Security Advisory

Fortinet: Critical vulnerabilities in FortiOS, FortiSIEM and more

Fortinet has released updates addressing multiple critical and high-severity security vulnerabilities across FortiSIEM, FortiFone, FortiOS, FortiSASE, and FortiSwitchManager. Vulnerabilities in Fortinet products are frequently targeted by attackers; organizations should prioritize applying these patches.

Critical issues

FortiSIEM – Remote command injection (CVE-2025-64155)

CVSS 9.4 – Critical. Unauthenticated attackers with network access to the affected service can execute arbitrary commands and code by sending specially crafted TCP requests. The root cause is insufficient filtering of attacker-controlled input that is passed into operating system commands.

Fixed in: FortiSIEM 7.4.1, 7.3.5, 7.2.7, and 7.1.9. Older versions must migrate to a fixed release.

FortiFone – Unauthenticated access to sensitive data (CVE-2025-47855)

CVSS 9.3 – Critical. Unauthenticated attackers can obtain sensitive information from the FortiFone web portal via manipulated HTTP or HTTPS requests, without logging in.

Fixed in: FortiFone 7.0.2 and 3.0.24 or newer.

High severity

FortiOS, FortiSASE, FortiSwitchManager – Heap buffer overflow (CVE-2025-25249)

CVSS 7.4 – High. Specially crafted requests to the cw_acd daemon can trigger a heap-based buffer overflow; unauthenticated network attackers may achieve code execution.

Temporary mitigation: until a fixed build is installed, remove "fabric" from the allowed access (allowaccess) of every interface that does not need to accept Security Fabric connections. Removing it blocks Security Fabric peering through that interface, which is why the vendor qualifies the advice with "where feasible".

Fixed in: FortiOS 7.6.4, 7.4.9, 7.2.12, 7.0.18, 6.4.17; FortiSASE 25.2.c; FortiSwitchManager 7.2.7 and 7.0.6 or newer. FortiSASE 25.1.a.2 is affected; migration to 25.2.c is required.

Fortinet has also addressed additional medium- and low-severity issues in FortiClientEMS, FortiVoice, and FortiSandbox. Security teams should verify product versions against the official advisories and schedule updates promptly.
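A small triage script that compares a running version against the fixed versions quoted in this advisory, added here as an example and not Fortinet's or FortiGuard's code. It encodes only the fixed versions stated above (FortiSASE is left out because its 25.x.y scheme does not compare numerically), and the inventory it runs over is constructed sample data, not real hosts. A version is treated as fixed when its major.minor branch has a fix listed and its patch level is at or above it, as needing migration when its branch is older than every listed branch (the advisory says older versions must migrate), and as unverified when its branch is not listed at all.

```python
"""Version triage against the fixed-version lists quoted in this advisory.

Added example, not Fortinet's or FortiGuard's code. The fixed versions are
taken from the advisory text; the inventory below is constructed sample data.
"""
from enum import Enum


class Status(Enum):
    FIXED = "fixed"
    AFFECTED = "affected, upgrade within branch"
    MIGRATE = "branch has no fix, migrate to a fixed release"
    UNKNOWN = "branch not listed in advisory, verify against FortiGuard PSIRT"


# Fixed versions as stated in the advisory text. FortiSASE (25.2.c) uses a
# different versioning scheme and is deliberately left out.
FIXED_VERSIONS = {
    "CVE-2025-64155": {"FortiSIEM": ["7.4.1", "7.3.5", "7.2.7", "7.1.9"]},
    "CVE-2025-47855": {"FortiFone": ["7.0.2", "3.0.24"]},
    "CVE-2025-25249": {
        "FortiOS": ["7.6.4", "7.4.9", "7.2.12", "7.0.18", "6.4.17"],
        "FortiSwitchManager": ["7.2.7", "7.0.6"],
    },
}


def parse_version(text):
    """Parse 'major.minor.patch' into a comparable tuple of ints."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(p) for p in parts)


def triage(version, fixed_list):
    """Classify one running version against the fixed builds for its product."""
    running = parse_version(version)
    # One fixed build per maintained branch, keyed by (major, minor).
    fixes = {f[:2]: f for f in (parse_version(v) for v in fixed_list)}
    branch = running[:2]
    if branch in fixes:
        return Status.FIXED if running >= fixes[branch] else Status.AFFECTED
    if branch < min(fixes):
        # Older than every branch that received a fix: no in-branch update exists.
        return Status.MIGRATE
    # Newer or unlisted branch: the advisory says nothing, so do not assume safety.
    return Status.UNKNOWN


def assess(product, version):
    """Return {cve: Status} for every CVE on this page that lists the product."""
    results = {}
    for cve, products in FIXED_VERSIONS.items():
        if product in products:
            results[cve] = triage(version, products[product])
    return results


# Constructed sample inventory (hypothetical devices, not real hosts).
SAMPLE_INVENTORY = [
    ("FortiOS", "7.4.8"),
    ("FortiOS", "7.6.4"),
    ("FortiSIEM", "6.7.9"),
    ("FortiFone", "3.0.24"),
    ("FortiSwitchManager", "7.4.0"),
    ("FortiClientEMS", "7.2.0"),
]

if __name__ == "__main__":
    for product, version in SAMPLE_INVENTORY:
        hits = assess(product, version)
        if not hits:
            print(f"{product} {version}: not covered by the CVEs listed here")
        for cve, status in hits.items():
            print(f"{product} {version}: {cve} -> {status.value}")
```

The UNKNOWN bucket is deliberate: a branch the advisory does not mention (for example FortiSwitchManager 7.4.x in the sample) may be unaffected or may simply not be listed on this page, and only the FortiGuard PSIRT advisory can settle that.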

Source: FortiGuard PSIRT – FG-IR-25-772 (Unauthenticated remote command injection)