CVE Alert: CVE-2025-53951 – Fortinet – FortiDLP
CVE-2025-53951
An Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability [CWE-22] in Fortinet FortiDLP Agent’s Outlookproxy plugin for Windows 11.5.1 and 11.4.2 through 11.4.6 and 11.3.2 through 11.3.4 and 11.2.0 through 11.2.3 and 11.1.1 through 11.1.2 and 11.0.1 and 10.5.1 and 10.4.0, and 10.3.1 may allow an authenticated attacker to escalate their privilege to LocalService via sending a crafted request to a local listening port.
AI Summary Analysis
Risk verdict
Moderate risk to affected deployments with local privilege escalation potential; patching should be planned promptly, though no active exploitation signals are evident.
Why this matters
An authenticated user can exploit a local path traversal flaw in the FortiDLP Agent’s Outlookproxy plugin to elevate to LocalService, potentially manipulating sensitive processing on endpoints. In environments relying on FortiDLP with Outlook integration, this can undermine data handling and trust boundaries on affected Windows hosts.
Most likely attack path
The attacker must already have authenticated access to the host and be able to send a crafted request to the local listening port used by the Outlookproxy component. Successful exploitation grants LocalService privileges, enabling limited post-exploitation actions on that host. The vulnerability is local, requires no user interaction, and its scope remains on the same device, so it does not by itself enable lateral movement; it is still risky where an adversary already has a foothold.
Who is most exposed
Endpoints where FortiDLP Agent and the Outlookproxy plugin are installed on Windows, particularly in organisations tightly integrated with Microsoft Outlook workflows and data-loss protection policies.
Detection ideas
- Monitor for anomalous requests to the local FortiDLP Outlookproxy port (localhost/127.0.0.1).
- Look for privilege-escalation patterns targeting LocalService ownership or unexpected process spawns from FortiDLP components.
- Correlate FortiDLP and Windows security logs for unusual file access or traversal attempts on agent-protected paths.
- Detect repeated or crafted requests that precede service privilege changes.
- Flag unexpected network activity from hosts with FortiDLP Outlookproxy enabled.
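The detection ideas above, worked into a small correlation check as an added example (not from the original alert and not Fortinet's code): it flags loopback requests carrying a raw or percent-encoded `..` segment and pairs each LocalService process spawn from an agent component with the earliest such request in the preceding window. The port, process names and log shapes are constructed placeholders, not real FortiDLP or Windows formats.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events in a simplified common shape (time, kind, details).
# "request" lines stand for requests seen on the agent's loopback listener,
# "process" lines for Windows process-creation events. Port and names are placeholders.
SAMPLE_EVENTS = [
    ("2025-01-01T10:00:00", "request", "127.0.0.1:9005 GET /export/report.txt"),
    ("2025-01-01T10:00:05", "request", "127.0.0.1:9005 GET /export/..\\..\\Windows\\Temp\\x.dll"),
    ("2025-01-01T10:00:06", "request", "127.0.0.1:9005 GET /export/%2e%2e%2f%2e%2e%2fsvc.exe"),
    ("2025-01-01T10:00:40", "process", "user=NT AUTHORITY\\LOCAL SERVICE parent=outlookproxy.exe image=cmd.exe"),
    ("2025-01-01T11:30:00", "process", "user=NT AUTHORITY\\LOCAL SERVICE parent=svchost.exe image=taskhostw.exe"),
]

# Two dots then a separator, each piece either raw or percent-encoded.
TRAVERSAL = re.compile(r"(?:%2e|\.){2}(?:%2f|%5c|[\\/])", re.IGNORECASE)

# Agent component binaries from which a LocalService child is unexpected
# (placeholder name; take the real list from the deployed agent).
AGENT_PARENTS = {"outlookproxy.exe"}

def is_traversal_request(details):
    """True for a loopback request whose path carries a traversal segment."""
    return details.startswith("127.0.0.1:") and TRAVERSAL.search(details) is not None

def is_localservice_spawn(details):
    """True when a process runs as LOCAL SERVICE with an agent component as parent."""
    m = re.match(r"user=(.*?) parent=(\S+) image=(\S+)$", details)
    if not m:
        return False
    user, parent, _image = m.groups()
    return user.upper().endswith("LOCAL SERVICE") and parent.lower() in AGENT_PARENTS

def correlate(events, window=timedelta(minutes=5)):
    """Pair each suspicious LocalService spawn with the earliest traversal
    request seen within `window` before it. Events must be in time order."""
    hits, recent = [], []
    for ts, kind, details in events:
        t = datetime.fromisoformat(ts)
        if kind == "request" and is_traversal_request(details):
            recent.append(t)
        elif kind == "process" and is_localservice_spawn(details):
            recent = [r for r in recent if t - r <= window]  # drop stale requests
            if recent:
                hits.append((recent[0].isoformat(), ts))
    return hits
```

Running `correlate(SAMPLE_EVENTS)` yields one pair (the 10:00:05 request and the 10:00:40 spawn); the later svchost-parented spawn is left alone because its parent is not an agent component.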
Mitigation and prioritisation
- Patch to FortiDLP 12.0.0 or above; schedule coordinated rollout across endpoints.
- Restrict local port exposure and validate the necessity of the Outlookproxy plugin; disable where not needed.
- Apply least-privilege principles to FortiDLP Agent and its service account; audit service permissions.
- Enhance monitoring around FortiDLP components and LocalService privilege changes; implement real-time alerts.
- Plan change-management communications and test in a staging environment before production deployment.