Fortinet closes security vulnerabilities in FortiOS, FortiSIEM, and more
Fortinet released updates for FortiOS and other products on Wednesday night. They fix vulnerabilities, some of them critical.
(Image: heise online / dmk)
Fortinet is distributing updated software to close security vulnerabilities, some of them critical, in FortiSIEM and FortiFone, among other products. IT managers should install the updates promptly, as vulnerabilities in Fortinet products are frequently targeted by cybercriminals.
In FortiSIEM, attackers on the network can inject arbitrary commands and code via specially crafted TCP requests (CVE-2025-64155, CVSS 9.4, Risk “critical”). The cause is insufficient filtering of elements used in operating system commands. FortiSIEM versions 7.4.1, 7.3.5, 7.2.7, and 7.1.9 correct the flaw; those running older versions must migrate to one of these corrected versions. FortiFone 7.0.2 and 3.0.24 or newer also close a gap through which unauthenticated attackers can read sensitive information from the FortiFone web portal via manipulated HTTP or HTTPS requests, without having to log in first (CVE-2025-47855, CVSS 9.3, Risk “critical”).
Further security vulnerabilities
Updates for FortiOS and FortiSwitchManager plug a high-risk security vulnerability: with crafted requests to the cw_acd daemon, unauthenticated attackers from the network can trigger a heap-based buffer overflow and then execute injected malicious code (CVE-2025-25249, CVSS 7.4, Risk “high”).
As a temporary measure, administrators can remove “fabric” access on all interfaces. FortiOS 7.6.4, 7.4.9, 7.2.12, 7.0.18, and 6.4.17, FortiSASE 25.2.c, and FortiSwitchManager 7.2.7 and 7.0.6 or newer close the vulnerability. FortiSASE 25.1.a.2 is vulnerable, and fixing it requires migrating to 25.2.c.
In addition, Fortinet is correcting other security-relevant flaws rated medium or low risk in FortiClientEMS, FortiVoice, and FortiSandbox.
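As an added example (not Fortinet's own tooling), the following Python script checks an installed version of the products named above against the fixed releases in this article, distinguishing branches that merely need a patch from branches with no fix that must migrate, as the text requires for older FortiSIEM versions; the sample inventory is constructed, and FortiSASE's letter-suffixed versions are not handled.

```python
# Fixed releases per advisory and product, transcribed from the article.
# FortiSASE (25.2.c) uses a different version scheme and is left out.
FIXED = {
    "CVE-2025-64155": {"FortiSIEM": ["7.4.1", "7.3.5", "7.2.7", "7.1.9"]},
    "CVE-2025-47855": {"FortiFone": ["7.0.2", "3.0.24"]},
    "CVE-2025-25249": {
        "FortiOS": ["7.6.4", "7.4.9", "7.2.12", "7.0.18", "6.4.17"],
        "FortiSwitchManager": ["7.2.7", "7.0.6"],
    },
}


def parse(version):
    """Turn 'major.minor.patch' into a comparable tuple of ints."""
    parts = tuple(int(p) for p in version.split("."))
    if len(parts) != 3:
        raise ValueError(f"expected major.minor.patch, got {version!r}")
    return parts


def assess(product, installed, cve):
    """Return (status, target): 'fixed', 'upgrade' (fix on the same branch),
    'migrate' (branch has no fix; move to the next fixed branch, as the article
    requires for older versions) or 'unknown' (not covered by the article)."""
    fixed = FIXED[cve].get(product)
    if fixed is None:
        return "unknown", None
    inst = parse(installed)
    by_branch = {fx[:2]: fx for fx in map(parse, fixed)}  # (major, minor) -> fix
    fix = by_branch.get(inst[:2])
    if fix is not None:
        if inst >= fix:
            return "fixed", None
        return "upgrade", ".".join(map(str, fix))
    newer = [fx for fx in by_branch.values() if fx[:2] > inst[:2]]
    if not newer:
        return "unknown", None  # newer than every listed branch; article is silent
    return "migrate", ".".join(map(str, min(newer)))


# Constructed sample inventory, not real devices.
SAMPLE = [("FortiOS", "7.4.7"), ("FortiOS", "7.2.13"),
          ("FortiOS", "6.2.16"), ("FortiSwitchManager", "7.0.5")]

if __name__ == "__main__":
    for product, version in SAMPLE:
        status, target = assess(product, version, "CVE-2025-25249")
        print(f"{product} {version}: {status}" + (f" -> {target}" if target else ""))
```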
The list of individual security advisories:
- FortiSIEM Unauthenticated remote command injection, CVE-2025-64155, CVSS 9.4, Risk “critical”
- FortiFone Unauthenticated access to local configuration, CVE-2025-47855, CVSS 9.3, Risk “critical”
- FortiOS, FortiSASE, FortiSwitchManager Heap-based buffer overflow in cw_acd daemon, CVE-2025-25249, CVSS 7.4, Risk “high”
- FortiClientEMS Authenticated SQL injection in API endpoint, CVE-2025-59922, CVSS 6.8, Risk “medium”
- FortiVoice Arbitrary file deletion in administrative interface, CVE-2025-58693, CVSS 5.7, Risk “medium”
- FortiSandbox SSRF in GUI console, CVE-2025-67685, CVSS 3.4, Risk “low”
Fortinet security vulnerabilities are repeatedly targeted by attackers. Last week, for example, the US IT security authority CISA warned about ongoing attacks over the internet on a critical security vulnerability from 2020. In mid-December, there were also attacks in the wild on a vulnerability in the single sign-on of FortiOS, FortiProxy, FortiSwitchManager, and FortiWeb.
(dmk)