Fortinet Releases Security Updates for FortiOS and FortiSwitch Manager

Advisory addresses a vulnerability which if exploited could allow a remote unauthenticated attacker to perform arbitrary code or command execution

Threat ID:: CC-4736
Threat Severity:: Medium
Published:: 14 January 2026 1:34 PM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

Advisory addresses a vulnerability which if exploited could allow a remote unauthenticated attacker to perform arbitrary code or command execution

Affected platforms

The following platforms are known to be affected:

Fortinet FortiOS

7.6.0 to 7.6.3
7.4.0 to 7.4.8
7.2.0 to 7.2.11
7.0.0 to 7.0.17
6.4.0 to 6.4.16

Fortinet FortiSwitch Manager

7.2.0 to 7.2.6
7.0.0 to 7.0.5

Threat details

Introduction

Fortinet has released security updates to address a high severity vulnerability in FortiOS and FortiSwitch Manager. Successful exploitation by a remote unauthenticated attacker could allow for arbitrary code or command execution.

CVE-2025-25249 - Heap-Based Buffer Overflow vulnerability - CVSSv3 score: 7.4

Remediation advice

Affected organisations are encouraged to review the Fortinet PSIRT FG-IR-25-084 and apply the relevant updates as soon as possible.

Definitive source of threat updates

https://fortiguard.fortinet.com/psirt/FG-IR-25-084

CVE Vulnerabilities

Status Published

CVE-2025-25249

A heap-based buffer overflow vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2.0 through 7.2.11, FortiOS 7.0.0 through 7.0.17, FortiOS 6.4.0 through 6.4.16, FortiSASE 25.2.b, FortiSASE 25.1.a.2, FortiSwitchManager 7.2.0 through 7.2.6, FortiSwitchManager 7.0.0 through 7.0.5 allows attacker to execute unauthorized code or commands via specially crafted packets

Last edited: 14 January 2026 1:34 pm