Unauthenticated access to local configuration Fortinet PSIRT Advisories Fortinet PSIRT Contact: Website: https://fortiguard.fortinet.com/faq/psirt-contact FG-IR-25-260 Final 1 1 2026-01-13T00:00:00 Current version 2026-01-13T00:00:00 2026-01-13T00:00:00 An exposure of sensitive information to an unauthorized actor [CWE-200] vulnerability in FortiFone Web Portal page may allow an unauthenticated attacker to obtain the device configuration via crafted HTTP or HTTPS requests. None Improper access control None Internally discovered and reported by Théo Leleu from Fortinet Product Security team. FortiFone 7.0.1 FortiFone 7.0.0 FortiFone 3.0.23 FortiFone 3.0.22 FortiFone 3.0.21 FortiFone 3.0.20 FortiFone 3.0.19 FortiFone 3.0.18 FortiFone 3.0.17 FortiFone 3.0.16 FortiFone 3.0.15 FortiFone 3.0.14 FortiFone 3.0.13 CVE-2025-47855 FortiFone-7.0.1 FortiFone-7.0.0 FortiFone-3.0.23 FortiFone-3.0.22 FortiFone-3.0.21 FortiFone-3.0.20 FortiFone-3.0.19 FortiFone-3.0.18 FortiFone-3.0.17 FortiFone-3.0.16 FortiFone-3.0.15 FortiFone-3.0.14 FortiFone-3.0.13 9.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:C https://fortiguard.fortinet.com/psirt/FG-IR-25-260 Unauthenticated access to local configuration Reference>