CVE-2025-52970
HIGHDescription
A improper handling of parameters in Fortinet FortiWeb versions 7.6.3 and below, versions 7.4.7 and below, versions 7.2.10 and below, and 7.0.10 and below may allow an unauthenticated remote attacker with non-public information pertaining to the device and targeted user to gain admin privileges on the device via a specially crafted request.
Is your site exposed to CVE-2025-52970?
Run a free security scan — no signup, results in seconds.
CVSS v3.1 Score
Weakness Type (CWE)
Affected Products
| Vendor | Product |
|---|---|
| fortinet | fortiweb |
| fortinet | fortiweb |
| fortinet | fortiweb |
| fortinet | fortiweb |
References
Advisories & Patches
Frequently Asked Questions
What is CVE-2025-52970? +
How severe is CVE-2025-52970? +
What products are affected by CVE-2025-52970? +
How do I check if I'm vulnerable to CVE-2025-52970? +
Related Vulnerabilities
This vulnerability in Veeam Service Provider Console allows for remote code execution.
An issue in EpointWebBuilder 5.1.0-sp1, 5.2.1-sp1, 5.4.1 and 5.4.2 allows a remote attacker to execute arbitrary code via the infoid …
TOTOLINK EX200 V4.0.3c.7646_B20201211 was discovered to contain a remote code execution (RCE) vulnerability via the webWlanIdx parameter in the setWebWlanIdx …
Inappropriate implementation in Google Updator prior to 1.3.36.351 in Google Chrome allowed a local attacker to perform privilege escalation via …
In Eclipse ThreadX before 6.4.3, when memory protection is enabled, syscall parameters verification wasn't enough, allowing an attacker to obtain …
Insufficient Parameter Validation in the SchedGet() system call could allow an attacker with local access to cause a crash of …