CVE-2025-25249
January 15, 2026

Heap-Based Buffer Overflow in Fortinet Products

Security Advisory
Kudelski Security Team

Summary

A critical heap-based buffer overflow vulnerability, identified as CVE-2025-25249, has been discovered in multiple Fortinet products, including FortiOS and FortiSwitchManager. This vulnerability allows unauthenticated remote attackers to execute arbitrary code or commands on affected systems, posing a significant threat to the confidentiality, integrity, and availability of the impacted infrastructure. As of the latest information, there is no public proof-of-concept exploit available. However, the potential for exploitation remains high due to the nature of the vulnerability.

Affected Systems and/or Applications

The vulnerability affects the following Fortinet products and versions:

  • FortiOS:
    • Versions 6.4.0 through 6.4.16
    • Versions 7.0.0 through 7.0.17
    • Versions 7.2.0 through 7.2.11
    • Versions 7.4.0 through 7.4.8
    • Versions 7.6.0 through 7.6.3
  • FortiSwitchManager:
    • Versions 7.0.0 through 7.0.5
    • Versions 7.2.0 through 7.2.6
  • FortiSASE:
    • Version 25.1.a.2
    • Version 25.2.b

You can also use the following Nessus plugin to check whether your Fortinet FortiGate is vulnerable.

Technical Details

The vulnerability resides in the cw_acd daemon of the affected Fortinet products. It is classified under CWE-122: Heap-based Buffer Overflow. This flaw can be exploited by sending specially crafted network packets to the vulnerable system, allowing attackers to execute unauthorized code or commands. The attack does not require authentication or user interaction, and the attack complexity is rated as high.

Mitigation

Fortinet has released patches to address this vulnerability. It is strongly recommended that organizations apply the following updates immediately to mitigate potential exploitation risks:

  • FortiOS:
    • Upgrade to version 6.4.17 or later
    • Upgrade to version 7.0.18 or later
    • Upgrade to version 7.2.12 or later
    • Upgrade to version 7.4.9 or later
    • Upgrade to version 7.6.4 or later
  • FortiSwitchManager:
    • Upgrade to version 7.0.6 or later
    • Upgrade to version 7.2.7 or later
  • FortiSASE:
    • Migrate to a fixed release for version 25.1.a.2
    • Upgrade to version 25.2.c or later for version 25.2.b

For organizations unable to apply patches immediately, temporary workarounds include removing "fabric" access from system interfaces, i.e. changing:

config system interface
edit "port1"
set allowaccess fabric ssh https
next
end

to

config system interface
edit "port1"
set allowaccess ssh https
next
end

and implementing a local-in policy that accepts CAPWAP-CONTROL traffic (UDP ports 5246-5249) only from trusted device addresses and denies it from every other source:

config firewall service custom
edit "CAPWAP-CONTROL"
set udp-portrange 5246-5249
next
end
config firewall addrgrp
edit "CAPWAP_DEVICES_IPs"
set member "my_allowed_addresses"
next
end
config firewall local-in-policy
# policy 1: allow from trusted devices
edit 1
# port1 is the interface where fabric is enabled
set intf "port1"
set srcaddr "CAPWAP_DEVICES_IPs"
set dstaddr "all"
set service "CAPWAP-CONTROL"
set schedule "always"
set action accept
next
# policy 2: block everyone else
edit 2
# port1 is the interface where fabric is enabled
set intf "port1"
set srcaddr "all"
set dstaddr "all"
set service "CAPWAP-CONTROL"
set schedule "always"
set action deny
next
end
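To check a FortiOS configuration export against the affected-version table above and the "fabric" workaround, here is an added Python example; it is not part of this advisory or of Fortinet's tooling. It assumes the standard `#config-version=` header line of a FortiOS configuration backup, and the sample configuration it parses is constructed for illustration.

```python
import re

# Constructed sample of a FortiOS configuration backup (not from the advisory):
# the build is 7.4.8, port1 still exposes "fabric", port2 does not.
SAMPLE_CONFIG = """\
#config-version=FGT60F-7.4.8-FW-build2795-250523:opmode=0:vdom=0:user=admin
config system interface
    edit "port1"
        set ip 192.0.2.1 255.255.255.0
        set allowaccess ping https ssh fabric
    next
    edit "port2"
        set allowaccess ping https
    next
end
"""

# Affected FortiOS ranges from the advisory: (major, minor) -> (first, last patch)
AFFECTED_FORTIOS = {
    (6, 4): (0, 16), (7, 0): (0, 17), (7, 2): (0, 11), (7, 4): (0, 8), (7, 6): (0, 3),
}

def fortios_version(config_text):
    """Return the FortiOS build from the #config-version header as (major, minor, patch)."""
    m = re.search(r"^#config-version=\S+?-(\d+)\.(\d+)\.(\d+)-", config_text, re.M)
    return tuple(int(x) for x in m.groups()) if m else None

def is_affected_fortios(version):
    """True if the version falls inside one of the affected FortiOS ranges."""
    if version is None:
        return False
    major, minor, patch = version
    rng = AFFECTED_FORTIOS.get((major, minor))
    return rng is not None and rng[0] <= patch <= rng[1]

def interfaces_with_fabric(config_text):
    """Return the names of interfaces whose allowaccess list still includes 'fabric'."""
    exposed = []
    section = re.search(r"^config system interface\n(.*?)^end\s*$", config_text, re.S | re.M)
    if not section:
        return exposed
    for name, body in re.findall(r'^\s*edit "([^"]+)"\n(.*?)^\s*next', section.group(1), re.S | re.M):
        m = re.search(r"^\s*set allowaccess (.+)$", body, re.M)
        if m and "fabric" in m.group(1).split():
            exposed.append(name)
    return exposed

def audit(config_text):
    """Summarise exposure: affected build and interfaces still exposing fabric access."""
    version = fortios_version(config_text)
    return {"version": version, "affected": is_affected_fortios(version),
            "fabric_interfaces": interfaces_with_fabric(config_text)}
```

A device is only fully covered once `affected` is False after upgrading; the interface list shows where the interim workaround has not yet been applied.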

What the Cyber Fusion Center is Doing

The Cyber Fusion Center (CFC) is actively monitoring the situation and will issue advisory updates as needed.

References

  • Fortinet PSIRT Advisory FG-IR-25-084
  • Tenable CVE-2025-25249