Insertion of Sensitive 2FA Information in logs and debug command

Low Risk | CVSS 2.6 | FG-IR-24-452 | Oct 14, 2025
Vendor: Fortinet
IT in OT - Fortinet products are commonly deployed at IT/OT network boundaries
Attack path
  • Attack Vector: Network
  • Auth Required: High
  • Complexity: Low
  • User Interaction: None needed
Summary

Plain text 2FA-related sensitive information (tokens, backup codes) is stored in debug logs and device logs in FortiOS and FortiProxy. An administrator with access to logs or debug output can view unencrypted 2FA secrets. Affected versions include FortiOS 7.6.0–7.6.3, 7.4, 7.2, 7.0, 6.4, and FortiProxy 7.6.0–7.6.3, 7.4.0–7.4.13, 7.2, 7.0. Fixed versions are FortiOS 7.6.4+ and FortiProxy 7.6.4+, 7.4.14+; older version lines (7.4, 7.2, 7.0, 6.4 FortiOS; 7.2, 7.0 FortiProxy) require migration to a supported release.

What this means
What could happen
An administrator with access to device logs or debug output could view two-factor authentication secrets and backup codes, potentially allowing account takeover. This creates a secondary exposure path if log files are not properly protected.
Who's at risk
Operators of Fortinet FortiOS and FortiProxy appliances used as edge firewalls, VPN gateways, or authentication servers in utility and critical infrastructure networks. Risk is heightened in environments where administrative accounts are widely shared, logs are centrally collected, or security staff have high turnover.
How it could be exploited
An attacker with administrative access to the device (or access to collected logs/debug files) could view unencrypted 2FA tokens and backup codes stored in plain text. These credentials could then be used to bypass authentication on accounts protected by that device.
Prerequisites
  • Administrative access to FortiOS or FortiProxy device or its logs
  • Access to debug output or log files stored on the device or exported to external systems
  • Knowledge of which accounts use the exposed 2FA credentials
Key points
  • Information disclosure from logs and debug output
  • Requires high-privilege access (administrative credentials)
  • Older versions have no vendor patch available
  • Could enable account takeover if 2FA credentials are exposed
Exploitability
Unlikely to be exploited — EPSS score 0.3%
Affected products (9)
9 with fix
Product       Affected Versions     Fix Status
FortiOS       7.6.0 - 7.6.3         7.6.4+
FortiOS       7.4 all versions      Migrate to fixed release
FortiOS       7.2 all versions      Migrate to fixed release
FortiOS       7.0 all versions      Migrate to fixed release
FortiOS       6.4 all versions      Migrate to fixed release
FortiProxy    7.6.0 - 7.6.3         7.6.4+
FortiProxy    7.4.0 - 7.4.13        7.4.14+
FortiProxy    7.2 all versions      Migrate to fixed release
FortiProxy    7.0 all versions      Migrate to fixed release
Remediation & Mitigation

Do now
  • WORKAROUND: Disable debug logging on production devices or ensure debug output is not exported to unencrypted storage

Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

FortiOS
  • HOTFIX: Update FortiOS to 7.6.4 or later if running 7.6.0–7.6.3
  • HOTFIX: For FortiOS versions 7.4, 7.2, 7.0, and 6.4 with no available patch, plan migration to a supported and patched release

FortiProxy
  • HOTFIX: Update FortiProxy to 7.6.4 or later if running 7.6.0–7.6.3
  • HOTFIX: Update FortiProxy to 7.4.14 or later if running 7.4.0–7.4.13

Long-term hardening
  • HARDENING: Restrict administrative access to Fortinet devices and log files to only authorized personnel with documented need