FortiOS and FortiSwitchManager Code Execution Vulnerability (CVE-2025-25249)
Fortinet Product Security Team discovered a security vulnerability impacting FortiOS and FortiSwitchManager. Tracked as CVE-2025-25249, the vulnerability is a high-severity issue with a CVSS score of 7.3.
The heap-based buffer overflow exists in the cw_acd daemon of FortiOS and FortiSwitchManager. It may allow a remote, unauthenticated attacker to execute arbitrary code or commands via specially crafted requests.
FortiOS is the network operating system at the core of the Fortinet Security Fabric; it connects the Fabric's components and ensures tight integration throughout an enterprise-wide deployment.
FortiSwitch Manager (FSWM) is an on-premises management platform by Fortinet designed to simplify the deployment and management of large-scale FortiSwitch Ethernet networks as a standalone solution, without requiring a FortiGate firewall. It provides centralized control and a consistent user experience with other Fortinet products.
Affected and Patched Versions
| Version | Affected | Fixed |
|---|---|---|
| FortiOS 7.6 | 7.6.0 through 7.6.3 | Upgrade to 7.6.4 or above |
| FortiOS 7.4 | 7.4.0 through 7.4.8 | Upgrade to 7.4.9 or above |
| FortiOS 7.2 | 7.2.0 through 7.2.11 | Upgrade to 7.2.12 or above |
| FortiOS 7.0 | 7.0.0 through 7.0.17 | Upgrade to 7.0.18 or above |
| FortiOS 6.4 | 6.4.0 through 6.4.16 | Upgrade to the upcoming 6.4.17 or above |
| FortiSASE 25.2 | 25.2.b | Fortinet remediated this issue in version 25.2.c, and therefore, customers do not need to take any action. |
| FortiSASE 25.1.a | 25.1.a.2 | Migrate to a fixed release |
| FortiSASE 24.4 | Not affected | Not Applicable |
| FortiSASE 23.3 | Not affected | Not Applicable |
| FortiSASE 23.2 | Not affected | Not Applicable |
| FortiSASE 23.1 | Not affected | Not Applicable |
| FortiSASE 22 | Not affected | Not Applicable |
| FortiSwitchManager 7.2 | 7.2.0 through 7.2.6 | Upgrade to 7.2.7 or above |
| FortiSwitchManager 7.0 | 7.0.0 through 7.0.5 | Upgrade to 7.0.6 or above |
Please refer to the Fortinet PSIRT Advisory (FG-IR-25-084) for more information.
Workaround
For each interface, remove “fabric” access. For example, change:
```
config system interface
    edit "port1"
        set allowaccess fabric ssh https
    next
end
```
to:
```
config system interface
    edit "port1"
        set allowaccess ssh https
    next
end
```
or disallow access to the capwap daemon:
For each interface with the “fabric” service, block CAPWAP-CONTROL access to ports 5246-5249 through a local-in policy.
```
config firewall service custom
    edit "CAPWAP-CONTROL"
        set udp-portrange 5246-5249
    next
end
config firewall addrgrp
    edit "CAPWAP_DEVICES_IPs"
        set member "my_allowed_addresses"
    next
end
config firewall local-in-policy
    edit 1 (allow from trusted devices)
        set intf "port1" (where fabric is enabled)
        set srcaddr "CAPWAP_DEVICES_IPs"
        set dstaddr "all"
        set service "CAPWAP-CONTROL"
        set schedule "always"
        set action accept
    next
    edit 2 (block everyone else)
        set intf "port1" (where fabric is enabled)
        set srcaddr "all"
        set dstaddr "all"
        set service "CAPWAP-CONTROL"
        set schedule "always"
        set action deny
    next
end
```
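To verify the first workaround across a fleet, the check below (an added example, not Fortinet's or Qualys's code) parses the `config system interface` block of a FortiOS CLI export and lists every interface whose `allowaccess` still includes "fabric". The sample configuration is constructed for illustration; nested sub-blocks such as `config ipv6` are skipped so they cannot produce false matches.

```python
"""Find interfaces that still expose the "fabric" service in a FortiOS config export."""

# Constructed sample: port1 still exposes fabric, port2 has had it removed,
# port3 has no allowaccess line but carries a nested config block.
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set allowaccess fabric ssh https
    next
    edit "port2"
        set allowaccess ssh https
    next
    edit "port3"
        config ipv6
            set ip6-allowaccess ping
        end
    next
end
"""


def fabric_exposed_interfaces(config_text):
    """Return the names of interfaces whose `set allowaccess` includes fabric."""
    exposed, in_block, depth, current = [], False, 0, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not in_block:
            # Skip everything until the top-level interface block starts.
            in_block = line == "config system interface"
            continue
        if line.startswith("config "):
            depth += 1                      # entering a nested sub-block
        elif line == "end":
            if depth == 0:
                break                       # end of the interface block itself
            depth -= 1                      # leaving a nested sub-block
        elif depth == 0 and line.startswith("edit "):
            current = line[5:].strip().strip('"')
        elif depth == 0 and line.startswith("set allowaccess"):
            # Tokens after "set allowaccess" are the enabled services.
            if "fabric" in line.split()[2:]:
                exposed.append(current)
    return exposed


if __name__ == "__main__":
    print("Interfaces still exposing fabric:", fabric_exposed_interfaces(SAMPLE_CONFIG))
```

Run it against a real `show system interface` or full backup export; an empty result means the first workaround is applied on every interface.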
Qualys Detection
Qualys customers can scan their devices with QID 44891 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
Reference
https://fortiguard.fortinet.com/psirt/FG-IR-25-084