FortiPortal<7.4.2 Improper Path Resolution via HTTP requests
CVE-2025-24470 Published on February 11, 2025
An Improper Resolution of Path Equivalence vulnerability [CWE-41] in FortiPortal 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through 7.0.11 may allow a remote unauthenticated attacker to retrieve source code via crafted HTTP requests.
Vulnerability Analysis
CVE-2025-24470 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.
Weakness Type
Improper Resolution of Path Equivalence
The system or application is vulnerable to file system contents disclosure through path equivalence. Path equivalence involves the use of special characters in file and directory names. The associated manipulations are intended to generate multiple names for the same object. Path equivalence is usually employed in order to circumvent access controls expressed using an incomplete set of file name or file path representations. This is different from path traversal, wherein the manipulations are performed to generate a name for a different object.
Products Associated with CVE-2025-24470
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2025-24470 are published in Fortinet Fortiportal:
Affected Versions
Fortinet FortiPortal:- Version 7.4.0, <= 7.4.2 is affected.
- Version 7.2.0, <= 7.2.6 is affected.
- Version 7.0.0, <= 7.0.11 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.