Fortinet FortiOS
Known Exploited Fortinet FortiOS Vulnerabilities
The following Fortinet FortiOS vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.
| Title | Description | CVE | EPSS exploit probability | Added to KEV |
|---|---|---|---|---|
| Fortinet FortiOS Use of Hard-Coded Credentials Vulnerability | FortiOS uses a hard-coded cryptographic key to cipher sensitive data in configuration backup files; an attacker with access to a backup file and knowledge of that key can decipher the sensitive data. | CVE-2019-6693 | 72.2% | June 25, 2025 |
| Fortinet FortiOS Authorization Bypass Vulnerability | An authorization bypass that may allow an unauthenticated remote attacker to gain super-admin privileges via crafted requests to the Node.js websocket module. | CVE-2024-55591 | 94.2% | January 14, 2025 |
| Fortinet FortiOS Out-of-Bound Write Vulnerability | An out-of-bounds write that allows a remote unauthenticated attacker to execute code or commands via specially crafted HTTP requests. | CVE-2024-21762 | 92.9% | February 9, 2024 |
| Fortinet FortiOS Path Traversal Vulnerability | A path traversal that may allow a local privileged attacker to read and write files via crafted CLI commands. | CVE-2022-41328 | 0.2% | March 14, 2023 |
| Fortinet FortiOS Heap-Based Buffer Overflow Vulnerability | Multiple versions of FortiOS SSL-VPN contain a heap-based buffer overflow that can allow an unauthenticated remote attacker to execute arbitrary code or commands via specifically crafted requests. | CVE-2022-42475 | 94.0% | December 13, 2022 |
| Fortinet FortiOS Arbitrary File Download | The "execute restore src-vis" command downloads code without an integrity check, allowing an attacker to download arbitrary files. | CVE-2021-44168 | 1.4% | December 10, 2021 |
| Fortinet FortiOS Default Configuration Vulnerability | A default configuration weakness that may allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server. | CVE-2019-5591 | 48.4% | November 3, 2021 |
| Fortinet FortiOS SSL VPN 2FA Authentication Vulnerability | An improper authentication vulnerability in SSL VPN in FortiOS 6.4.0, 6.2.0 to 6.2.3, and 6.0.9 and below may let a user log in successfully without being prompted for the second factor of authentication (FortiToken) by changing the case of their username. | CVE-2020-12812 | 47.0% | November 3, 2021 |
| Fortinet FortiOS SSL VPN credential exposure vulnerability | A path traversal (improper limitation of a pathname to a restricted directory) in FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under the SSL VPN web portal allows an unauthenticated attacker to download system files via specially crafted HTTP resource requests. | CVE-2018-13379 | 94.5% | November 3, 2021 |
Of the known exploited vulnerabilities above, 4 are in the top 1% (99th percentile) of the EPSS exploit probability rankings. 3 known exploited Fortinet FortiOS vulnerabilities are in the top 5% (95th percentile or greater) of the EPSS exploit probability rankings. EPSS scores are recomputed daily, so the percentages shown are a snapshot; KEV membership is already grounds to patch regardless of the EPSS value, as CVE-2022-41328 at 0.2% shows.
EOL Dates
Ensure that you are using a supported version of Fortinet FortiOS. The table lists, for each release branch, the end of engineering support (after which Fortinet issues no further fixes for that branch) and the end of support (EOL). Advisories below that list a branch as "all versions" affected have no fix on that branch; the only remedy is to migrate to a fixed release.
| Release | End of Engineering Support (last fixes) | End of Support (EOL) | Status |
|---|---|---|---|
| 7.6 | July 25, 2027 | January 25, 2029 | Active. FortiOS 7.6 will become EOL in 3 years (in 2029). |
| 7.4 | May 11, 2026 | November 11, 2027 | Active. FortiOS 7.4 will become EOL next year, in November 2027; engineering support ends in May 2026. |
| 7.2 | March 31, 2025 | September 30, 2026 | EOL this year. FortiOS 7.2 will become EOL in September 2026 and has received no further fixes since March 2025. |
| 7.0 | March 30, 2024 | September 30, 2025 | EOL. FortiOS 7.0 became EOL in 2025; engineering support ended in 2024. |
| 6.4 | March 31, 2023 | September 30, 2024 | EOL. FortiOS 6.4 became EOL in 2024; engineering support ended in 2023. |
| 6.2 | March 28, 2022 | September 28, 2023 | EOL. FortiOS 6.2 became EOL in 2023; engineering support ended in 2022. |
| 6.0 | March 29, 2021 | September 29, 2022 | EOL. FortiOS 6.0 became EOL in 2022; engineering support ended in 2021. |
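To turn the support dates and the affected-version wording that Fortinet advisories use ("7.6.0 through 7.6.3", "7.2 all versions", "before 7.0.16", "7.6.2 and below") into something a fleet inventory can check, here is an added example written for this page; it is not stack.watch's or Fortinet's code. It assumes the earlier date in the table above is Fortinet's end of engineering support and that "before X.Y.Z" and "X.Y.Z and below" clauses are scoped to the X.Y branch (Fortinet lists branches side by side, so 6.4.15 is not "before 7.0.16"). The CVE rows, CVSS scores and clauses are copied from entries on this page; the build strings fed to `triage` are constructed.

```python
"""Triage a FortiOS build against advisory-style affected-version clauses
and the branch support dates from the table on this page (added example)."""
import re
from datetime import date
from typing import Optional

Version = tuple


def parse_version(s: str) -> Version:
    return tuple(int(p) for p in s.strip().split("."))


# Clause shapes used by the advisories quoted on this page.
_THROUGH = re.compile(r"^(\d+\.\d+\.\d+) through (\d+\.\d+\.\d+)$")
_ALL = re.compile(r"^(\d+\.\d+) all versions$")
_BEFORE = re.compile(r"^before (\d+\.\d+\.\d+)$")
_BELOW = re.compile(r"^(\d+\.\d+\.\d+) and below$")
_SINGLE = re.compile(r"^(\d+\.\d+\.\d+)$")


def clause_matches(clause: str, v: Version) -> bool:
    """True if v falls inside one clause. 'before X.Y.Z' and 'X.Y.Z and below'
    are read as bounded to the X.Y branch (assumption stated in the lead-in)."""
    c = re.sub(r"^(?:and\s+|FortiOS\s+)+", "", clause.strip())
    if m := _THROUGH.match(c):
        return parse_version(m[1]) <= v <= parse_version(m[2])
    if m := _ALL.match(c):
        return v[:2] == parse_version(m[1])
    if m := _BEFORE.match(c):
        hi = parse_version(m[1])
        return v[:2] == hi[:2] and v < hi
    if m := _BELOW.match(c):
        hi = parse_version(m[1])
        return v[:2] == hi[:2] and v <= hi
    if m := _SINGLE.match(c):
        return v == parse_version(m[1])
    raise ValueError(f"unrecognised clause: {clause!r}")


def is_affected(affected: str, v: Version) -> bool:
    return any(clause_matches(c, v) for c in affected.split(",") if c.strip())


# (CVE, CVSS, FortiOS affected clauses) copied from entries on this page.
ADVISORIES = [
    ("CVE-2026-24858", 9.4, "FortiOS 7.6.0 through 7.6.5, FortiOS 7.4.0 through 7.4.10, "
                            "FortiOS 7.2.0 through 7.2.12, FortiOS 7.0.0 through 7.0.18"),
    ("CVE-2025-59718", 9.1, "FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, "
                            "FortiOS 7.2.0 through 7.2.11, FortiOS 7.0.0 through 7.0.17"),
    ("CVE-2025-58325", 7.8, "7.6.0, 7.4.0 through 7.4.5, 7.2.5 through 7.2.10, "
                            "7.0.0 through 7.0.15, 6.4 all versions"),
    ("CVE-2026-22153", 7.5, "FortiOS 7.6.0 through 7.6.4"),
    ("CVE-2025-25249", 7.4, "FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, "
                            "FortiOS 7.2.0 through 7.2.11, FortiOS 7.0.0 through 7.0.17, "
                            "FortiOS 6.4 all versions"),
    ("CVE-2025-64157", 6.7, "7.6.0 through 7.6.4, 7.4.0 through 7.4.9, "
                            "7.2.0 through 7.2.11, 7.0 all versions"),
]

# Branch -> (end of engineering support, end of support), from the table above.
BRANCH_DATES = {
    (7, 6): (date(2027, 7, 25), date(2029, 1, 25)),
    (7, 4): (date(2026, 5, 11), date(2027, 11, 11)),
    (7, 2): (date(2025, 3, 31), date(2026, 9, 30)),
    (7, 0): (date(2024, 3, 30), date(2025, 9, 30)),
    (6, 4): (date(2023, 3, 31), date(2024, 9, 30)),
    (6, 2): (date(2022, 3, 28), date(2023, 9, 28)),
    (6, 0): (date(2021, 3, 29), date(2022, 9, 29)),
}


def support_status(v: Version, today: date) -> str:
    if v[:2] not in BRANCH_DATES:
        return "unknown"
    eoes, eos = BRANCH_DATES[v[:2]]
    if today > eos:
        return "end-of-support"
    if today > eoes:
        return "no-further-fixes"
    return "supported"


def triage(version: str, today: Optional[date] = None) -> dict:
    """Support status plus the page's CVEs that hit this build, highest CVSS first."""
    today = today or date.today()
    v = parse_version(version)
    hits = [(cvss, cve) for cve, cvss, affected in ADVISORIES if is_affected(affected, v)]
    hits.sort(key=lambda h: -h[0])
    return {"version": version, "support": support_status(v, today),
            "cves": [cve for _, cve in hits]}


if __name__ == "__main__":
    for build in ("7.4.8", "7.2.12", "6.4.16"):  # constructed inventory
        print(triage(build, date(2026, 2, 15)))
```

A 7.2.12 device comes back as "no-further-fixes" even though it is not yet EOL, which is the case the table's two dates are meant to separate: a branch past engineering support is affected by any later advisory that says "7.2 all versions" and will never get a patch for it.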
By the Year
In 2026 there have been 8 vulnerabilities in Fortinet FortiOS with an average score of 6.1 out of ten. Last year, in 2025, FortiOS had 73 security vulnerabilities published. Right now, FortiOS is on track to have fewer security vulnerabilities in 2026 than it did last year. However, the average CVE base score of the vulnerabilities in 2026 is greater by 0.21.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 8 | 6.06 |
| 2025 | 73 | 5.85 |
| 2024 | 33 | 7.27 |
| 2023 | 45 | 6.45 |
| 2022 | 24 | 6.23 |
| 2021 | 14 | 7.08 |
| 2020 | 8 | 6.76 |
| 2019 | 19 | 6.57 |
| 2018 | 7 | 6.85 |
It may take a day or so for new FortiOS vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name; several entries below are shared with FortiProxy, FortiManager, FortiAnalyzer and other Fortinet products.
Recent Fortinet FortiOS Security Vulnerabilities
FortiOS 6.4-7.6.1 Symlink-Persistence Patch Bypass via Crafted HTTP Requests
CVE-2025-68686
5.3 - Medium
- February 10, 2026
An exposure of sensitive information to an unauthorized actor vulnerability [CWE-200] in Fortinet FortiOS 7.6.0 through 7.6.1, FortiOS 7.4.0 through 7.4.6, FortiOS 7.2 all versions, FortiOS 7.0 all versions, FortiOS 6.4 all versions may allow a remote unauthenticated attacker to bypass the patch developed for the symbolic link persistence mechanism observed in some post-exploitation cases, via crafted HTTP requests. An attacker would first need to have compromised the product at filesystem level via another vulnerability.
Information Disclosure
FortiOS 7.0-7.6.4 formatstring flaw enables admin code exec
CVE-2025-64157
6.7 - Medium
- February 10, 2026
A use of externally-controlled format string vulnerability in Fortinet FortiOS 7.6.0 through 7.6.4, FortiOS 7.4.0 through 7.4.9, FortiOS 7.2.0 through 7.2.11, FortiOS 7.0 all versions allows an authenticated admin to execute unauthorized code or commands via specifically crafted configuration.
Use of Externally-Controlled Format String
FortiOS 7.0-7.6.4: Improper Source Verification in FSSO Channel
CVE-2025-62439
3.8 - Low
- February 10, 2026
An improper verification of source of a communication channel vulnerability [CWE-940] in Fortinet FortiOS 7.6.0 through 7.6.4, FortiOS 7.4.0 through 7.4.9, FortiOS 7.2 all versions, FortiOS 7.0 all versions may allow an authenticated user with knowledge of FSSO policy configurations to gain unauthorized access to protected network resources via crafted requests.
Improper Verification of Source of a Communication Channel
FortiOS 7.6.0-7.6.4 LDAP Auth Bypass via Agentless VPN/FSSO
CVE-2026-22153
7.5 - High
- February 10, 2026
An authentication bypass by primary weakness vulnerability [CWE-305] in Fortinet FortiOS 7.6.0 through 7.6.4 may allow an unauthenticated attacker to bypass LDAP authentication of Agentless VPN or FSSO policy, when the remote LDAP server is configured in a specific way.
Authentication Bypass by Primary Weakness
FortiOS 6.4.3-7.6.0 HTTP Request Smuggling (Unauthenticated)
CVE-2025-55018
5.2 - Medium
- February 10, 2026
An inconsistent interpretation of HTTP requests ('HTTP request smuggling') vulnerability in Fortinet FortiOS 7.6.0, FortiOS 7.4.0 through 7.4.9, FortiOS 7.2 all versions, FortiOS 7.0 all versions, FortiOS 6.4.3 through 6.4.16 may allow an unauthenticated attacker to smuggle an unlogged HTTP request through the firewall policies via a specially crafted header.
HTTP Request Smuggling
Fortinet FortiOS LDAP Credential Decryption (<=7.6.6)
CVE-2026-25815
3.2 - Low
- February 05, 2026
Fortinet FortiOS through 7.6.6 allows attackers to decrypt LDAP credentials stored in device configuration files, as exploited in the wild from 2025-12-16 through 2026 (by default, the encryption key is the same across all customers' installations). NOTE: the Supplier's position is that the instance of CWE-1394 is not a vulnerability because customers "are supposed to enable" a non-default option that eliminates the weakness. However, that non-default option can disrupt functionality as shown in the "Managing FortiGates with private data encryption" document, and is therefore intentionally not a default option.
Use of Default Cryptographic Key (CWE-1394)
FortiOS 7.0-7.6 (and FortiAnalyzer/FortiManager/FortiProxy/FortiWeb) FortiCloud SSO Auth Bypass via Alternate Channel
CVE-2026-24858
9.4 - Critical
- January 27, 2026
An authentication bypass using an alternate path or channel vulnerability [CWE-288] in Fortinet FortiAnalyzer 7.6.0 through 7.6.5, FortiAnalyzer 7.4.0 through 7.4.9, FortiAnalyzer 7.2.0 through 7.2.11, FortiAnalyzer 7.0.0 through 7.0.15, FortiManager 7.6.0 through 7.6.5, FortiManager 7.4.0 through 7.4.9, FortiManager 7.2.0 through 7.2.11, FortiManager 7.0.0 through 7.0.15, FortiOS 7.6.0 through 7.6.5, FortiOS 7.4.0 through 7.4.10, FortiOS 7.2.0 through 7.2.12, FortiOS 7.0.0 through 7.0.18, FortiProxy 7.6.0 through 7.6.4, FortiProxy 7.4.0 through 7.4.12, FortiProxy 7.2.0 through 7.2.15, FortiProxy 7.0.0 through 7.0.22, FortiWeb 8.0.0 through 8.0.3, FortiWeb 7.6.0 through 7.6.6, FortiWeb 7.4.0 through 7.4.11 may allow an attacker with a FortiCloud account and a registered device to log into other devices registered to other accounts, if FortiCloud SSO authentication is enabled on those devices.
Authentication Bypass Using an Alternate Path or Channel
FortiOS/FortiSwitchManager 6.4.0-7.6.3 Heap Overflow Exec via Packets
CVE-2025-25249
7.4 - High
- January 13, 2026
A heap-based buffer overflow vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2.0 through 7.2.11, FortiOS 7.0.0 through 7.0.17, FortiOS 6.4 all versions, FortiSwitchManager 7.2.0 through 7.2.6, FortiSwitchManager 7.0.0 through 7.0.5 allows an attacker to execute unauthorized code or commands via specially crafted packets.
Heap-based Buffer Overflow
FortiOS 7.0.14/7.2.7/7.4.4/7.6.0 (and FortiAnalyzer/FortiManager/FortiPortal) Certificate Private Key Retrieval via Admin Shell
CVE-2024-40593
5.9 - Medium
- December 11, 2025
A key management errors vulnerability in Fortinet FortiAnalyzer 7.4.0 through 7.4.2, FortiAnalyzer 7.2.0 through 7.2.5, FortiAnalyzer 7.0 all versions, FortiAnalyzer 6.4 all versions, FortiManager 7.4.0 through 7.4.2, FortiManager 7.2.0 through 7.2.5, FortiManager 7.0 all versions, FortiManager 6.4 all versions, FortiOS 7.6.0, FortiOS 7.4.4, FortiOS 7.2.7, FortiOS 7.0.14, FortiPortal 6.0 all versions may allow an authenticated admin to retrieve a certificate's private key via the device's admin shell.
Key Management Errors
FortiOS 7.0-7.4.3: REST API Tokens Logged (CWE-532)
CVE-2024-47570
6.3 - Medium
- December 09, 2025
An insertion of sensitive information into log file vulnerability [CWE-532] in FortiOS 7.4.0 through 7.4.3, 7.2.0 through 7.2.7, 7.0 all versions; FortiProxy 7.4.0 through 7.4.3, 7.2.0 through 7.2.11; FortiPAM 1.4 all versions, 1.3 all versions, 1.2 all versions, 1.1 all versions, 1.0 all versions and FortiSRA 1.4 all versions may allow a read-only administrator to retrieve API tokens of other administrators via observing REST API logs, if REST API logging is enabled (non-default configuration).
Insertion of Sensitive Information into Log File
Fortinet FortiOS 7.0-7.6 SAML Auth Bypass via Signature Verify Flaw
CVE-2025-59718
9.1 - Critical
- December 09, 2025
An improper verification of cryptographic signature vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2.0 through 7.2.11, FortiOS 7.0.0 through 7.0.17, FortiProxy 7.6.0 through 7.6.3, FortiProxy 7.4.0 through 7.4.10, FortiProxy 7.2.0 through 7.2.14, FortiProxy 7.0.0 through 7.0.21, FortiSwitchManager 7.2.0 through 7.2.6, FortiSwitchManager 7.0.0 through 7.0.5 allows an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML response message.
Improper Verification of Cryptographic Signature
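Several of the entries above hinge on configuration state rather than on version alone: CVE-2026-25815 (and the KEV entry CVE-2019-6693) only matter while the default backup-encryption key is in use, CVE-2026-24858 and CVE-2025-59718 require FortiCloud SSO login to be enabled, and CVE-2024-47570 requires the non-default REST API logging. The added example below, written for this page and not stack.watch's or Fortinet's code, parses a constructed FortiOS CLI backup and flags those settings. The CLI key names `private-data-encryption`, `admin-forticloud-sso-login`, `rest-api-set` and `rest-api-get` are named from the FortiOS CLI as the author recalls it and should be verified against the CLI reference for your release; both backups are constructed samples, not real devices.

```python
"""Audit a FortiOS CLI configuration backup for settings that decide exposure
to several entries on this page (added example; CLI key names are assumptions)."""
import re

# Constructed sample backup (not a real device), in FortiOS CLI backup syntax.
SAMPLE_BACKUP = """\
#config-version=FGT60F-7.4.8-FW-build2795-250123:opmode=0:vdom=0:user=admin
config system global
    set admin-forticloud-sso-login enable
    set hostname "fw-edge-01"
end
config log setting
    set rest-api-set enable
end
config user ldap
    edit "corp-ad"
        set server "10.0.0.5"
        set password ENC REDACTED
    next
end
"""

# The same constructed device after hardening: PDE on, SSO off, no REST API logging.
HARDENED_BACKUP = """\
#config-version=FGT60F-7.4.8-FW-build2795-250123:opmode=0:vdom=0:user=admin
config system global
    set private-data-encryption enable
    set hostname "fw-edge-01"
end
config user ldap
    edit "corp-ad"
        set server "10.0.0.5"
        set password ENC REDACTED
    next
end
"""


def parse_config(text: str):
    """Flatten a backup into {(scope path, key): value}. The scope path is the
    chain of config/edit blocks, e.g. ('system global',) or
    ('user ldap', 'corp-ad'). A backup omits settings left at their default,
    so a missing key means 'default', never 'unknown'."""
    version, path, settings = None, [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"#config-version=\S+?-(\d+\.\d+\.\d+)-FW-build\d+", line):
            version = m[1]
        elif line.startswith("config "):
            path.append(line[7:])
        elif line.startswith("edit "):
            path.append(line[5:].strip('"'))
        elif line in ("next", "end"):
            path.pop()
        elif line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            settings[(tuple(path), key)] = value.strip('"')
    return version, settings


def audit(text: str):
    """Return (FortiOS version from the header, [(CVE, finding), ...])."""
    version, s = parse_config(text)
    findings = []
    glob = ("system global",)
    # Absent line == default == disabled: secrets are under the vendor-wide key.
    if s.get((glob, "private-data-encryption"), "disable") != "enable":
        ldap = sorted(p[1] for (p, k) in s if k == "password" and p[0] == "user ldap")
        findings.append(("CVE-2026-25815",
                         "private-data-encryption is off (default): stored secrets in this "
                         f"backup are protected only by the default key; LDAP objects: {ldap}"))
    if s.get((glob, "admin-forticloud-sso-login")) == "enable":
        findings.append(("CVE-2026-24858",
                         "FortiCloud SSO admin login is enabled: in scope for the FortiCloud "
                         "SSO bypasses (also CVE-2025-59718); disable it or patch first"))
    if any(s.get((("log setting",), k)) == "enable" for k in ("rest-api-set", "rest-api-get")):
        findings.append(("CVE-2024-47570",
                         "REST API request logging is enabled (non-default): API tokens can "
                         "land in logs readable by read-only administrators"))
    return version, findings


if __name__ == "__main__":
    for name, backup in (("sample", SAMPLE_BACKUP), ("hardened", HARDENED_BACKUP)):
        print(name, audit(backup))
```

The parser's "missing means default" rule is the point: a backup that contains no `private-data-encryption` line is the weak case, not an unknown one, and enabling it is the non-default option the CVE-2026-25815 entry refers to, with the key-management consequences described in the document that entry cites.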
FortiOS 6.4-7.4.0 SSL-VPN Session Not Terminated After Password Change (CWE-613)
CVE-2025-62631
5.3 - Medium
- December 09, 2025
An insufficient session expiration vulnerability [CWE-613] in Fortinet FortiOS 7.4.0, FortiOS 7.2 all versions, FortiOS 7.0 all versions, FortiOS 6.4 all versions allows an attacker to maintain access to network resources via an active SSL-VPN session that is not terminated after a user's password change, under particular conditions outside of the attacker's control.
Insufficient Session Expiration
Stack-Based Buffer Overflow in FortiOS 6.4-7.6.3 via Crafted Packets
CVE-2025-53843
6.9 - Medium
- November 18, 2025
A stack-based buffer overflow vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2 all versions, FortiOS 7.0 all versions, FortiOS 6.4 all versions allows an attacker to execute unauthorized code or commands via specially crafted packets.
Stack-based Buffer Overflow
FortiOS 6.0-7.6.3 and FortiSASE 25.3.b Stack-Based Buffer Overflow via Crafted Packets
CVE-2025-58413
6.9 - Medium
- November 18, 2025
A stack-based buffer overflow vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2 all versions, FortiOS 7.0 all versions, FortiOS 6.4 all versions, FortiOS 6.2 all versions, FortiOS 6.0 all versions, FortiSASE 25.3.b allows an attacker to execute unauthorized code or commands via specially crafted packets.
Stack-based Buffer Overflow
FortiOS and FortiProxy 7.6.0-7.6.3 Trusted Host Bypass via Crafted CLI Command
CVE-2025-54821
1.8 - Low
- November 18, 2025
An improper privilege management vulnerability [CWE-269] in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4 all versions, FortiOS 7.2 all versions, FortiOS 7.0 all versions, FortiOS 6.4 all versions, FortiPAM 1.6.0, FortiPAM 1.5 all versions, FortiPAM 1.4 all versions, FortiPAM 1.3 all versions, FortiPAM 1.2 all versions, FortiPAM 1.1 all versions, FortiPAM 1.0 all versions, FortiProxy 7.6.0 through 7.6.3, FortiProxy 7.4 all versions, FortiProxy 7.2 all versions, FortiProxy 7.0 all versions may allow an authenticated administrator to bypass the trusted host policy via a crafted CLI command.
Improper Privilege Management
Insertion of Sensitive Info into Log Files CVE-2025-31514 (FortiOS 6.4-7.6.x)
CVE-2025-31514
2.6 - Low
- October 14, 2025
An Insertion of Sensitive Information into Log File vulnerability [CWE-532] in FortiOS 7.6.0 through 7.6.3, 7.4 all versions, 7.2 all versions, 7.0 all versions, 6.4 all versions may allow an attacker with at least read-only privileges to retrieve sensitive 2FA-related information via observing logs or via diagnose command.
Insertion of Sensitive Information into Log File
Fortinet FortiOS 7.4.0-7.4.1 Improper Authorization -> VDOM Static File Leak
CVE-2025-54822
4.2 - Medium
- October 14, 2025
An improper authorization vulnerability [CWE-285] in Fortinet FortiOS 7.4.0 through 7.4.1, FortiOS 7.2.0 through 7.2.8, FortiOS 7.0.0 through 7.0.11, FortiProxy 7.4.0 through 7.4.8, FortiProxy 7.2 all versions, FortiProxy 7.0 all versions, FortiProxy 2.0 all versions allows an authenticated attacker to access static files of other VDOMs via crafted HTTP or HTTPS requests.
Improper Authorization
FortiOS/FortiProxy 7.0.1-7.6.3 Unauthenticated Domain Fronting Protection Bypass
CVE-2025-25255
4.3 - Medium
- October 14, 2025
An improperly implemented security check for standard vulnerability [CWE-358] in Fortinet FortiOS 7.6.0 through 7.6.3, FortiProxy 7.6.0 through 7.6.3, FortiProxy 7.4.0 through 7.4.11, FortiProxy 7.2 all versions, FortiProxy 7.0.1 through 7.0.22 may allow an unauthenticated proxy user to bypass the domain fronting protection feature via crafted HTTP requests.
Improperly Implemented Security Check for Standard
FortiOS SSL VPN 7.6.*: Insufficient Session Expiration (CWE-613)
CVE-2025-25252
4.3 - Medium
- October 14, 2025
An Insufficient Session Expiration vulnerability [CWE-613] in FortiOS SSL VPN 7.6.0 through 7.6.2, 7.4.0 through 7.4.6, 7.2.0 through 7.2.10, 7.0.0 through 7.0.16, 6.4 all versions may allow a remote attacker (e.g. a former admin whose account was removed and whose session was terminated) in possession of the SAML record of a user session to access or re-open that session via re-use of SAML record.
Insufficient Session Expiration
FortiOS 7.4.0-7.4.3 fgfm Connection Reset via Crafted SSL Requests (CWE-703)
CVE-2024-26008
5 - Medium
- October 14, 2025
An improper check or handling of exceptional conditions vulnerability [CWE-703] in FortiOS version 7.4.0 through 7.4.3 and before 7.2.7, FortiProxy version 7.4.0 through 7.4.3 and before 7.2.9, FortiPAM before 1.2.0 and FortiSwitchManager version 7.2.0 through 7.2.3 and version 7.0.0 through 7.0.3 fgfm daemon may allow an unauthenticated attacker to repeatedly reset the fgfm connection via crafted SSL encrypted TCP requests.
Improper Check for Unusual or Exceptional Conditions
Fortinet Forti* - Sensitive Data Disclosure via Crafted Packets (v<=7.6)
CVE-2024-47569
4.2 - Medium
- October 14, 2025
An insertion of sensitive information into sent data vulnerability in Fortinet FortiMail 7.4.0 through 7.4.2, FortiMail 7.2.0 through 7.2.6, FortiMail 7.0 all versions, FortiManager 7.6.0 through 7.6.1, FortiManager 7.4.1 through 7.4.3, FortiManager Cloud 7.4.1 through 7.4.3, FortiNDR 7.6.0 through 7.6.1, FortiNDR 7.4.0 through 7.4.8, FortiNDR 7.2 all versions, FortiNDR 7.1 all versions, FortiNDR 7.0 all versions, FortiNDR 1.5 all versions, FortiOS 7.6.0, FortiOS 7.4.0 through 7.4.4, FortiOS 7.2.0 through 7.2.8, FortiOS 7.0.0 through 7.0.15, FortiOS 6.4.0 through 6.4.15, FortiOS 6.2 all versions, FortiOS 6.0 all versions, FortiPAM 1.3 all versions, FortiPAM 1.2 all versions, FortiPAM 1.1 all versions, FortiPAM 1.0 all versions, FortiProxy 7.4.0 through 7.4.4, FortiProxy 7.2.0 through 7.2.10, FortiProxy 7.0 all versions, FortiProxy 2.0 all versions, FortiProxy 1.2 all versions, FortiProxy 1.1 all versions, FortiProxy 1.0 all versions, FortiRecorder 7.2.0 through 7.2.1, FortiRecorder 7.0.0 through 7.0.4, FortiTester 7.4.0 through 7.4.2, FortiTester 7.3 all versions, FortiTester 7.2 all versions, FortiTester 7.1 all versions, FortiTester 7.0 all versions, FortiTester 4.2 all versions, FortiVoice 7.0.0 through 7.0.4, FortiVoice 6.4.0 through 6.4.9, FortiVoice 6.0.7 through 6.0.12, FortiWeb 7.6.0, FortiWeb 7.4.0 through 7.4.4, FortiWeb 7.2 all versions, FortiWeb 7.0 all versions, FortiWeb 6.4 all versions allows an attacker to disclose sensitive information via specially crafted packets.
Insertion of Sensitive Information Into Sent Data
FortiOS 6.x-7.4 Buffer Overflow via CLI Commands
CVE-2023-46718
6.3 - Medium
- October 14, 2025
A stack-based buffer overflow in Fortinet FortiOS version 7.4.0 through 7.4.1 and 7.2.0 through 7.2.7 and 7.0.0 through 7.0.12 and 6.4.6 through 6.4.15 and 6.2.9 through 6.2.16 and 6.0.13 through 6.0.18 allows attacker to execute unauthorized code or commands via specially crafted CLI commands.
Stack-based Buffer Overflow
FortiOS 6.2-7.6.2 Heap Overflow via Crafted Requests
CVE-2024-50571
6.5 - Medium
- October 14, 2025
A heap-based buffer overflow vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.2, FortiAnalyzer 7.4.0 through 7.4.5, FortiAnalyzer 7.2.0 through 7.2.9, FortiAnalyzer 7.0.0 through 7.0.13, FortiAnalyzer 6.4 all versions, FortiAnalyzer 6.2 all versions, FortiAnalyzer 6.0 all versions, FortiAnalyzer Cloud 7.4.1 through 7.4.5, FortiAnalyzer Cloud 7.2.1 through 7.2.9, FortiAnalyzer Cloud 7.0.1 through 7.0.13, FortiAnalyzer Cloud 6.4 all versions, FortiManager 7.6.0 through 7.6.1, FortiManager 7.4.0 through 7.4.5, FortiManager 7.2.0 through 7.2.9, FortiManager 7.0.0 through 7.0.13, FortiManager 6.4 all versions, FortiManager 6.2 all versions, FortiManager 6.0 all versions, FortiManager Cloud 7.6.2, FortiManager Cloud 7.4.1 through 7.4.5, FortiManager Cloud 7.2.1 through 7.2.9, FortiManager Cloud 7.0.1 through 7.0.13, FortiManager Cloud 6.4 all versions, FortiOS 7.6.0 through 7.6.2, FortiOS 7.4.0 through 7.4.6, FortiOS 7.2.0 through 7.2.10, FortiOS 7.0.0 through 7.0.16, FortiOS 6.4.0 through 6.4.15, FortiOS 6.2 all versions, FortiProxy 7.6.0 through 7.6.1, FortiProxy 7.4.0 through 7.4.7, FortiProxy 7.2.0 through 7.2.12, FortiProxy 7.0.0 through 7.0.19, FortiProxy 2.0 all versions, FortiProxy 1.2 all versions, FortiProxy 1.1 all versions, FortiProxy 1.0 all versions allows attacker to execute unauthorized code or commands via specifically crafted requests.
Heap-based Buffer Overflow
FortiOS/Proxy XSS (CVE-2025-31366) 7.6.0-7.6.3/7.4.0-7.4.7
CVE-2025-31366
4.5 - Medium
- October 14, 2025
An Improper Neutralization of Input During Web Page Generation vulnerability [CWE-79] vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2 all versions, FortiOS 7.0 all versions, FortiOS 6.4 all versions, FortiProxy 7.6.0 through 7.6.3, FortiProxy 7.4 all versions, FortiProxy 7.2 all versions, FortiProxy 7.0 all versions, FortiSASE 25.2.a may allow an unauthenticated attacker to perform a reflected cross site scripting (XSS) via crafted HTTP requests.
XSS
FortiOS 7.0.2-7.6.2 (and FortiSRA/FortiPAM/FortiProxy/FortiSwitchManager) Heap Overflow Privilege Escalation via HTTP
CVE-2025-22258
5.7 - Medium
- October 14, 2025
A heap-based buffer overflow in Fortinet FortiSRA 1.5.0, 1.4.0 through 1.4.2, FortiPAM 1.5.0, 1.4.0 through 1.4.2, 1.3.0 through 1.3.1, 1.2.0, 1.1.0 through 1.1.2, 1.0.0 through 1.0.3, FortiProxy 7.6.0 through 7.6.1, 7.4.0 through 7.4.7, FortiOS 7.6.0 through 7.6.2, 7.4.0 through 7.4.6, 7.2.0 through 7.2.10, 7.0.2 through 7.0.16, FortiSwitchManager 7.2.1 through 7.2.5 allows attackers to escalate their privilege via specially crafted http requests.
Heap-based Buffer Overflow
FortiOS <=7.6.2 and FortiProxy <=7.6.1 ZTNA Proxy: Unauthenticated MITM via Certificate Host Mismatch
CVE-2025-25253
6.8 - Medium
- October 14, 2025
An Improper Validation of Certificate with Host Mismatch vulnerability [CWE-297] in FortiProxy version 7.6.1 and below, version 7.4.8 and below, 7.2 all versions, 7.0 all versions and FortiOS version 7.6.2 and below, version 7.4.8 and below, 7.2 all versions, 7.0 all versions ZTNA proxy may allow an unauthenticated attacker in a man-in-the middle position to intercept and tamper with connections to the ZTNA proxy
Improper Validation of Certificate with Host Mismatch
Fortinet FortiOS Heap Buffer Overflow CVE-2025-57740 (v<7.6.2/7.4.7/7.2.10)
CVE-2025-57740
6.7 - Medium
- October 14, 2025
A heap-based buffer overflow vulnerability [CWE-122] in FortiOS version 7.6.2 and below, version 7.4.7 and below, version 7.2.10 and below, 7.0 all versions, 6.4 all versions; FortiPAM version 1.5.0, version 1.4.2 and below, 1.3 all versions, 1.2 all versions, 1.1 all versions, 1.0 all versions and FortiProxy version 7.6.2 and below, version 7.4.3 and below, 7.2 all versions, 7.0 all versions RDP bookmark connection may allow an authenticated user to execute unauthorized code via crafted requests.
Heap-based Buffer Overflow
Fortinet FortiOS/FortiProxy/FortiSASE URL Redirection Vulnerability (CWE-601)
CVE-2025-47890
2.5 - Low
- October 14, 2025
A URL redirection to untrusted site vulnerability [CWE-601] in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2 all versions, FortiOS 7.0 all versions, FortiOS 6.4 all versions, FortiProxy 7.6.0 through 7.6.3, FortiProxy 7.4 all versions, FortiProxy 7.2 all versions, FortiProxy 7.0 all versions, FortiSASE 25.2.a may allow an unauthenticated attacker to perform an open redirect attack via crafted HTTP requests.
Open Redirect
FortiOS 6.x-7.6.0 CLI Command Injection (CWE-684) CVE-2025-58325
CVE-2025-58325
7.8 - High
- October 14, 2025
An Incorrect Provision of Specified Functionality vulnerability [CWE-684] in FortiOS 7.6.0, 7.4.0 through 7.4.5, 7.2.5 through 7.2.10, 7.0.0 through 7.0.15, 6.4 all versions may allow a local authenticated attacker to execute system commands via crafted CLI commands.
Incorrect Provision of Specified Functionality
FortiOS 7.4.8-7.6.3 API Null Pointer Deref in httpd via Unchecked Return
CVE-2025-58903
2.5 - Low
- October 14, 2025
An unchecked return value vulnerability [CWE-252] in the Fortinet FortiOS version 7.6.0 through 7.6.3 and before 7.4.8 API allows an authenticated user to cause a null pointer dereference, crashing the HTTP daemon via a specially crafted request.
Unchecked Return Value
FortiOS/FortiProxy Auth Bypass via Alternate Path (7.4.0-7.4.7)
CVE-2025-22862
6.3 - Medium
- October 02, 2025
An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] in FortiOS 7.4.0 through 7.4.7, 7.2.0 through 7.2.11, 7.0.6 and above; and FortiProxy 7.6.0 through 7.6.2, 7.4.0 through 7.4.8, 7.2 all versions, 7.0.5 and above may allow an authenticated attacker to elevate their privileges via triggering a malicious Webhook action in the Automation Stitch component.
Authentication Bypass Using an Alternate Path or Channel
FortiOS <=7.6.2 Integer Overflow Vulnerability Allows DoS via SSL-VPN
CVE-2025-25248
6.5 - Medium
- August 12, 2025
An Integer Overflow or Wraparound vulnerability [CWE-190] in FortiOS version 7.6.2 and below, version 7.4.7 and below, version 7.2.10 and below, 7.2 all versions, 6.4 all versions, FortiProxy version 7.6.2 and below, version 7.4.3 and below, 7.2 all versions, 7.0 all versions, 2.0 all versions and FortiPAM version 1.5.0, version 1.4.2 and below, 1.3 all versions, 1.2 all versions, 1.1 all versions, 1.0 all versions SSL-VPN RDP and VNC bookmarks may allow an authenticated user to affect the device SSL-VPN availability via crafted requests.
Integer Overflow or Wraparound
Privilege Escalation in FortiOS 6.4-7.6.2 via Malicious FortiManager
CVE-2025-53744
- August 12, 2025
An incorrect privilege assignment vulnerability [CWE-266] in FortiOS Security Fabric version 7.6.0 through 7.6.2, 7.4.0 through 7.4.7, 7.2 all versions, 7.0 all versions, 6.4 all versions, may allow a remote authenticated attacker with high privileges to escalate their privileges to super-admin via registering the device to a malicious FortiManager.
Incorrect Privilege Assignment
Fortinet FortiOS RCE via Double Free (CVE-2023-45584)
CVE-2023-45584
6.3 - Medium
- August 12, 2025
A double free vulnerability [CWE-415] in Fortinet FortiOS 7.4.0, FortiOS 7.2.0 through 7.2.5, FortiOS 7.0.0 through 7.0.12, FortiOS 6.4 all versions, FortiPAM 1.1 all versions, FortiPAM 1.0 all versions, FortiProxy 7.4.0 through 7.4.1, FortiProxy 7.2.0 through 7.2.7, FortiProxy 7.0.0 through 7.0.13 allows a privileged attacker to execute code or commands via crafted HTTP or HTTPS requests.
Double-free
Auth Bypass via FGFM Path in FortiOS 6.4 and FortiProxy 7.4/7.2 (CVE-2024-26009)
CVE-2024-26009
8.1 - High
- August 12, 2025
An authentication bypass using an alternate path or channel [CWE-288] vulnerability in Fortinet FortiOS version 6.4.0 through 6.4.15 and before 6.2.16, FortiProxy version 7.4.0 through 7.4.2, 7.2.0 through 7.2.8 and before 7.0.15 & FortiPAM before version 1.2.0 allows an unauthenticated attacker to seize control of a managed device via crafted FGFM requests, if the device is managed by a FortiManager, and if the attacker knows that FortiManager's serial number.
Authentication Bypass Using an Alternate Path or Channel
Fortinet FortiOS 7.2.4-7.6.2 Heap Overflow via CLI PrivEsc
CVE-2025-24477
4 - Medium
- July 15, 2025
A heap-based buffer overflow vulnerability in Fortinet FortiOS 7.6.0 through 7.6.2, FortiOS 7.4.0 through 7.4.7, FortiOS 7.2.4 through 7.2.12 allows an attacker to escalate their privileges via a specially crafted CLI command.
Heap-based Buffer Overflow
Fortinet FortiOS/FortiProxy 7.x API Key + PKI: Invalid Cert Bypass
CVE-2024-52965
- July 08, 2025
A missing critical step in authentication vulnerability [CWE-304] in Fortinet FortiOS version 7.6.0 through 7.6.1, 7.4.0 through 7.4.5, 7.2.0 through 7.2.10, and before 7.0.16 & FortiProxy version 7.6.0 through 7.6.1, 7.4.0 through 7.4.8, 7.2.0 through 7.2.13 and before 7.0.20 allows an API-user using api-key + PKI user certificate authentication to login even if the certificate is invalid.
Missing Critical Step in Authentication
FortiOS/FortiProxy DNS Filter Bypass (CWE-358) – Version <= 7.6.0
CVE-2024-55599
- July 08, 2025
An Improperly Implemented Security Check for Standard vulnerability [CWE-358] in FortiOS version 7.6.0, version 7.4.7 and below, 7.0 all versions, 6.4 all versions and FortiProxy version 7.6.1 and below, version 7.4.8 and below, 7.2 all versions, 7.0 all versions may allow a remote unauthenticated user to bypass the DNS filter via Apple devices.
Improperly Implemented Security Check for Standard
Improper Privilege Escalation in Fortinet FortiOS 7.6.x via Node.js WebSocket
CVE-2025-22254
6.5 - Medium
- June 10, 2025
An improper privilege management vulnerability [CWE-269] in Fortinet FortiOS 7.6.0 through 7.6.1, FortiOS 7.4.0 through 7.4.6, FortiOS 7.2.0 through 7.2.10, FortiOS 7.0.0 through 7.0.16, FortiOS 6.4.0 through 6.4.15, FortiProxy 7.6.0 through 7.6.1, FortiProxy 7.4.0 through 7.4.7, FortiWeb 7.6.0 through 7.6.1, FortiWeb 7.4.0 through 7.4.6 allows an authenticated attacker with at least read-only admin permissions to gain super-admin privileges via crafted requests to the Node.js websocket module.
Improper Privilege Management
FortiOS 6.4-7.6.0 Session Injection via Crafted FGSP Session-Sync Packets (CWE-923)
CVE-2025-22251
5.3 - Medium
- June 10, 2025
An improper restriction of communication channel to intended endpoints vulnerability [CWE-923] in FortiOS 7.6.0, 7.4.0 through 7.4.5, 7.2 all versions, 7.0 all versions, 6.4 all versions may allow an unauthenticated attacker to inject unauthorized sessions via crafted FGSP session synchronization packets.
Improper Restriction of Communication Channel to Intended Endpoints
Sensitive Info Exposure in FortiOS 7.6.0 SSL-VPN Web-Mode (CWE-200)
CVE-2025-25250
4.3 - Medium
- June 10, 2025
An Exposure of Sensitive Information to an Unauthorized Actor vulnerability [CWE-200] in FortiOS version 7.6.0, version 7.4.7 and below, 7.2 all versions, 7.0 all versions, 6.4 all versions SSL-VPN web-mode may allow an authenticated user to access full SSL-VPN settings via crafted URL.
Information Disclosure
Improper Cert Validation in FortiOS <=7.6.1 & <=7.4.7 with Revoked Certs
CVE-2025-24471
- June 10, 2025
An Improper Certificate Validation vulnerability [CWE-295] in FortiOS version 7.6.1 and below, version 7.4.7 and below may allow an EAP verified remote user to connect from FortiClient via revoked certificate.
Improper Certificate Validation
Fortinet FortiOS/FortiProxy 7.0.14-7.4.3 – Unauth Channel Spoofing (CWE-300)
CVE-2024-50568
- June 10, 2025
A channel accessible by non-endpoint vulnerability [CWE-300] in Fortinet FortiOS version 7.4.0 through 7.4.3, 7.2.0 through 7.2.7 and before 7.0.14 & FortiProxy version 7.4.0 through 7.4.3, 7.2.0 through 7.2.9 and before 7.0.16 allows an unauthenticated attacker with the knowledge of device specific data to spoof the identity of a downstream device of the security fabric via crafted TCP requests.
Man-in-the-Middle / MITM
FortiOS SSL-VPN 7.6.0/7.4.6/7.2.10/7.0/6.4: Improper Session Expiration (CWE-613)
CVE-2024-50562
- June 10, 2025
An Insufficient Session Expiration vulnerability [CWE-613] in FortiOS SSL-VPN version 7.6.0, version 7.4.6 and below, version 7.2.10 and below, 7.0 all versions, 6.4 all versions may allow an attacker in possession of a cookie used to log in the SSL-VPN portal to log in again, although the session has expired or was logged out.
Insufficient Session Expiration
FortiOS 7.2+ & FortiProxy 7.2.0-7.2.2: Silent SSH Key Injection (CWE-459)
CVE-2023-29184
2.3 - Low
- June 10, 2025
An incomplete cleanup vulnerability [CWE-459] in FortiOS 7.2 all versions and before & FortiProxy version 7.2.0 through 7.2.2 and before 7.0.8 allows a VDOM privileged attacker to add SSH key files on the system silently via crafted CLI requests.
Insufficient Cleanup
FortiOS csfd integer overflow (7.0.0-7.0.14, 7.2.0-7.2.7)
CVE-2025-47294
5.3 - Medium
- May 28, 2025
An integer overflow or wraparound in Fortinet FortiOS versions 7.2.0 through 7.2.7 and versions 7.0.0 through 7.0.14 may allow a remote unauthenticated attacker to crash the csfd daemon via a specially crafted request.
Integer Overflow or Wraparound
FortiOS FGFM Buffer Over-read Remote Crash 7.0–7.4
CVE-2025-47295
3.7 - Low
- May 28, 2025
A buffer over-read in Fortinet FortiOS versions 7.4.0 through 7.4.3, versions 7.2.0 through 7.2.7, and versions 7.0.0 through 7.0.14 may allow a remote unauthenticated attacker to crash the FGFM daemon via a specially crafted request, under rare conditions that are outside of the attacker's control.
Out-of-bounds Read
Fortinet FortiProxy/FortiSwitchManager/FortiOS 7.x Auth Bypass: Admin Priv Access
CVE-2025-22252
9 - Critical
- May 28, 2025
A missing authentication for critical function in Fortinet FortiProxy versions 7.6.0 through 7.6.1, FortiSwitchManager version 7.2.5, and FortiOS versions 7.4.4 through 7.4.6 and version 7.6.0 may allow an attacker with knowledge of an existing admin account to access the device as a valid admin via an authentication bypass.
Missing Authentication for Critical Function
FortiOS 6.4-7.4.8 LDAP Credential Disclosure via Malicious LDAP Server IP
CVE-2024-32122
2.1 - Low
- April 08, 2025
A storing passwords in a recoverable format vulnerability in Fortinet FortiOS 7.4.0 through 7.4.8, FortiOS 7.2 all versions, FortiOS 7.0 all versions, FortiOS 6.4 all versions allows an attacker to disclose information by modifying the LDAP server IP to point to a malicious server.
Storing Passwords in a Recoverable Format
FortiOS SSL VPN MemCorrupt (v7.4.0 & 7.2.0-7.2.5) CVE-2023-37930
CVE-2023-37930
6.7 - Medium
- April 08, 2025
Multiple issues, including use of uninitialized resources [CWE-908] and excessive iteration [CWE-834], in Fortinet FortiOS SSL VPN allow a VPN user to corrupt memory, potentially leading to code or command execution via specifically crafted requests.
Use of Uninitialized Resource