CVSS Vector (NVD)
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Description (NVD)
A missing authentication for critical function vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2.0 through 7.2.11, FortiOS 7.0.0 through 7.0.17, FortiOS 6.4 all versions, FortiOS 6.2.9 through 6.2.17 allows an attacker to execute unauthorized code or commands via specially crafted packets.
Analysis (AI)
Fortinet FortiOS allows unauthenticated attackers on an adjacent network to execute unauthorized code or commands on affected devices through specially crafted packets, because a critical function is reachable without any authentication check. This affects FortiOS versions 6.2.9 through 6.2.17, all 6.4.x versions, 7.0.0 through 7.0.17, 7.2.0 through 7.2.11, 7.4.0 through 7.4.8, and 7.6.0 through 7.6.3. With an NVD CVSS score of 6.5 and an adjacent network attack vector, this is a significant risk to any FortiGate appliance that shares a network segment with untrusted hosts. No public exploit code or active exploitation has been confirmed at the time of analysis.
Technical Context (AI)
FortiOS is the operating system for Fortinet FortiGate firewalls and security appliances. The vulnerability is classified as CWE-306 (Missing Authentication for Critical Function): a critical operational function can be invoked without the caller first being authenticated. The CVSS vector specifies an adjacent network attack vector (AV:A), meaning the attacker must be on the same physical or logical network segment as the target device (for example the same subnet or VLAN), with no privileges required (PR:N) and no user interaction (UI:N). The vector records only an integrity impact (C:N/I:H/A:N), which is narrower than the code or command execution the description claims; the two sources disagree here, so the 6.5 score reflects NVD's vector rather than what arbitrary command execution on a firewall would normally imply, and the Fortinet advisory should be checked for the vendor's own rating. The affected CPE string (cpe:2.3:a:fortinet:fortios) covers every FortiOS installation in the listed version ranges, so the issue spans most supported FortiGate deployments.
Remediation (AI)
Fortinet has released patched versions to address this vulnerability. Upgrade to FortiOS 6.2.18 or later for the 6.2.x branch, 7.0.18 or later for the 7.0.x branch, 7.2.12 or later for the 7.2.x branch, 7.4.9 or later for the 7.4.x branch, or 7.6.4 or later for the 7.6.x branch. The description lists every 6.4 release as affected and names no fixed 6.4 version, so 6.4.x deployments should be migrated to a fixed release on a supported branch unless the Fortinet advisory states otherwise; confirm all fixed versions against the advisory before scheduling upgrades. Organizations unable to patch immediately should restrict which hosts on adjacent networks can reach the appliance's own services (the description does not identify the vulnerable service, so limit all device-facing traffic rather than only the management interfaces), place management access on a dedicated, segmented network, and monitor for unexpected configuration changes. Because the flaw is a missing authentication check, failed-login entries in authentication logs will not reveal exploitation attempts. Consult Fortinet security advisory FG-IR-26-125 at https://fortiguard.fortinet.com/psirt/FG-IR-26-125 for detailed patch availability and deployment guidance.
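As an added fleet-triage example (not code from vuln.today or Fortinet), the script below transcribes the affected ranges from the NVD description above into a version check and applies it to the text of a FortiGate's "get system status" output. The sample outputs are constructed for this example: the hostnames, models and build numbers are made up, and the layout of the Version and Hostname lines is an assumption about that command's format. A device outside every listed range is reported as not listed, not as verified safe.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges transcribed from the NVD description on this page:
# (major.minor branch, first affected, last affected). A (None, None) pair
# means the description lists every release of the branch ("FortiOS 6.4 all versions").
AFFECTED_RANGES: List[Tuple[Tuple[int, int], Optional[Version], Optional[Version]]] = [
    ((7, 6), (7, 6, 0), (7, 6, 3)),
    ((7, 4), (7, 4, 0), (7, 4, 8)),
    ((7, 2), (7, 2, 0), (7, 2, 11)),
    ((7, 0), (7, 0, 0), (7, 0, 17)),
    ((6, 4), None, None),
    ((6, 2), (6, 2, 9), (6, 2, 17)),
]

# Matches the "v7.4.8" token in the Version line of "get system status".
_VERSION_RE = re.compile(r"\bv(\d+)\.(\d+)\.(\d+)\b")
# Assumed layout of the Hostname line in the same output.
_HOSTNAME_RE = re.compile(r"^Hostname:\s*(\S+)", re.MULTILINE)


def parse_version(text: str) -> Optional[Version]:
    """Return the first vX.Y.Z token in CLI output as (X, Y, Z), or None if absent."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_affected(version: Version) -> bool:
    """True if the version falls inside a range the description lists as affected.

    Versions outside every listed range (e.g. 7.4.9 or 6.2.8) return False, which
    means "not listed", not "verified safe"; confirm against the Fortinet advisory.
    """
    branch = version[:2]
    for b, lo, hi in AFFECTED_RANGES:
        if b != branch:
            continue
        if lo is None or hi is None:   # whole branch listed as affected
            return True
        return lo <= version <= hi
    return False


def triage(status_output: str) -> Dict[str, object]:
    """Classify one device from the text of its 'get system status' output."""
    ver = parse_version(status_output)
    host_m = _HOSTNAME_RE.search(status_output)
    host = host_m.group(1) if host_m else "unknown"
    if ver is None:
        # No parseable version: report it so the device is not silently skipped.
        return {"host": host, "version": None, "affected": None}
    return {"host": host, "version": ".".join(map(str, ver)), "affected": is_affected(ver)}


# Constructed sample outputs modelled on the 'get system status' layout; the
# hostnames, models and build numbers are invented for this example.
SAMPLE_STATUS = [
    "Version: FortiGate-100F v7.4.8,build2795,250331 (GA.F)\nHostname: fgt-edge-01\n",
    "Version: FortiGate-60F v7.4.9,build2800,250601 (GA.F)\nHostname: fgt-branch-02\n",
    "Version: FortiGate-200E v6.4.15,build2547,240401 (GA.M)\nHostname: fgt-legacy-03\n",
    "Version: FortiGate-40F v6.2.8,build1112,220101 (GA)\nHostname: fgt-old-04\n",
]


if __name__ == "__main__":
    for out in SAMPLE_STATUS:
        r = triage(out)
        print(f"{r['host']:<16} {r['version'] or '?':<8} affected={r['affected']}")
```

In practice the status text would come from an SSH session or from a configuration-management export; the check itself only needs the Version line. The 6.4 branch is matched as a whole because the description gives no fixed 6.4 release, so every 6.4.x device is flagged for migration regardless of its patch level.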
EUVD-2025-209450
GHSA-v55w-rvx7-pq26