Fortinet FortiOS/FortiSwitchManager Heap Buffer Overflow Enabling Remote Code Execution
Fortinet disclosed a critical heap-based buffer overflow (CWE-122) in the cw_acd daemon affecting FortiOS and FortiSwitchManager, which can allow remote, unauthenticated attackers to execute arbitrary code or commands via specially crafted network traffic. Impacted versions span multiple FortiOS branches (6.4 through 7.6), along with FortiSASE and FortiSwitchManager releases; Fortinet advised immediate upgrades (e.g., FortiOS 7.6.4+, 7.4.9+, 7.2.12+, 7.0.18+, 6.4.17+; FortiSwitchManager 7.2.7+ and 7.0.6+), and noted FortiSASE 25.2.b is remediated in 25.2.c. The issue was reported as discovered internally by Fortinet’s product security team, and public reporting indicated no CVE was initially listed at publication time.
Separately, Fortinet also disclosed a low-severity SSRF in FortiSandbox tracked as CVE-2025-67685 (FG-IR-25-783), where an authenticated, high-privilege user can craft GUI-driven HTTP requests to proxy traffic to internal plaintext endpoints (CWE-918). While this SSRF could enable internal service exposure or pivoting in segmented environments, it requires privileged access and was not reported as actively exploited; Fortinet recommended upgrading FortiSandbox (e.g., 5.0.5+ for 5.0.0–5.0.4) and migrating off legacy 4.x branches. For the FortiOS/FortiSwitchManager RCE, interim mitigations included removing fabric access from interfaces and restricting CAPWAP-CONTROL (UDP 5246–5249) to trusted sources via local-in policies.
Timeline
Jan 13, 2026
CVE-2025-25249 is published for Fortinet heap overflow flaw
The vulnerability was cataloged as CVE-2025-25249, describing a heap-based buffer overflow in FortiOS, FortiSASE, and FortiSwitchManager that can be triggered by specially crafted packets. Public CVE details stated that successful exploitation could allow unauthorized code or command execution on affected systems.
Jan 13, 2026
Fortinet discloses critical FortiOS and FortiSwitchManager vulnerability
On January 13, 2026, Fortinet publicly disclosed the critical vulnerability affecting multiple FortiOS branches, certain FortiSASE releases, and multiple FortiSwitchManager versions. The company published fixed versions and urged customers to patch immediately because exposed fabric interfaces could lead to full system compromise.
Jan 13, 2026
Fortinet internally discovers heap overflow in cw_acd daemon
Fortinet Product Security Team member Gwendal Guégniaud identified a heap-based buffer overflow in the cw_acd daemon affecting FortiOS and FortiSwitchManager. The flaw could be triggered by specially crafted network packets to enable remote code or command execution.
Related Stories

Fortinet patches multiple vulnerabilities including FortiManager fgtupdates stack overflow enabling remote command execution
**Fortinet** issued a broad security update addressing **11 vulnerabilities** across products including *FortiManager*, *FortiAnalyzer*, *FortiSwitch*, and *FortiSandbox*, spanning issues such as authentication weaknesses, buffer overflows, OS command injection, and SQL injection. The most operationally significant items include vulnerabilities that could enable **remote command execution** or privilege escalation in unpatched enterprise environments; one highlighted flaw is a stack-based buffer overflow in *FortiManager*’s `fgtupdates` service (**CVE-2025-54820**, Fortinet advisory **FG-IR-26-098**), which can be triggered via crafted requests when the service is enabled. Separate vendor advisories published around the same time cover unrelated products and should not be conflated with Fortinet’s update: **HPE Aruba** patched *AOS-CX* switch OS issues including a critical auth bypass (**CVE-2026-23813**) that can allow unauthenticated attackers to reset admin passwords via the web management interface, while **F5** published “not affected” notices for an **Apache Solr** input-validation issue in the “create core” API (**CVE-2026-22444**) that can lead to unauthorized filesystem path reads (and potential NTLM hash disclosure on Windows with UNC paths), and for an **Intel 800 Series Ethernet** Linux driver input-validation flaw (**CVE-2025-24325**) that may allow local privilege escalation on certain F5 appliance lines.
2 weeks ago
Fortinet Patches Multiple Vulnerabilities Across FortiClient and Other Products
Fortinet released security updates addressing **22 vulnerabilities** across multiple products, including **FortiWeb**, **FortiSwitchAX**, **FortiManager**, and **FortiClient (Linux)**. The issues span multiple bug classes (e.g., **authentication bypass**, **heap-based buffer overflow**, and **cleartext storage of sensitive information**) and could enable outcomes such as security bypass, data tampering, denial-of-service, privilege escalation, information disclosure, and in some cases **unauthorized code/command execution**. Belgium’s CCB urged organizations to patch promptly and noted Fortinet reported **no evidence of active exploitation** at the time of the advisory. One of the patched flaws, **CVE-2026-24018** (CVSS **7.8**), was detailed by the **Zero Day Initiative (ZDI-26-186)** as a **local privilege escalation** vulnerability in *FortiClient*. ZDI reported the flaw stems from handling of certain shared objects: a local attacker with the ability to run low-privileged code can create a **symbolic link** to coerce a service into loading an arbitrary shared object, enabling execution of attacker-controlled code as **root**. Fortinet issued a fix and published vendor guidance under **FG-IR-26-083**.
1 month ago
Critical Fortinet FortiOS and FortiProxy Flaws Enable Remote Compromise
Fortinet disclosed multiple critical vulnerabilities in **FortiOS** and related products, including an authentication bypass in **FortiOS** and **FortiProxy** that can grant attackers **super-admin privileges** and is being **actively exploited in the wild**. The flaw can be triggered through specially crafted requests to the **Node.js websocket module** and affects FortiOS `7.0.0` through `7.0.16`, FortiProxy `7.2.0` through `7.2.12`, and FortiProxy `7.0.0` through `7.0.19`. Organizations were told to upgrade to FortiOS `7.0.17+`, FortiProxy `7.2.13+`, or FortiProxy `7.0.20+`, and to apply Fortinet’s recommended mitigations immediately. Separate Fortinet advisories also warned of critical flaws **CVE-2024-21762** and **CVE-2024-23113**, affecting **FortiOS, FortiProxy, FortiPAM, and FortiSwitchManager**. **CVE-2024-21762** carries a **CVSS 9.6** rating, while **CVE-2024-23113** is rated **CVSS 9.8**; both require urgent patching to fixed versions identified by Fortinet. Fortinet and national cyber authorities said defenders should prioritize upgrades across exposed appliances, and for `CVE-2024-21762`, disabling the **SSL VPN** feature can reduce exposure until patches are applied.
1 week ago