Fortinet Releases August Security Patches Addressing Multiple Vulnerabilities

Fortinet has released 14 new security advisories. The most critical addresses CVE-2025-25256, a FortiSIEM vulnerability that allows an unauthenticated remote attacker to execute arbitrary code or commands via specially crafted CLI requests. Fortinet reports that working exploit code for this flaw has been found in the wild; although no malicious exploitation has been reported so far, a public proof-of-concept (PoC) is already available, so exposed instances should be treated as at immediate risk.

Technical Description

Fortinet has disclosed and patched multiple security issues affecting FortiOS, FortiProxy, FortiPAM, FortiManager, FortiAnalyzer, FortiSIEM, and other products. These vulnerabilities range from arbitrary file overwrite, authentication bypass, and privilege escalation to integer overflow, denial of service, and remote command injection; for one of them, CVE-2025-25256 in FortiSIEM, working exploit code is already circulating in the wild. If left unpatched, these flaws could enable remote code execution, data breaches, integrity violations, privilege misuse, or complete service disruption.

CVE              Description                                                      Severity
CVE-2024-52964   Arbitrary file overwrite via path traversal (CWE-22) in FGFMd    Medium
CVE-2024-40588   Multiple relative path traversals (CWE-23) in CLI                Medium
CVE-2025-52970   Authentication bypass via invalid parameter (CWE-233)            High
CVE-2025-27759   OS command injection (CWE-78) in CLI                             Medium
CVE-2025-47857   OS command injection (CWE-78) in CLI command                     Medium
CVE-2023-45584   Double free (CWE-415) in automation-stitch                       Medium
CVE-2025-53744   Incorrect privilege assignment (CWE-266) in Security Fabric      Medium
CVE-2025-25248   Integer overflow (CWE-190) in SSL-VPN bookmarks                  Medium
CVE-2025-49813   OS command injection (CWE-78) via GET parameter                  Medium
CVE-2024-48892   Path traversal (CWE-23) in Solution Pack upload                  Medium
CVE-2025-25256   Remote unauthenticated OS command injection (CWE-78)             Critical
CVE-2025-32766   Stack buffer overflow (CWE-121) in CLI command                   Medium
CVE-2024-26009   Authentication bypass using alternate path/channel (CWE-288)     High
CVE-2025-32932   Cross-site scripting (CWE-79) in service requests                Medium

Arbitrary File Overwrite via Path Traversal (CWE-22) – CVE-2024-52964:

An arbitrary file overwrite vulnerability exists in the FGFMd component of FortiManager and FortiManager Cloud. This flaw allows attackers to manipulate pathnames to overwrite files on the system, potentially leading to configuration tampering or service disruption.

Relative Path Traversal (CWE-23) – CVE-2024-40588 / CVE-2024-48892:

Multiple relative path traversal vulnerabilities were identified in the CLI of FortiCamera, FortiMail, FortiNDR, FortiRecorder, and FortiVoice (CVE-2024-40588). A separate path traversal affects the Solution Pack upload function in FortiSOAR (CVE-2024-48892). In both cases an attacker who controls part of a file path can read or write files outside the intended directory and potentially reach sensitive system areas.
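The three path-traversal entries above (the CWE-22 file overwrite in FGFMd and the CWE-23 traversals in the CLI and in Solution Pack upload) share one root cause: a user-supplied path fragment is joined to a base directory without confirming that the result still lies inside it. The following Python is an added illustration of the weak join beside a hardened one; it is not Fortinet code and is not derived from the patched products, and the base directory and file names are constructed for the example.

```python
import posixpath

# Hypothetical directory the service is supposed to confine file access to.
BASE_DIR = "/var/lib/app/uploads"


def vulnerable_path(base: str, user_path: str) -> str:
    """The weak pattern: a bare join.

    posixpath.join() discards `base` entirely when `user_path` is absolute,
    and never examines ".." segments, so "/etc/passwd" and
    "../../../etc/passwd" both resolve outside `base`.
    """
    return posixpath.join(base, user_path)


def safe_path(base: str, user_path: str) -> str:
    """Hardened join: normalise, then prove containment.

    Rejects absolute input, NUL bytes, and any result that does not share
    `base` as its common prefix by path component (so a sibling directory
    such as "/var/lib/app/uploads_evil" cannot pass a naive startswith()).
    On a real filesystem resolve symlinks first (os.path.realpath); posixpath
    is used here so the check behaves identically on every OS.
    """
    if "\x00" in user_path:
        raise ValueError("NUL byte in path")
    if posixpath.isabs(user_path):
        raise ValueError("absolute paths are not allowed")
    base_norm = posixpath.normpath(base)
    candidate = posixpath.normpath(posixpath.join(base_norm, user_path))
    if posixpath.commonpath([base_norm, candidate]) != base_norm:
        raise ValueError(f"path escapes base directory: {user_path!r}")
    return candidate


def is_traversal(base: str, user_path: str) -> bool:
    """True when the hardened check would reject `user_path`."""
    try:
        safe_path(base, user_path)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs: benign, traversal, absolute and sibling-prefix.
    samples = [
        "reports/2025/q3.csv",
        "a/../b.txt",
        "../../../etc/passwd",
        "/etc/passwd",
        "../uploads_evil/config",
    ]
    for p in samples:
        print(f"{p!r:26} naive={vulnerable_path(BASE_DIR, p)!r:46} "
              f"rejected={is_traversal(BASE_DIR, p)}")
```

The containment test uses commonpath() rather than a string prefix check on purpose: "/var/lib/app/uploads_evil" starts with "/var/lib/app/uploads" as a string but is a different directory.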

Authentication Bypass (CWE-233, CWE-288) – CVE-2025-52970 / CVE-2024-26009:

Authentication bypass flaws exist in FortiWeb (CVE-2025-52970, improper handling of an invalid parameter) and in FortiOS, FortiProxy, FortiPAM, and FortiSwitchManager (CVE-2024-26009, alternate path or channel). An attacker may exploit the mishandled parameter or the alternate access path to bypass authentication, gaining unauthorized access and potentially administrative privileges.

OS Command Injection (CWE-78) – CVE-2025-27759 / CVE-2025-47857 / CVE-2025-49813 / CVE-2025-25256:

OS command injection vulnerabilities affect the CLI and GUI of FortiWeb, FortiADC, and FortiSIEM. Exploitation allows an attacker to execute arbitrary commands on the underlying operating system, typically with the privileges of the affected service, and can lead to full system compromise. Unlike the others, the FortiSIEM flaw (CVE-2025-25256) is reachable by a remote attacker without authentication, which is why it alone is rated Critical.
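CWE-78 arises whenever untrusted input is interpolated into a string that a shell will parse. The following Python is an added example, not code from Fortinet or from any of the affected products: it places the weak pattern (a shell string built from a user-supplied host) beside the hardened form (allow-list validation, an argv list, no shell). The ping wrapper and the sample hosts are constructed for the illustration.

```python
import ipaddress
import re
import subprocess
from typing import List

# RFC 1123 hostname label: letters, digits and hyphens, never starting or
# ending with a hyphen.  No leading "-" also means a validated value cannot
# be mistaken for a command-line option by the program that receives it.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")


def vulnerable_ping_command(host: str) -> str:
    """The weak pattern: untrusted input interpolated into a shell string.

    Run as subprocess.run(cmd, shell=True), the shell parses ';', '|', '$()'
    and backticks, so a host of "127.0.0.1; id" executes `id` after the ping.
    The string is returned rather than executed so the injection can be seen.
    """
    return f"ping -c 1 {host}"


def validate_host(host: str) -> str:
    """Allow-list validation: an IPv4/IPv6 literal or a syntactic hostname.

    Anything else (shell metacharacters, empty labels, option-like strings)
    is rejected before it gets anywhere near a process boundary.
    """
    if not host or len(host) > 253:
        raise ValueError("host is empty or too long")
    try:
        ipaddress.ip_address(host)
        return host
    except ValueError:
        pass
    if not _HOSTNAME_RE.match(host):
        raise ValueError(f"invalid host: {host!r}")
    return host


def is_safe_host(host: str) -> bool:
    """True when validate_host() accepts the value."""
    try:
        validate_host(host)
    except ValueError:
        return False
    return True


def safe_ping_argv(host: str) -> List[str]:
    """Hardened form: validated value, argv list (no shell), '--' ends options."""
    return ["ping", "-c", "1", "--", validate_host(host)]


def run_ping(host: str) -> int:
    """Executes the hardened command.  With shell=False the argv list goes
    straight to execve, so no metacharacter is ever interpreted.  Returns
    the process exit code."""
    return subprocess.run(safe_ping_argv(host), check=False).returncode


if __name__ == "__main__":
    # Constructed inputs: one benign host and three injection attempts.
    for host in ["fw-01.example.net", "127.0.0.1; id", "$(id)", "-f"]:
        print(f"{host!r:22} shell string : {vulnerable_ping_command(host)!r}")
        argv = safe_ping_argv(host) if is_safe_host(host) else "REJECTED"
        print(f"{'':22} hardened argv: {argv}")
```

Validation is deliberately an allow-list rather than a blacklist of shell characters: the set of characters a given shell treats specially is larger than most lists remember, whereas a hostname grammar is small and fixed. Where a shell genuinely cannot be avoided, shlex.quote() on each argument is the fallback, but passing an argv list with shell=False removes the parser from the path entirely.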

Double Free (CWE-415) – CVE-2023-45584:

A double free vulnerability was found in the automation-stitch feature of FortiOS, FortiProxy, and FortiPAM. Improper memory handling can result in application crashes, unexpected behavior, or potential remote code execution under certain conditions.

Incorrect Privilege Assignment (CWE-266) – CVE-2025-53744:

A privilege misconfiguration issue in FortiOS Security Fabric could allow users to obtain higher privileges than intended, enabling unauthorized administrative actions and potential misuse of system controls.

Integer Overflow (CWE-190) – CVE-2025-25248:

An integer overflow vulnerability affects SSL-VPN bookmarks in FortiOS, FortiPAM, and FortiProxy. Exploitation may lead to denial of service or, under certain conditions, arbitrary code execution.

Stack Buffer Overflow (CWE-121) – CVE-2025-32766:

A stack-based buffer overflow was identified in FortiWeb’s CLI. This flaw can be exploited to crash the application or execute arbitrary code with elevated privileges.

Cross-Site Scripting (CWE-79) – CVE-2025-32932:

A reflected XSS vulnerability exists in FortiSOAR service requests. Attackers could inject malicious scripts that execute in the victim’s browser, potentially leading to credential theft, session hijacking, or unauthorized actions in the application interface.

Affected Products:

  • FortiOS (multiple branches 6.0, 6.2, 6.4, 7.0, 7.2, 7.4, 7.6)
  • FortiWeb (versions 7.0, 7.2, 7.4, 7.6)
  • FortiManager (6.4, 7.0, 7.2, 7.4, 7.6)
  • FortiManager Cloud (7.0, 7.2, 7.4)
  • FortiProxy (7.0, 7.2, 7.4, 7.6)
  • FortiPAM (1.0, 1.1, 1.2, 1.3, 1.4, 1.5)
  • FortiSIEM (5.4, 6.1–6.7, 7.0–7.3)
  • FortiADC (6.2, 7.1.0–7.1.1, 7.2.0)
  • FortiSOAR (7.3–7.6)
  • FortiMail (6.4, 7.0, 7.2, 7.4, 7.6)
  • FortiVoice (6.0, 6.4, 7.0)
  • FortiRecorder (6.4, 7.0, 7.2)
  • FortiCamera (2.0, 2.1)
  • FortiNDR (7.0, 7.1, 7.2, 7.4, 7.6)

Patched Products / Fixed Versions

Where a branch lists more than one version (for example FortiOS 7.0.14+ and 7.0.16+), the advisories fixed in that branch have different fix releases; upgrading to the highest listed version in the branch covers all of them. Branches shown only as "fixed release" have no version number in the summary, so consult the individual advisory.

  • FortiOS: 6.4.16+, 6.2.17+, 7.0.14+, 7.0.16+, 7.2.9+, 7.2.10+, 7.2.11+, 7.4.3+, 7.4.4+, 7.4.8+, 7.6.3+
  • FortiWeb: 7.0.11+, 7.2.11+, 7.4.8+, 7.4.9+, 7.6.4+, 7.6.5+
  • FortiManager: 7.0.14+, 7.2.10+, 7.2.11+, 7.4.6+, 7.4.7+, 7.6.2+, 7.6.3+
  • FortiManager Cloud: 7.0.x fixed release, 7.2.10+, 7.4.6+
  • FortiProxy: 7.0.x fixed release, 7.2.x fixed release, 7.4.3+, 7.4.4+, 7.6.3+
  • FortiPAM: 1.4.3+, 1.5.1+ (others require migration to fixed release)
  • FortiSIEM: 6.7.10+, 7.0.4+, 7.1.8+, 7.2.6+, 7.3.2+
  • FortiADC: 7.1.2+, 7.2.1+
  • FortiSOAR: 7.5.2+, 7.6.1+, 7.6.2+
  • FortiMail: 7.0.10+, 7.2.x fixed release, 7.4.4+, 7.6.2+
  • FortiVoice: 6.4.12+, 7.0.8+
  • FortiRecorder: 7.0.5+, 7.2.2+
  • FortiCamera: 2.0.1+
  • FortiNDR: 7.4.7+, 7.6.1+
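Because several advisories land in the same branch with different fix releases, checking an inventory against the list above by eye is error-prone. The following Python is an added example, not a Fortinet tool: it transcribes the numbered fixed versions from the list above, takes a product name and a running version in the form major.minor.patch (an assumption about how the inventory records versions), and reports whether the build is at or above the highest fix listed for its branch. Branches the list gives only as "fixed release" are omitted on purpose and are reported as needing an advisory lookup; the inventory in the main block is constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed versions transcribed from the list above, trailing "+" dropped.
# Entries the list gives only as "x.y.x fixed release" carry no number and are
# deliberately absent: for those branches consult the PSIRT advisory itself.
FIXED_VERSIONS: Dict[str, List[str]] = {
    "FortiOS": ["6.2.17", "6.4.16", "7.0.14", "7.0.16", "7.2.9", "7.2.10",
                "7.2.11", "7.4.3", "7.4.4", "7.4.8", "7.6.3"],
    "FortiWeb": ["7.0.11", "7.2.11", "7.4.8", "7.4.9", "7.6.4", "7.6.5"],
    "FortiManager": ["7.0.14", "7.2.10", "7.2.11", "7.4.6", "7.4.7", "7.6.2", "7.6.3"],
    "FortiManager Cloud": ["7.2.10", "7.4.6"],
    "FortiProxy": ["7.4.3", "7.4.4", "7.6.3"],
    "FortiPAM": ["1.4.3", "1.5.1"],
    "FortiSIEM": ["6.7.10", "7.0.4", "7.1.8", "7.2.6", "7.3.2"],
    "FortiADC": ["7.1.2", "7.2.1"],
    "FortiSOAR": ["7.5.2", "7.6.1", "7.6.2"],
    "FortiMail": ["7.0.10", "7.4.4", "7.6.2"],
    "FortiVoice": ["6.4.12", "7.0.8"],
    "FortiRecorder": ["7.0.5", "7.2.2"],
    "FortiCamera": ["2.0.1"],
    "FortiNDR": ["7.4.7", "7.6.1"],
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\+?$")


def parse_version(text: str) -> Tuple[int, int, int]:
    """'7.2.11' or '7.2.11+' -> (7, 2, 11).  Tuples compare numerically, so
    7.4.10 correctly sorts above 7.4.8 where a string compare would not."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def required_version(product: str, running: str) -> Optional[Tuple[int, int, int]]:
    """Highest fix release listed for the running build's major.minor branch.

    Several advisories can land in one branch with different fix releases
    (FortiOS 7.0.14 and 7.0.16, for example); only the highest covers them
    all.  None means no fix release is listed for that branch: the device
    needs a migration to a supported branch, not a patch.
    """
    if product not in FIXED_VERSIONS:
        raise ValueError(f"unknown product: {product!r}")
    branch = parse_version(running)[:2]
    candidates = [parse_version(v) for v in FIXED_VERSIONS[product]
                  if parse_version(v)[:2] == branch]
    return max(candidates) if candidates else None


def is_fixed(product: str, running: str) -> Tuple[bool, Optional[str]]:
    """Returns (fixed, required), where required is 'x.y.z' or None (migrate)."""
    req = required_version(product, running)
    if req is None:
        return False, None
    return parse_version(running) >= req, ".".join(map(str, req))


if __name__ == "__main__":
    # Constructed inventory; these are not real devices.
    inventory = [
        ("FortiOS", "7.0.15"),
        ("FortiOS", "7.4.10"),
        ("FortiSIEM", "7.3.1"),
        ("FortiSIEM", "6.5.3"),
        ("FortiPAM", "1.3.2"),
    ]
    for product, running in inventory:
        fixed, req = is_fixed(product, running)
        if req is None:
            verdict = "NO FIX RELEASE LISTED FOR BRANCH - migrate"
        else:
            verdict = "patched" if fixed else f"VULNERABLE - upgrade to {req}"
        print(f"{product:<12} {running:<8} {verdict}")
```

The branch match is on major.minor only, which mirrors how the advisories are written: a 7.0.15 FortiOS build is past the 7.0.14 fix for one advisory but short of the 7.0.16 fix for another, and the checker correctly reports 7.0.16 as the target.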

Conclusion:

These vulnerabilities present significant security risks. They threaten confidentiality (authentication bypass, path traversal, cross-site scripting), integrity (arbitrary file overwrite, OS command injection, incorrect privilege assignment), and availability (crashes and denial of service from the double free, integer overflow, and stack buffer overflow), with the memory-corruption flaws also carrying a code-execution risk. The working exploit code already circulating for CVE-2025-25256 in FortiSIEM, together with its public PoC, notably elevates the threat level and makes immediate patch deployment critical to reduce exposure.

Impact

The newly disclosed Fortinet vulnerabilities could allow attackers to gain unauthorized access, execute arbitrary commands remotely, and escalate privileges on affected systems. Successful exploitation may lead to data theft, service disruption, or complete system compromise. The public PoC and the exploit code found in the wild for CVE-2025-25256 make that FortiSIEM flaw the most urgent to address. Without prompt remediation, organizations face heightened risks to confidentiality, integrity, and availability.

IOC and Context Details

Topic                    Details
Tactic Name              NA
Technique Name           NA
Sub-Technique Name       NA
Attack Type              Vulnerability
Targeted Applications    Fortinet
Region Impacted          Global
Industry Impacted        All
IOCs                     NA
CVEs                     CVE-2025-32766, CVE-2025-25256, CVE-2025-26466, CVE-2025-52970, CVE-2024-40588,
                         CVE-2024-48892, CVE-2025-53744, CVE-2025-32932, CVE-2025-47857, CVE-2024-52964,
                         CVE-2024-26009, CVE-2023-45584, CVE-2025-25248, CVE-2025-49813, CVE-2025-27759

Recommended Actions

  • Apply vendor-released patches immediately or upgrade to the secure versions for all affected products.
  • Limit network access to management interfaces and sensitive service ports such as FGFM (TCP/541); these should not be reachable from the internet.
  • Review and tighten administrative privilege assignments and Security Fabric device registrations to prevent unauthorized privilege escalation.
  • Continuously monitor for unusual FGFM and CLI activity, with particular focus on FortiSIEM environments.
  • Implement intrusion detection signatures to identify exploitation attempts targeting CVE-2025-25256.

References

https://www.fortiguard.com/psirt