CVE-2025-47855

CRITICAL

Fortinet FortiFone <7.0.2 - Info Disclosure

Title source: llm

Description

An exposure of sensitive information to an unauthorized actor [CWE-200] vulnerability in Fortinet FortiFone 7.0.0 through 7.0.1 and FortiFone 3.0.13 through 3.0.23 allows an unauthenticated attacker to obtain the device configuration via crafted HTTP or HTTPS requests.

Scores

CVSS v3 9.8
EPSS 0.0123
EPSS Percentile 79.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE CWE-200
Status published
Products (2)
Fortinet/FortiFone 3.0.13 - 3.0.23
Fortinet/FortiFone 7.0.0 - 7.0.1
Published Jan 13, 2026
Tracked Since Feb 18, 2026