What is CVE-2025-59809?

A medium-severity server-side request forgery vulnerability in Fortinet FortiSOAR could allow authenticated attackers to discover local services. Immediate action is recommended to mitigate potential risks.

What is the severity of CVE-2025-59809?

CVE-2025-59809 has a severity rating of MEDIUM with a CVSS base score of 4.3.

CVE-2025-59809 | Medium Vulnerability in Fortinet FortiSOAR

CVE-2025-59809 is classified as a server-side request forgery (SSRF) vulnerability affecting multiple versions of Fortinet FortiSOAR. This vulnerability allows authenticated attackers to exploit crafted requests to discover services running on local ports. The severity of this vulnerability is rated as medium, with a CVSS score of 4.3, indicating potential risks that organizations should not ignore.

The vulnerability affects FortiSOAR PaaS versions 7.6.4, 7.6.0 through 7.6.2, 7.5.0 through 7.5.2, and all versions of FortiSOAR PaaS 7.4 and 7.3, as well as on-premise versions matching these criteria. Organizations using these versions are at risk and should take immediate action.

This vulnerability allows attackers to potentially enumerate services, which could lead to further exploitation within the system. Organizations must assess their exposure and prioritize remediation, especially considering the likelihood of exploitation remains a concern.

Given the nature of the vulnerability and the potential risks to sensitive data and infrastructure, organizations should prioritize patching immediately. The security implications of SSRF vulnerabilities can be significant, and timely updates are crucial.

Vulnerability Details

The official CVE description indicates that CVE-2025-59809 is a server-side request forgery (SSRF) vulnerability in Fortinet FortiSOAR, specifically identified as CWE-918. The vulnerability is present in the following versions: FortiSOAR PaaS 7.6.4, 7.6.0 through 7.6.2, 7.5.0 through 7.5.2, and FortiSOAR on-premise versions 7.6.4, 7.6.0 through 7.6.2, 7.5.0 through 7.5.2, as well as all versions of FortiSOAR PaaS 7.4 and 7.3.

The CVSS score for this vulnerability is 4.3, which is classified as medium severity. This indicates a moderate level of risk, primarily due to the potential for unauthorized access to local services. The CVSS vector indicates that the attack vector is network-based, with low attack complexity and low privileges required for exploitation.

The vulnerability was published on April 14, 2026, and the last modification was made on May 6, 2026. Organizations must stay updated on this vulnerability and apply any necessary patches as soon as they are made available.

Technical Analysis

The root cause of CVE-2025-59809 lies in the improper handling of requests that allow the disclosure of services running on local ports. This flaw can be exploited by authenticated users who can send crafted requests to the server, potentially leading to further attacks within the local network.

The attack vector is classified as network-based (AV:N), meaning that an attacker could exploit the vulnerability remotely. The attack complexity is low (AC:L), indicating that little skill or effort is required to exploit the vulnerability once the attacker has authenticated access. Privileges required for successful exploitation are low (PR:L), allowing attackers with minimal access to exploit the vulnerability.

User interaction is not required (UI:N) to exploit this vulnerability, making it easier for attackers to execute an attack without needing any cooperation from the victim. The confidentiality impact is low (C:L), implying that sensitive information may be disclosed, but the integrity (I:N) and availability (A:N) impacts are none, meaning that the vulnerability does not affect the integrity or availability of the system.

Risk & Impact Analysis

The real-world risk associated with CVE-2025-59809 is significant, as it allows authenticated users to discover local services that could be exploited further. This may lead to unauthorized access to sensitive applications and systems, increasing the potential for more serious attacks.

Organizations should evaluate their exposure based on the deployment of Fortinet FortiSOAR and the versions they are using. Given that this vulnerability affects multiple versions, the blast radius could be extensive, impacting many users within an organization.

The urgency for remediation is classified as medium, given the CVSS score. Organizations should incorporate this vulnerability into their patch management process and address it in their priority patch cycle to mitigate potential risks.

Exploitation Status

Signal	Status
Known Exploit	No
Public PoC	No
Actively Exploited	No
Ransomware Use	No

Affected Versions

The affected versions of Fortinet FortiSOAR include PaaS versions 7.6.4, 7.6.0 through 7.6.2, and 7.5.0 through 7.5.2, as well as all versions of FortiSOAR PaaS 7.4 and 7.3. Organizations using these versions should ensure they are patched to the latest version to avoid exposure.

Mitigation & Remediation

Organizations should prioritize the installation of patches provided by Fortinet for FortiSOAR to remediate this vulnerability. Regular updates and security assessments are crucial to maintaining the security posture of deployed solutions.

If a patch is unavailable, organizations should consider implementing strong network controls to limit the exposure of affected services, as well as monitoring for unusual activity that may indicate an attempt to exploit this vulnerability.

Detection Guidance

Organizations should monitor logs for unusual requests that may indicate attempts to exploit this SSRF vulnerability. Key log indicators include requests that target internal services or unexpected ports.

Additionally, behavioral anomalies such as unusual patterns of access or authentication failures should be investigated. Network signatures that are indicative of SSRF attempts may also provide valuable detection capabilities.

AppSecure Threat Intelligence Insight

CVE-2025-59809 highlights the importance of secure coding practices and the need for comprehensive security assessments. Organizations should review their security protocols and ensure that all services are properly secured against SSRF vulnerabilities.

As this vulnerability shows, even authenticated users can pose significant risks if proper controls are not in place. Regular security training and awareness initiatives can help mitigate risks associated with insider threats.

A well-defined vulnerability management program is essential for keeping systems secure and identifying weaknesses before they can be exploited.

Regular penetration testing is vital for understanding the attack surface and improving the overall security posture.

Following API security best practices can also help organizations defend against SSRF vulnerabilities and enhance their security frameworks.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

CVE ID	Title	Severity	Vulnerability Type	Published
CVE-2025-65418	CVE-2025-65418: High Vulnerability in docuFORM Managed Print Service Client	HIGH	Path Traversal	May 11, 2026
CVE-2025-65417	CVE-2025-65417: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	XSS	May 11, 2026
CVE-2025-65416	CVE-2025-65416: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Unrestricted File Upload	May 11, 2026
CVE-2025-65415	CVE-2025-65415: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Session Fixation	May 11, 2026
CVE-2025-61314	CVE-2025-61314: High Vulnerability in GmbH Mecury Managed Print Services	HIGH	XSS	May 11, 2026

CVE-2025-59809: Medium Vulnerability in Fortinet FortiSOAR