CVE's
Summary
Briefing: CVE's Purpose: News about security alerts for our product stack
Key Insights
- Multiple products have critical unauthenticated vulnerabilities requiring immediate action. Fortinet disclosed critical flaws in FortiSIEM (CVE-2025-64155, CVSS 9.4) and FortiFone (CVE-2025-47855, CVSS 9.3). Both can be exploited by unauthenticated remote attackers to execute commands or access sensitive configurations, making them the highest priority for patching.
- Unauthenticated remote command injection
-
A high-severity unauthenticated flaw impacts core network infrastructure. A heap-based buffer overflow (CVE-2025-25249, CVSS 7.4) affects FortiOS and FortiSwitchManager, allowing a remote, unauthenticated attacker to execute arbitrary code. Due to the widespread deployment of these devices, this vulnerability represents a significant threat and should be prioritized alongside the critical alerts.
-
A separate set of authenticated vulnerabilities presents a secondary, but still significant, risk. Flaws with medium-to-low severity ratings were also disclosed for FortiVoice, FortiClientEMS, and FortiSandbox. These vulnerabilities require an attacker to have some level of authentication, which lowers their immediate risk compared to unauthenticated exploits but makes them dangerous in a multi-stage attack.
- Arbitrary file deletion in administrative interface
- Authenticated SQL injection in API endpoint
- SSRF in GUI console
Emerging Patterns
- A clear pattern among the most severe alerts is the ability for unauthenticated remote exploitation. Vulnerabilities in FortiSIEM, FortiFone, and FortiOS all allow attackers to execute code or steal configurations without prior access. This highlights a recurring risk in externally-facing administrative interfaces across the product line and reinforces the need for strict access controls and prompt patching.
- Unauthenticated remote command injection
- Unauthenticated access to local configuration
- Heap-based buffer overflow in cw_acd daemon
Read & Act
What to read - Unauthenticated remote command injection — This advisory details a critical (CVSS 9.4) vulnerability in FortiSIEM. It is essential reading to understand the attack vector and apply the specific workaround if immediate patching is not possible. - Unauthenticated access to local configuration — This outlines the other critical (CVSS 9.3) vulnerability in FortiFone. Understanding how unauthenticated attackers can access configuration is key to assessing the full risk to your environment. - Heap-based buffer overflow in cw_acd daemon — This high-severity alert affects core FortiOS and FortiSwitchManager products. Reviewing this is crucial for all network teams to identify affected versions and apply necessary upgrades or workarounds.
What to do 1. Triage and patch based on authentication requirements. Immediately address the unauthenticated vulnerabilities in FortiSIEM (CVE-2025-64155), FortiFone (CVE-2025-47855), and FortiOS/FortiSwitchManager (CVE-2025-25249). These pose the most immediate and severe risk to your infrastructure. 2. Apply workarounds where patching is delayed. For the FortiSIEM and FortiOS vulnerabilities, Fortinet provides specific workarounds, such as limiting access to certain ports. Implement these immediately on critical systems while you schedule and test the required firmware upgrades. 3. Audit and schedule patching for authenticated vulnerabilities. After addressing the high-priority threats, plan for the patching of flaws in FortiVoice, FortiClientEMS, and FortiSandbox. While less urgent, these could be exploited by an attacker who has already gained a foothold in the network.