CVE-2025-59809 - Vulnerability Details

- Authenticated SSRF Allows Discovery of Internal Services in FortiSOAR

Description

A server-side request forgery (ssrf) vulnerability [CWE-918] vulnerability in Fortinet FortiSOAR PaaS 7.6.4, FortiSOAR PaaS 7.6.0 through 7.6.2, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.4, FortiSOAR on-premise 7.6.0 through 7.6.2, FortiSOAR on-premise 7.5.0 through 7.5.2, FortiSOAR on-premise 7.4 all versions, FortiSOAR on-premise 7.3 all versions may allow an authenticated attacker to discover services running on local ports via crafted requests.

Published: 2026-04-14

Score: 4.1 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Fortinet FortiSOAR PaaS and on‑premise versions contain a server‑side request forgery (SSRF) flaw (CWE‑918). An authenticated attacker can send crafted requests that cause FortiSOAR to reach internal ports, allowing discovery of services running on the local host. The primary impact is that an attacker gains visibility into the internal network and can use this information for lateral movement or other attacks.

Affected Systems

Affected products include FortiSOAR on‑premise versions 7.3.x through 7.6.4, and FortiSOAR PaaS versions 7.3.x through 7.6.4. All sub‑versions listed in the CNA CPE data are impacted. Both on‑premise and PaaS deployments must be addressed.

Risk and Exploitability

The CVSS score is 4.1, indicating moderate severity. No EPSS data is available and the vulnerability is not listed in the KEV catalog. Exploitation requires valid authentication and crafted requests, so the likelihood is moderate but limited to users with access. The risk is primarily the exposure of internal services, and remediation is advised promptly.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Fortinet

FortiSOAR on-premise

unaffected

Version	Status	Constraints
`7.6.4`	affected	—
`7.6.0`	affected	≤ 7.6.2
`7.5.0`	affected	≤ 7.5.2
`7.4.0`	affected	≤ 7.4.5
`7.3.0`	affected	≤ 7.3.3

Fortinet

FortiSOAR PaaS

unaffected

Version	Status	Constraints
`7.6.4`	affected	—
`7.6.0`	affected	≤ 7.6.2
`7.5.0`	affected	≤ 7.5.2
`7.4.0`	affected	≤ 7.4.5
`7.3.0`	affected	≤ 7.3.3

No data.

Vendor Product Confidence Versions

Fortinet

Fortisoaron-premise

98%

Version	Status	Scheme	Platform
`7.6.4`	affected	semver	—
`[7.6.0,7.6.2]`	affected	semver	—
`[7.5.0,7.5.2]`	affected	semver	—
`[7.4.0,7.4.5]`	affected	semver	—
`[7.3.0,7.3.3]`	affected	semver	—

Fortinet

Fortisoarpaas

98%

Version	Status	Scheme	Platform
`7.6.4`	affected	semver	—
`[7.6.0,7.6.2]`	affected	semver	—
`[7.5.0,7.5.2]`	affected	semver	—
`[7.4.0,7.4.5]`	affected	semver	—
`[7.3.0,7.3.3]`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

Vendor Solution

Upgrade to FortiSOAR on-premise version 7.6.5 or above Upgrade to FortiSOAR on-premise version 7.6.3 or above Upgrade to upcoming FortiSOAR on-premise version 7.5.3 or above Upgrade to FortiSOAR PaaS version 7.6.5 or above Upgrade to FortiSOAR PaaS version 7.6.3 or above Upgrade to upcoming FortiSOAR PaaS version 7.5.3 or above

OpenCVE Recommended Actions

Upgrade FortiSOAR to a version that remediates the SSRF vulnerability. For on‑premise deployments, apply version 7.6.5 or later. For PaaS, apply version 7.6.5 or later.
After upgrading, test that internal port requests made via FortiSOAR are rejected or blocked to confirm the vulnerability is closed.
Continuously monitor authentication sessions and system logs for any attempted SSRF activity and enforce network segmentation to limit internal side‑channel access.

