CVE-2025-52970

CVE Database · CVE-2025-52970

CVE-2025-52970

· HIGHAnalyzed

CVSS v3.1

8.1

EPSS

10.67%

Published

Aug 12, 2025

Modified

Aug 15, 2025

Public PoC / Exploit (2)

All weaponized →

NucleiNuclei detection template TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

A improper handling of parameters in Fortinet FortiWeb versions 7.6.3 and below, versions 7.4.7 and below, versions 7.2.10 and below, and 7.0.10 and below may allow an unauthenticated remote attacker with non-public information pertaining to the device and targeted user to gain admin privileges on the device via a specially crafted request.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-233

Affected Products (4)

fortinet · fortiweb (up to 7.0.11)vulnerable

fortinet · fortiweb (up to 7.2.11)vulnerable

fortinet · fortiweb (up to 7.4.8)vulnerable

fortinet · fortiweb (up to 7.6.4)vulnerable

References (2)

https://fortiguard.fortinet.com/psirt/FG-IR-25-448

Vendor Advisory

https://pwner.gg/blog/2025-08-13-fortiweb-cve-2025-52970

ExploitThird Party Advisory

KEV Catalog EPSS Scores Vendors All CVEs