Security News

Cybersecurity news aggregator

MEDIUM Vulnerabilities Fortinet PSIRT

Insecure Exposure of Plaintext Passwords in Debug Logs

  • What: Plaintext password exposure in debug logs
  • Impact: Malicious administrators can access user secrets

Summary

A Cleartext Storage of Sensitive Information vulnerability [CWE-312] in FortiMail, FortiVoice and FortiRecorder debug logs may allow an authenticated malicious administrator to obtain user's secrets via CLI commands.

| Version | Affected | Solution |
|---|---|---|
| FortiMail 7.6 | 7.6.0 through 7.6.2 | Upgrade to 7.6.3 or above |
| FortiMail 7.4 | 7.4.0 through 7.4.4 | Upgrade to 7.4.5 or above |
| FortiMail 7.2 | 7.2.0 through 7.2.7 | Upgrade to 7.2.8 or above |
| FortiMail 7.0 | 7.0.0 through 7.0.8 | Upgrade to 7.0.9 or above |
| FortiRecorder 7.2 | 7.2.0 through 7.2.3 | Upgrade to 7.2.4 or above |
| FortiRecorder 7.0 | 7.0 all versions | Migrate to a fixed release |
| FortiRecorder 6.4 | 6.4 all versions | Migrate to a fixed release |
| FortiVoice 7.4 | Not affected | Not Applicable |
| FortiVoice 7.2 | 7.2.0 | Upgrade to 7.2.1 or above |
| FortiVoice 7.0 | 7.0.0 through 7.0.6 | Upgrade to 7.0.7 or above |

Acknowledgement

Discovered during an independent audit commissioned by Fortinet.

Timeline

2026-03-10: Initial publication

  • IR Number: FG-IR-26-080
  • Published Date: Mar 10, 2026
  • Component: CLI
  • Severity: Low
  • CVSSv3 Score: 3.8
  • Impact: Information disclosure
  • CVE ID: CVE-2025-55717
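To triage a device inventory against the affected-version table above, the following is an added example, not part of the advisory or any Fortinet tooling. The inventory entries, the function names and the assumption that versions are reported as major.minor.patch (optionally prefixed with "v") are constructed for illustration.

```python
import re

# Affected matrix transcribed from the advisory table (FG-IR-26-080).
# (product, (major, minor)) -> (first affected patch, last affected patch, fixed version)
# last=None: every release on the branch is affected, no in-branch fix is listed.
AFFECTED = {
    ("FortiMail", (7, 6)): (0, 2, "7.6.3"),
    ("FortiMail", (7, 4)): (0, 4, "7.4.5"),
    ("FortiMail", (7, 2)): (0, 7, "7.2.8"),
    ("FortiMail", (7, 0)): (0, 8, "7.0.9"),
    ("FortiRecorder", (7, 2)): (0, 3, "7.2.4"),
    ("FortiRecorder", (7, 0)): (0, None, None),
    ("FortiRecorder", (6, 4)): (0, None, None),
    ("FortiVoice", (7, 2)): (0, 0, "7.2.1"),
    ("FortiVoice", (7, 0)): (0, 6, "7.0.7"),
}
NOT_AFFECTED = {("FortiVoice", (7, 4))}  # listed explicitly as not affected

def triage(product, version):
    """Return (status, action); status is affected, fixed, not-affected or unknown."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        return ("unknown", "unparseable version string")
    major, minor, patch = map(int, m.groups())
    key = (product, (major, minor))
    if key in NOT_AFFECTED:
        return ("not-affected", "none")
    if key not in AFFECTED:
        # Branches the advisory does not mention are not assumed safe.
        return ("unknown", "branch not listed in the advisory")
    first, last, fixed = AFFECTED[key]
    if last is None:
        return ("affected", "migrate to a fixed release")
    if first <= patch <= last:
        return ("affected", f"upgrade to {fixed} or above")
    return ("fixed", "none")

def affected_hosts(inventory):
    """Return [(host, product, version, action)] for devices needing work."""
    rows = [(h, p, v, *triage(p, v)) for h, p, v in inventory]
    return [(h, p, v, action) for h, p, v, status, action in rows if status == "affected"]

# Constructed sample inventory: (hostname, product, reported version).
INVENTORY = [("mail-gw-1", "FortiMail", "7.4.4"), ("mail-gw-2", "FortiMail", "v7.6.3"),
             ("nvr-1", "FortiRecorder", "6.4.5"), ("pbx-1", "FortiVoice", "7.4.1")]

if __name__ == "__main__":
    for row in affected_hosts(INVENTORY):
        print(*row, sep="\t")
```

Devices that come back as "unknown" need a manual check against the vendor advisory rather than being treated as unaffected.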
