VYPR
Medium severity · 5.8 · NVD Advisory · Published Mar 10, 2026 · Updated Apr 9, 2026

CVE-2025-54659

Description

An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability [CWE-22] in Fortinet FortiSOAR Agent Communication Bridge 1.1.0 and FortiSOAR Agent Communication Bridge 1.0 (all versions) may allow an unauthenticated attacker to read files accessible to the fortisoar user on a system where the agent is deployed, by sending a crafted request to the agent port.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A path traversal in FortiSOAR Agent Communication Bridge allows an unauthenticated attacker to read files accessible to the fortisoar user on the host where the agent runs.

Vulnerability details

An Improper Limitation of a Pathname to a Restricted Directory (CWE-22) vulnerability exists in FortiSOAR Agent Communication Bridge versions 1.0 and 1.1.0. The root cause is insufficient validation of the pathname supplied in a request: the resolved path is not confined to the directory the agent is meant to serve from, so traversal sequences in the request can reach files outside it.

Exploitation

An unauthenticated attacker who can reach the agent communication port can exploit this by sending a specially crafted request to it. No credentials are required; network reachability of the agent port is the only precondition the description states.
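The CWE-22 pattern behind the details and exploitation sections above, as an added illustration that is not FortiSOAR code: a hypothetical agent file handler that joins the request path onto its base directory without confinement, beside the hardened form that canonicalizes the path and rejects anything resolving outside the base. The handler, the directory layout, the file names and the request strings are all constructed for this example; nothing here reproduces the actual crafted request against the product.

```python
import os
import shutil
import tempfile
import urllib.parse

# Hypothetical agent file handler (constructed for this example; not FortiSOAR code).
# Only the path-resolution step is modeled: the server receives a request path and
# must serve a file from its base directory and nothing else.


def resolve_unsafe(base_dir: str, requested: str) -> str:
    """CWE-22 pattern: join the request path onto the base directory and trust
    the result. '..' segments, an absolute request path, or a symlink inside
    base_dir all let the caller reach files outside it."""
    return os.path.normpath(os.path.join(base_dir, requested))


def resolve_safe(base_dir: str, requested: str) -> str:
    """Hardened form: decode once, refuse absolute paths, canonicalize with
    realpath (which resolves '..' and symlinks), then require the result to
    sit under the canonical base directory."""
    decoded = urllib.parse.unquote(requested)
    if os.path.isabs(decoded):
        raise PermissionError(f"absolute path not allowed: {requested!r}")
    root = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(root, decoded))
    # commonpath compares whole path components, so a sibling directory such as
    # '<root>_backup' does not pass the way a str.startswith() check would.
    if os.path.commonpath([root, target]) != root:
        raise PermissionError(f"path escapes base directory: {requested!r}")
    return target


def demo() -> dict:
    """Build a throwaway directory tree and compare both resolvers on a set of
    constructed request paths. Returns {request: (unsafe_escapes, safe_rejected)}."""
    outer = tempfile.mkdtemp()
    try:
        base = os.path.join(outer, "agent_files")
        os.mkdir(base)
        with open(os.path.join(base, "status.json"), "w") as f:
            f.write("{}")
        secret = os.path.join(outer, "secret.txt")  # outside the served directory
        with open(secret, "w") as f:
            f.write("token=constructed-example\n")
        # A symlink inside the served directory that points outside it.
        os.symlink(secret, os.path.join(base, "link"))

        requests = [
            "status.json",          # legitimate request
            "../secret.txt",        # classic traversal
            "%2e%2e/secret.txt",    # URL-encoded '..'
            "link",                 # symlink escape
            "/etc/hostname",        # absolute path
        ]
        root = os.path.realpath(base)
        results = {}
        for req in requests:
            # Model a server that URL-decodes the path and then does the unsafe join.
            unsafe = os.path.realpath(resolve_unsafe(base, urllib.parse.unquote(req)))
            escapes = os.path.commonpath([root, unsafe]) != root
            try:
                resolve_safe(base, req)
                rejected = False
            except PermissionError:
                rejected = True
            results[req] = (escapes, rejected)
        return results
    finally:
        shutil.rmtree(outer)


if __name__ == "__main__":
    for req, (escapes, rejected) in demo().items():
        print(f"{req:22s} unsafe escapes base: {escapes!s:5}  hardened rejects: {rejected}")
```

The hardened resolver applies realpath to both the base and the target, so a symlink planted inside the served directory cannot redirect a read outside it, and it decodes the request exactly once, so a double-encoded sequence such as %252e stays a literal file name that does not exist rather than turning into a traversal on a second decode.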

Impact

Successful exploitation allows the attacker to read any file that the fortisoar user has access to on the system where the agent is deployed. This could expose sensitive configuration files, credentials, or other confidential data.

Mitigation

Fortinet has released FortiSOAR Agent Communication Bridge 1.1.1, which fixes this vulnerability. Users on 1.1.0 should upgrade to 1.1.1; users on 1.0 should migrate to a fixed release. Refer to the advisory [1] for details. Until the upgrade is applied, limiting network reachability of the agent port to the hosts that legitimately need it reduces exposure, since the flaw is reachable without authentication.

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • cpe:2.3:a:fortinet:fortisoar_agent_communication_bridge:1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:fortinet:fortisoar_agent_communication_bridge:1.1:*:*:*:*:*:*:*
  • (no CPE) range: <=1.1.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (1)

News mentions

No linked articles in our index yet.