Cyber Posture

CVE-2025-48418

Medium

Published: 10 March 2026
Modified: 12 March 2026
KEV Added
Patch
CVSS Score: 6.7 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0010 (28.1st percentile)
Risk Priority: 13 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-48418 is a medium-severity Hidden Functionality (CWE-912) vulnerability in Fortinet FortiManager. Its CVSS v3.1 base score is 6.7 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 28.1st percentile by exploit likelihood (EPSS), below the median, and it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068).
Threat & Defense Details

Likely Mitigating Controls (AI-generated)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-912: Documenting every system component at the required granularity and reviewing the inventory helps ensure hidden functionality is detected rather than left in place unnoticed.

Addresses CWE-912: Recovery eliminates hidden functionality or backdoors introduced during compromise.

Addresses CWE-912: Policy requires supplier transparency and testing to detect hidden functionality or backdoors inserted in the supply chain.

Addresses CWE-912: Screening high-risk technical positions lowers the probability that hidden functionality or backdoors will be added by authorized personnel.

Addresses CWE-912: Hunting identifies hidden functionality used for persistence or evasion after initial compromise.

Addresses CWE-912: TSCM (technical surveillance countermeasures) surveys discover and eliminate hidden surveillance functionality that would otherwise remain undetected in the environment.

Addresses CWE-912: Change control, approval gates, and flaw tracking force hidden functionality to be either documented or discovered and removed.

Addresses CWE-912: Vetting and integrity controls during acquisition reduce the likelihood of hidden backdoors or malicious functionality introduced by suppliers.

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

A hidden CLI command lets an authenticated read-only admin escalate privileges by invoking the backdoor functionality directly.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A hidden functionality vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.3, FortiAnalyzer 7.4.0 through 7.4.7, FortiAnalyzer 7.2.0 through 7.2.10, FortiAnalyzer 7.0.0 through 7.0.14, FortiAnalyzer 6.4 all versions, FortiAnalyzer Cloud 7.6.2, FortiAnalyzer Cloud 7.4.1 through 7.4.7, FortiAnalyzer Cloud 7.2.1 through 7.2.10, FortiAnalyzer Cloud 7.0.1 through 7.0.14, FortiAnalyzer Cloud 6.4 all versions, FortiManager 7.6.0 through 7.6.3, FortiManager 7.4.0 through 7.4.7, FortiManager 7.2.0 through 7.2.10, FortiManager 7.0.0 through 7.0.14, FortiManager 6.4 all versions, FortiManager Cloud 7.6.2 through 7.6.3, FortiManager Cloud 7.4.1 through 7.4.7, FortiManager Cloud 7.2.1 through 7.2.10, FortiManager Cloud 7.0.1 through 7.0.14, FortiManager Cloud 6.4 all versions may allow a remote authenticated read-only admin with CLI access to escalate their privilege via use of a hidden command.

Deeper analysis (AI-generated)

CVE-2025-48418 is a hidden functionality vulnerability (CWE-912) affecting multiple versions of Fortinet FortiAnalyzer and FortiManager products, including both on-premises and Cloud deployments. Specifically, it impacts FortiAnalyzer 7.6.0 through 7.6.3, 7.4.0 through 7.4.7, 7.2.0 through 7.2.10, 7.0.0 through 7.0.14, and 6.4 all versions; FortiAnalyzer Cloud 7.6.2, 7.4.1 through 7.4.7, 7.2.1 through 7.2.10, 7.0.1 through 7.0.14, and 6.4 all versions; FortiManager 7.6.0 through 7.6.3, 7.4.0 through 7.4.7, 7.2.0 through 7.2.10, 7.0.0 through 7.0.14, and 6.4 all versions; and FortiManager Cloud 7.6.2 through 7.6.3, 7.4.1 through 7.4.7, 7.2.1 through 7.2.10, 7.0.1 through 7.0.14, and 6.4 all versions. The vulnerability has a CVSS v3.1 base score of 6.7 (AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

A remote authenticated read-only administrator with CLI access can exploit this vulnerability by using a hidden command to escalate privileges. Per the CVSS vector, the attack vector is rated local (AV:L), attack complexity is low, high privileges are required for initial access, and no user interaction is needed; successful exploitation carries high confidentiality, integrity, and availability impacts.

Fortinet's PSIRT advisory (FG-IR-26-081) provides details on mitigation and patching; security practitioners should consult this reference for specific remediation steps.

Details

CWE(s): CWE-912 (Hidden Functionality)

Affected Products

fortinet / fortimanager: 6.4.0 — 7.0.15 · 7.2.0 — 7.2.11 · 7.4.0 — 7.4.8
fortinet / fortimanager cloud: 6.4.1 — 7.0.15 · 7.2.1 — 7.2.11 · 7.4.1 — 7.4.8
fortinet / fortianalyzer: 6.4.0 — 7.0.15 · 7.2.0 — 7.2.11 · 7.4.0 — 7.4.8
fortinet / fortianalyzer cloud: 7.6.2 · 6.4.1 — 7.0.15 · 7.2.1 — 7.2.11 · 7.4.1 — 7.4.8

CVEs Like This One

CVE-2025-68648 · Same product: Fortinet FortiAnalyzer
CVE-2024-35275 · Same product: Fortinet FortiAnalyzer
CVE-2024-45331 · Same product: Fortinet FortiAnalyzer
CVE-2024-46662 · Same product: Fortinet FortiManager
CVE-2024-35273 · Same product: Fortinet FortiAnalyzer
CVE-2024-33503 · Same product: Fortinet FortiAnalyzer
CVE-2024-50563 · Same product: Fortinet FortiAnalyzer
CVE-2025-61848 · Same product: Fortinet FortiAnalyzer
CVE-2024-35276 · Same product: Fortinet FortiAnalyzer
CVE-2024-40584 · Same product: Fortinet FortiAnalyzer

References