Unverified Password Change

CVE-2025-59808

Medium

6.8/10

Summary

An unverified password change vulnerability [CWE-620] vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.2, FortiSOAR PaaS 7.5.0 through 7.5.1, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.0 through 7.6.2, FortiSOAR on-premise 7.5.0 through 7.5.1, FortiSOAR on-premise 7.4 all versions, FortiSOAR on-premise 7.3 all versions may allow an attacker who has already gained access to a victim's user account to reset the account credentials without being prompted for the account's password

Attack Complexity: HIGH
Attack Vector: NETWORK
Integrity Impact: HIGH
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: LOW
Confidentiality Impact: NONE
Availability Impact: HIGH

CWE-620 - Unverified Password Change

When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.

References

Advisory Timeline

Published Dec 09, 2025

Unverified Password Change

CVE-2025-59808

Summary

CWE-620 - Unverified Password Change

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS