Full Report
Multiple vulnerabilities have been discovered in Fortinet products, the most severe of which could allow for arbitrary code execution.

FortiSandbox is an advanced threat detection solution from Fortinet that uses sandboxing to analyze suspicious files and network traffic for advanced threats such as zero-day malware and ransomware. FortiWeb is a web application firewall (WAF) that protects web applications and APIs from attacks such as SQL injection and cross-site scripting, while also helping to meet compliance requirements. FortiVoice is a unified communications solution that combines voice, chat, conferencing, and fax into a single, secure platform for businesses and schools. FortiOS is Fortinet's proprietary operating system, which is used across multiple product lines. FortiProxy is a secure web gateway product from Fortinet that protects users from internet-borne attacks, enforces compliance, and improves network performance. FortiClientEMS is a centralized management platform for deploying, configuring, monitoring, and enforcing security policies across numerous endpoints (computers) running the FortiClient agent. FortiSwitchManager is Fortinet's dedicated, on-premise platform for centrally managing FortiSwitch devices in large deployments. FortiFone is Fortinet's secure, enterprise-grade unified communications solution.

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the affected service account. Depending on the privileges associated with the service account, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Service accounts that are configured to have fewer user rights on the system could be less impacted than those that operate with administrative user rights.
Analysis Summary
The following is an actionable summary of the Fortinet vulnerabilities described above, based on the provided context. Note that the specific severity scores, CWEs, and patched versions for all listed CVEs were not explicitly detailed in the source text; where possible these have been inferred from the structure of the source material, and otherwise they are noted as pending.
# Vulnerability: Critical Arbitrary Code Execution Flaws Across Multiple Fortinet Products
## CVE Details
- **CVE ID:** Multiple (key CVEs identified: CVE-2025-25249, CVE-2025-64155, CVE-2025-58693, CVE-2025-59922)
- **CVSS Score:** Not explicitly listed for the set as a whole; the most severe vulnerability allows arbitrary code execution (ACE), which indicates a likely high or critical score.
- **CWE:** CWE-122 (Heap-based Buffer Overflow), CWE-78 (OS Command Injection), CWE-89 (SQL Injection), CWE-918 (SSRF)
## Affected Systems
- **Products:** FortiOS, FortiSandbox, FortiWeb, FortiVoice, FortiProxy, FortiClientEMS, FortiSwitchManager, FortiFone, FortiSIEM.
- **Versions:**
* **FortiVoice:** 7.2.0 - 7.2.2, 7.0.0 - 7.0.7
* **FortiClientEMS:** 7.4.3 - 7.4.4, 7.4.0 - 7.4.1, 7.2.0 - 7.2.10, All versions of 7.0
* **FortiOS/FortiSASE:** 7.6.0 - 7.6.3, 7.4.0 - 7.4.8, 7.2.0 - 7.2.11, 7.0.0 - 7.0.17, 6.4.0 - 6.4.16. (SASE versions: 25.2.b, 25.1.a.2)
* **FortiSwitchManager:** 7.2.0 - 7.2.6, 7.0.0 - 7.0.5
* **FortiSandbox:** 5.0.0 - 5.0.4, All versions of 4.4, 4.2, 4.0
* **FortiFone:** 7.0.0 - 7.0.1, 3.0.13 - 3.0.23
* **FortiSIEM:** 7.4.0, 7.3.0 - 7.3.4, 7.2.0 - 7.2.6, 7.1.0 - 7.1.8, 7.0.0 - 7.0.4
- **Configurations:** Vulnerabilities affect various components, including the `cw_acd` daemon in FortiOS/FortiSwitchManager, and components accessible via TCP or HTTP/HTTPS requests.
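The version list above is the part of this advisory an operator acts on first, so here is an added example (not part of the advisory or of any Fortinet tooling) that encodes those ranges and checks an asset inventory against them. The ranges are transcribed from the "Versions" list; the FortiOS entries come from the combined "FortiOS/FortiSASE" line, and the FortiSASE strings (25.2.b, 25.1.a.2) are left out because they are not dotted-numeric versions. Product keys, the range syntax, and the sample inventory are this example's own constructions.

```python
"""Check deployed Fortinet product versions against the advisory's affected ranges.

Added example; the ranges below are transcribed from the advisory's
Affected Systems list, everything else is an assumption of this example.
"""
import re
from typing import Iterable

# (low, high) is inclusive on both ends. ("7.0", "all") means every release
# on the 7.0 branch, matching the advisory's "All versions of 7.0" wording.
AFFECTED = {
    "FortiVoice": [("7.2.0", "7.2.2"), ("7.0.0", "7.0.7")],
    "FortiClientEMS": [("7.4.3", "7.4.4"), ("7.4.0", "7.4.1"),
                       ("7.2.0", "7.2.10"), ("7.0", "all")],
    "FortiOS": [("7.6.0", "7.6.3"), ("7.4.0", "7.4.8"), ("7.2.0", "7.2.11"),
                ("7.0.0", "7.0.17"), ("6.4.0", "6.4.16")],
    "FortiSwitchManager": [("7.2.0", "7.2.6"), ("7.0.0", "7.0.5")],
    "FortiSandbox": [("5.0.0", "5.0.4"), ("4.4", "all"), ("4.2", "all"), ("4.0", "all")],
    "FortiFone": [("7.0.0", "7.0.1"), ("3.0.13", "3.0.23")],
    "FortiSIEM": [("7.4.0", "7.4.0"), ("7.3.0", "7.3.4"), ("7.2.0", "7.2.6"),
                  ("7.1.0", "7.1.8"), ("7.0.0", "7.0.4")],
}

VERSION_RE = re.compile(r"^\d+(\.\d+)*$")


def parse_version(v: str) -> tuple[int, ...]:
    """'7.4.8' -> (7, 4, 8). Rejects anything that is not dotted-numeric
    (e.g. FortiSASE's '25.2.b') instead of silently mis-comparing it."""
    if not VERSION_RE.match(v):
        raise ValueError(f"unsupported version string: {v!r}")
    return tuple(int(part) for part in v.split("."))


def in_range(version: str, low: str, high: str) -> bool:
    """Inclusive range test; 'all' matches every release sharing the branch prefix."""
    v = parse_version(version)
    if high == "all":
        branch = parse_version(low)
        return v[: len(branch)] == branch
    return parse_version(low) <= v <= parse_version(high)


def is_affected(product: str, version: str) -> bool:
    """True if the advisory lists this product/version as affected.
    Raises KeyError for products the table does not cover."""
    return any(in_range(version, lo, hi) for lo, hi in AFFECTED[product])


def triage(inventory: Iterable[tuple[str, str, str]]) -> list[str]:
    """inventory rows are (hostname, product, version); returns hosts to patch.
    Products absent from the table are skipped rather than treated as safe."""
    return [host for host, product, version in inventory
            if product in AFFECTED and is_affected(product, version)]


# Constructed sample inventory (hostnames are made up for this example).
SAMPLE_INVENTORY = [
    ("fw-edge-01", "FortiOS", "7.4.8"),       # upper bound of 7.4.0 - 7.4.8: affected
    ("fw-edge-02", "FortiOS", "7.4.9"),       # one past the range: not affected
    ("ems-01", "FortiClientEMS", "7.0.13"),   # "All versions of 7.0": affected
    ("sbx-01", "FortiSandbox", "5.0.5"),      # above 5.0.4: not affected
    ("sbx-02", "FortiSandbox", "4.2.7"),      # all of 4.2: affected
    ("siem-01", "FortiSIEM", "7.4.0"),        # single-version range: affected
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: affected, patch required")
```

Range bounds are compared as integer tuples so that 7.2.11 sorts after 7.2.2 (a plain string comparison would get this wrong), and a product missing from the table is skipped in `triage` but raises in `is_affected`, so a typo in a product name is noticed rather than reported as unaffected.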
## Vulnerability Description
Multiple security flaws exist across the Fortinet portfolio. The most critical flaws permit **Arbitrary Code Execution (ACE)** in the context of the affected service account.
1. **Heap-based Buffer Overflow (CVE-2025-25249):** A heap-based buffer overflow in the `cw_acd` daemon of **FortiOS** and **FortiSwitchManager** could allow an unauthenticated, remote attacker to execute arbitrary code or commands via specially crafted requests. This maps to the **Initial Access** tactic and the **Exploit Public-Facing Application** technique.
2. **OS Command Injection (CVE-2025-64155):** A flaw in **FortiSIEM** allows an unauthenticated attacker to execute unauthorized code or commands via crafted TCP requests.
3. **Path Traversal (CVE-2025-58693):** A flaw in **FortiVoice** may allow a *privileged* attacker to delete unintended files via crafted HTTP/HTTPS requests.
4. **SQL Injection (CVE-2025-59922):** A flaw in **FortiClientEMS** may allow an authenticated attacker (with at least read-only admin permission) to execute unauthorized SQL code via crafted HTTP/HTTPS requests.
## Exploitation
- **Status:** There are **no reports of these vulnerabilities being exploited in the wild** currently.
- **Complexity:** The heap overflow and OS command injection vulnerabilities (likely the most severe) are typically of **Low** to **Medium** complexity when the affected services are internet-facing, by analogy with similar findings.
- **Attack Vector:** Attacks related to CVE-2025-25249 and CVE-2025-64155 appear to be **Network** based and may be **unauthenticated**.
## Impact
Successful exploitation of the most severe issues could lead to the execution of attacker-controlled code with the privileges of the affected service account.
- **Confidentiality:** High (Potential to view, change, or delete data, or create new accounts with full user rights if the service account is highly privileged).
- **Integrity:** High (Ability to modify system state, install programs).
- **Availability:** Medium to High (Depending on the successful execution and privileges gained).
## Remediation
### Patches
The advisory implies that patches are available from Fortinet corresponding to the resolution of these issues (referenced by multiple PSIRT advisories). Users **must consult the official Fortinet security bulletin (FG-IR-25-XXX)** referenced in the source material for specific patched versions for each affected product line.
### Workarounds
No specific vendor workarounds were detailed in the provided text. **Patching should be treated as the primary defense.**
## Detection
- **Indicators of Compromise:** Monitor for unusual process execution, modifications to system files, or unexpected network connections originating from services associated with Fortinet components (e.g., `cw_acd` process activity).
- **Detection Methods and Tools:** Network security monitoring (NSM) tools should scan for traffic patterns indicative of command injection or malformed requests targeting the vulnerable services. Authentication logs should be scrutinized for successful logins by low-privilege accounts performing high-privilege actions (related to the SQLi vulnerability).
## References
- MS-ISAC ADVISORY NUMBER: 2026-003
- Fortinet PSIRT Advisories:
  - hXXps://fortiguard.fortinet.com/psirt/FG-IR-25-778
  - hXXps://fortiguard.fortinet.com/psirt/FG-IR-25-735
  - hXXps://fortiguard.fortinet.com/psirt/FG-IR-25-084
  - hXXps://fortiguard.fortinet.com/psirt/FG-IR-25-783
  - hXXps://fortiguard.fortinet.com/psirt/FG-IR-25-260
  - hXXps://fortiguard.fortinet.com/psirt/FG-IR-25-772
- General PSIRT Page: hXXps://fortiguard.fortinet.com/psirt