Platform
fortinet
Component
fortidlp-agent-s-outlookproxy-plugin
Fixed in
11.5.2
11.4.7
11.3.5
11.2.4
11.2.1
11.1.3
11.0.2
10.5.2
10.4.1
10.3.2
CVE-2025-54658 describes a Path Traversal vulnerability discovered in the Outlookproxy plugin of the FortiDLP Agent for macOS. This flaw allows an authenticated attacker to escalate their privileges to root on the affected system. The vulnerability impacts versions 10.3.1 through 11.5.1 of the FortiDLP Agent, and a fix is available in version 11.5.2.
Successful exploitation of CVE-2025-54658 allows an authenticated attacker to gain root privileges on the affected macOS system. This represents a significant escalation of privileges, granting the attacker complete control over the system. The attacker could then install malware, steal sensitive data, modify system configurations, or pivot to other systems on the network. The vulnerability's reliance on a crafted request suggests a targeted attack scenario, potentially leveraging existing authentication mechanisms within the FortiDLP Agent. While the vulnerability is specific to the Outlookproxy plugin, the root privilege escalation has a broad blast radius, impacting the entire system.
CVE-2025-54658 was publicly disclosed on 2025-10-16. Its severity is rated HIGH (CVSS 7.2). There are currently no publicly available proof-of-concept exploits. The vulnerability has not been added to the CISA KEV catalog as of this writing. Given the potential for root privilege escalation, this vulnerability warrants immediate attention and patching.
Organizations deploying FortiDLP Agent for MacOS, particularly those with sensitive data or critical infrastructure, are at risk. Shared hosting environments where multiple users share the same FortiDLP Agent instance are also particularly vulnerable, as a compromised user account could be leveraged to escalate privileges and impact other users.
• macos: Use ls -la /path/to/plugin/ to check for suspicious files or directories created by an attacker.
• macos: Monitor system logs (Console.app) for unusual network activity or attempts to access restricted directories.
• fortinet: Review Fortinet's security advisories and threat intelligence feeds for updates related to this vulnerability.
• macos: Use sudo dtrace -n 'syscall::open:entry /index(copyinstr(arg0), "/path/to/plugin/") != -1/ { printf("%s %s", execname, copyinstr(arg0)); }' to log which processes open files under the plugin directory; note that System Integrity Protection restricts dtrace on current macOS releases, so this check may require an SIP exception for dtrace.
EPSS
0.04% (11th percentile)
The primary mitigation for CVE-2025-54658 is to upgrade the FortiDLP Agent to version 11.5.2 or later. If immediate upgrading is not possible due to compatibility issues or testing requirements, consider implementing network segmentation to restrict access to the Outlookproxy plugin. Monitor network traffic for suspicious requests targeting the plugin's listening port. While a WAF or proxy cannot directly prevent this path traversal, it can be configured to block requests containing unusual or unexpected path components. After upgrading, verify the fix by attempting to access restricted files via the Outlookproxy plugin with a crafted request; access should be denied.
Upgrade FortiDLP Agent to a version later than 11.5.1. Consult the Fortinet advisory (FG-IR-25-628) for further details and specific upgrade instructions.
CVE-2025-54658 is a Path Traversal vulnerability in the FortiDLP Agent's Outlookproxy plugin for macOS, allowing privilege escalation to root. It affects versions 10.3.1–11.5.1.
You are affected if you are running FortiDLP Agent for macOS versions 10.3.1 through 11.5.1. Check your version and upgrade if necessary.
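To make the version check concrete, here is an added Python helper (not from this page or from Fortinet) that classifies an installed FortiDLP Agent version string against the affected range and the "Fixed in" releases listed above. How the version string is obtained on the host is left to you; the rule that a branch counts as safe only from its highest listed fix onward is this example's own conservative assumption.

```python
"""Classify a FortiDLP Agent for macOS version against CVE-2025-54658.

The version numbers below are copied from the advisory data on this page.
The helpers and the per-branch rule are this example's own assumptions.
"""
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Affected range stated on the page: 10.3.1 through 11.5.1, inclusive.
AFFECTED_MIN: Version = (10, 3, 1)
AFFECTED_MAX: Version = (11, 5, 1)

# "Fixed in" releases listed on the page. The page lists two fixes on the
# 11.2 branch (11.2.1 and 11.2.4); this example treats the branch as safe
# only from the highest listed fix onward (assumption).
FIXED_IN: List[str] = ["11.5.2", "11.4.7", "11.3.5", "11.2.4", "11.2.1",
                       "11.1.3", "11.0.2", "10.5.2", "10.4.1", "10.3.2"]


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH' into a comparable tuple; reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def fixed_release_for(version: Version) -> Optional[Version]:
    """Highest listed fix on the same MAJOR.MINOR branch, or None if none is listed."""
    branch_fixes = [parse_version(f) for f in FIXED_IN
                    if parse_version(f)[:2] == version[:2]]
    return max(branch_fixes) if branch_fixes else None


def is_affected(text: str) -> bool:
    """True when the version lies in the affected range and below its branch fix."""
    v = parse_version(text)
    if v < AFFECTED_MIN or v > AFFECTED_MAX:
        return False
    fix = fixed_release_for(v)
    # Inside the range: affected unless this branch has a fix and v is at/after it.
    return fix is None or v < fix


def recommended_upgrade(text: str) -> str:
    """Fix release on the installed branch, falling back to 11.5.2 from the page."""
    fix = fixed_release_for(parse_version(text))
    return ".".join(str(n) for n in fix) if fix else "11.5.2"
```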
Upgrade to FortiDLP Agent version 11.5.2 or later to remediate the vulnerability. Consider network segmentation as a temporary mitigation.
While no active exploitation has been confirmed, the vulnerability's nature suggests it could be easily exploited once a proof-of-concept is released.
Refer to the official Fortinet security advisory for CVE-2025-54658 on the Fortinet support website.