Generated by OpenCVE AI on April 14, 2026 at 17:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00026.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://fortiguard.fortinet.com/psirt/FG-IR-26-103

History

Wed, 15 Apr 2026 15:45:00 +0000

Type	Values Removed	Values Added
Title		Authenticated SSRF Allows Discovery of Internal Services in FortiSOAR

Tue, 14 Apr 2026 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 14 Apr 2026 16:00:00 +0000

Type	Values Removed	Values Added
Description		A server-side request forgery (ssrf) vulnerability [CWE-918] vulnerability in Fortinet FortiSOAR PaaS 7.6.4, FortiSOAR PaaS 7.6.0 through 7.6.2, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.4, FortiSOAR on-premise 7.6.0 through 7.6.2, FortiSOAR on-premise 7.5.0 through 7.5.2, FortiSOAR on-premise 7.4 all versions, FortiSOAR on-premise 7.3 all versions may allow an authenticated attacker to discover services running on local ports via crafted requests.
First Time appeared		Fortinet Fortinet fortisoaron-premise Fortinet fortisoarpaas
Weaknesses		CWE-918
CPEs		cpe:2.3:a:fortinet:fortisoaron-premise:7.3.0:::::::* cpe:2.3:a:fortinet:fortisoaron-premise:7.3.1:::::::* cpe:2.3:a:fortinet:fortisoaron-premise:7.3.2:::::::* cpe:2.3:a:fortinet:fortisoaron-premise:7.3.3:::::::* cpe:2.3:a:fortinet:fortisoaron-premise:7.4.0:::::::* cpe:2.3:a:fortinet:fortisoaron-premise:7.4.1:::::::* cpe:2.3:a:fortinet:fortisoaron-premise:7.4.2:::::::* cpe:2.3:a:fortinet:fortisoaron-premise:7.4.3:::::::* cpe:2.3:a:fortinet:fortisoaron-premise:7.4.4:::::::* cpe:2.3:a:fortinet:fortisoaron-premise:7.4.5:::::::* cpe:2.3:a:fortinet:fortisoaron-premise:7.5.0:::::::* cpe:2.3:a:fortinet:fortisoaron-premise:7.5.1:::::::* cpe:2.3:a:fortinet:fortisoaron-premise:7.5.2:::::::* cpe:2.3:a:fortinet:fortisoaron-premise:7.6.0:::::::* cpe:2.3:a:fortinet:fortisoaron-premise:7.6.1:::::::* cpe:2.3:a:fortinet:fortisoaron-premise:7.6.2:::::::* cpe:2.3:a:fortinet:fortisoaron-premise:7.6.4:::::::* cpe:2.3:a:fortinet:fortisoarpaas:7.3.0:::::::* cpe:2.3:a:fortinet:fortisoarpaas:7.3.1:::::::* cpe:2.3:a:fortinet:fortisoarpaas:7.3.2:::::::* cpe:2.3:a:fortinet:fortisoarpaas:7.3.3:::::::* cpe:2.3:a:fortinet:fortisoarpaas:7.4.0:::::::* cpe:2.3:a:fortinet:fortisoarpaas:7.4.1:::::::* cpe:2.3:a:fortinet:fortisoarpaas:7.4.2:::::::* cpe:2.3:a:fortinet:fortisoarpaas:7.4.3:::::::* cpe:2.3:a:fortinet:fortisoarpaas:7.4.4:::::::* cpe:2.3:a:fortinet:fortisoarpaas:7.4.5:::::::* cpe:2.3:a:fortinet:fortisoarpaas:7.5.0:::::::* cpe:2.3:a:fortinet:fortisoarpaas:7.5.1:::::::* cpe:2.3:a:fortinet:fortisoarpaas:7.5.2:::::::* cpe:2.3:a:fortinet:fortisoarpaas:7.6.0:::::::* cpe:2.3:a:fortinet:fortisoarpaas:7.6.1:::::::* cpe:2.3:a:fortinet:fortisoarpaas:7.6.2:::::::* cpe:2.3:a:fortinet:fortisoarpaas:7.6.4:::::::*
Vendors & Products		Fortinet Fortinet fortisoaron-premise Fortinet fortisoarpaas
References		https://fortiguard.fortinet.com/psirt/FG-IR-26-103
Metrics		cvssV3_1 `{'score': 4.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:H/RL:O/RC:C'}`

Subscriptions

Fortinet Fortisoaron-premise Fortisoarpaas

MITRE

Status: PUBLISHED

Assigner: fortinet

Published: 2026-04-14T15:38:15.104Z

Updated: 2026-04-14T16:46:16.247Z

Reserved: 2025-09-22T08:19:21.055Z

Link: CVE-2025-59809

Vulnrichment

Updated: 2026-04-14T16:37:22.845Z

NVD

Status : Received

Published: 2026-04-14T16:16:31.103

Modified: 2026-04-14T16:16:31.103

Link: CVE-2025-59809

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T15:30:06Z

Weaknesses

CWE-918

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object