CVE-2025-47855:
Critical information exposure vulnerability in Fortinet FortiFone devices allows unauthorized access to device configuration.
Score
A numerical rating that indicates how dangerous this vulnerability is.
9.8Critical- Published Date:Jan 13, 2026
- CISA KEV Date:*No Data*
- Industries Affected:20
Threat Predictions
- EPSS Score:1.2
- EPSS Percentile:79%
Exploitability
- Score:3.9
- Attack Vector:NETWORK
- Attack Complexity:LOW
- Privileges Required:NONE
- User Interaction:NONE
- Scope:UNCHANGED
Impact
- Score:5.9
- Confidentiality Impact:HIGH
- Integrity Impact:HIGH
- Availability Impact:HIGH
Description Preview
Critical information exposure vulnerability in Fortinet FortiFone devices allows unauthorized access to device configuration.
Overview
The vulnerability in Fortinet FortiFone devices presents a severe security risk due to its critical nature and ease of exploitation. Affecting multiple versions of the FortiFone product line, this flaw enables unauthenticated attackers to access sensitive configuration data remotely. The vulnerability's high CVSS score of 9.8 reflects its potential for significant impact, with high ratings for confidentiality, integrity, and availability impacts. The attack vector is network-based, requires no privileges or user interaction, and has low attack complexity, making it particularly dangerous. This exposure of sensitive information could lead to further attacks, system compromise, or unauthorized access to the affected devices and potentially the broader network infrastructure.
Remediation
- To address this critical vulnerability, the following steps are recommended:
- 1. Immediately update affected Fortinet FortiFone devices to the latest available version that addresses this vulnerability.
- 2. If immediate updating is not possible, consider temporarily isolating affected devices from the network or implementing strict access controls.
- 3. Monitor system logs for any suspicious activities or unauthorized access attempts.
- 4. Conduct a thorough security audit of affected systems to ensure no unauthorized changes have been made to configurations.
- 5. Implement network segmentation to limit potential impact if exploitation occurs.
- 6. Strengthen authentication mechanisms and implement multi-factor authentication where possible.
- 7. Regularly review and update security policies and practices, especially those related to device configuration and access control.
- It is crucial to stay informed about any additional guidance or patches released by Fortinet regarding this vulnerability.
References
Industries Affected
Below is a list of industries most commonly impacted or potentially at risk based on intelligence.
