.6.1 or above
FortiOS 7.4      7.4.0 through 7.4.7       Upgrade to 7.4.8 or above
FortiOS 7.2      7.2 all versions          Migrate to a fixed release
FortiOS 7.0      7.0 all versions          Migrate to a fixed release
FortiOS 6.4      6.4 all versions          Migrate to a fixed release
FortiSASE 25.2   Not affected              Not Applicable
FortiSASE 25.1   25.1.c                    Migrate to a fixed release
FortiSASE 24.4   Not affected              Not Applicable
FortiSASE 23.3   Not affected              Not Applicable
FortiSASE 23.2   Not affected              Not Applicable
FortiSASE 23.1   Not affected              Not Applicable
FortiSASE 22.4   Not affected              Not Applicable
Follow the recommended upgrade path using our tool at: https://docs.fortinet.com/upgrade-tool
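The following triage helper is an added example, not Fortinet tooling and not part of the original advisory. It encodes the affected ranges from the table above and classifies a reported FortiOS or FortiSASE version, so that a fleet inventory can be checked without reading the table by hand. It assumes FortiOS versions are dotted numeric strings such as "7.4.3" (a version with no patch component is treated as patch 0), that the FortiSASE entry "25.1.c" is a single build identifier matched literally, and that a branch the advisory does not list (for example 6.2 or a future 8.x) should be reported as unlisted rather than as safe. It does not check whether SSL-VPN web-mode is actually enabled on the device, which is the condition the advisory names.

```python
"""Classify a FortiOS / FortiSASE version against the affected ranges
in this advisory.  Added example; not Fortinet's own tooling.

Assumption (not from the advisory): version strings are dotted
numerics like "7.4.3"; "7.6" is treated as "7.6.0".
"""
import re

# Affected ranges transcribed from the advisory table.
# branch -> (lowest affected patch, highest affected patch or None
#            for "all versions", recommended action)
FORTIOS_BRANCHES = {
    (7, 6): (0, 0, "Upgrade to 7.6.1 or above"),
    (7, 4): (0, 7, "Upgrade to 7.4.8 or above"),
    (7, 2): (0, None, "Migrate to a fixed release"),
    (7, 0): (0, None, "Migrate to a fixed release"),
    (6, 4): (0, None, "Migrate to a fixed release"),
}

# FortiSASE: only one build is listed as affected; matched literally
# (assumption: "25.1.c" is a single build identifier, not a range).
FORTISASE_AFFECTED = {"25.1.c": "Migrate to a fixed release"}

NOT_LISTED = "Branch not listed in the advisory; verify separately"


def parse_version(version):
    """Parse "MAJOR.MINOR[.PATCH]" into an int tuple; patch defaults to 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch) if patch is not None else 0


def assess_fortios(version):
    """Return (affected, action) for a FortiOS version string."""
    major, minor, patch = parse_version(version)
    branch = FORTIOS_BRANCHES.get((major, minor))
    if branch is None:
        # Unlisted branches are not declared safe by the advisory.
        return False, NOT_LISTED
    low, high, action = branch
    if high is None:
        # Whole branch affected; no fixed build exists on that branch.
        return True, action
    if low <= patch <= high:
        return True, action
    return False, "Not affected"


def assess_fortisase(version):
    """Return (affected, action) for a FortiSASE version string."""
    action = FORTISASE_AFFECTED.get(version.strip())
    if action is not None:
        return True, action
    return False, "Not affected"


if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    inventory = [("FortiOS", "7.4.7"), ("FortiOS", "7.4.8"),
                 ("FortiOS", "7.2.11"), ("FortiOS", "6.2.16"),
                 ("FortiSASE", "25.1.c"), ("FortiSASE", "25.2")]
    for product, ver in inventory:
        check = assess_fortios if product == "FortiOS" else assess_fortisase
        affected, action = check(ver)
        print(f"{product} {ver:8s} affected={affected!s:5s} {action}")
```

Treat the "not listed" result as a prompt to consult the advisory or the upgrade tool, not as a clean bill of health; the advisory only enumerates the branches in its table.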

Timeline

2025-06-10: Initial publication