FortiOS
CVE-2025-57740
HIGH
Severity by source
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
An Heap-based Buffer Overflow vulnerability [CWE-122] in FortiOS version 7.6.2 and below, version 7.4.7 and below, version 7.2.10 and below, 7.0 all versions, 6.4 all versions; FortiPAM version 1.5.0, version 1.4.2 and below, 1.3 all versions, 1.2 all versions, 1.1 all versions, 1.0 all versions and FortiProxy version 7.6.2 and below, version 7.4.3 and below, 7.2 all versions, 7.0 all versions RDP bookmark connection may allow an authenticated user to execute unauthorized code via crafted requests.
AnalysisAI
Authenticated remote code execution in Fortinet FortiOS, FortiProxy, and FortiPAM enables low-privileged users to trigger a heap-based buffer overflow through crafted RDP bookmark connection requests. The flaw affects multiple major release trains across all three product families, including FortiOS 7.6.2 and earlier, 7.4.7 and earlier, 7.2.10 and earlier, and all 6.4/7.0 versions. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV.
Technical ContextAI
The vulnerability is a CWE-122 heap-based buffer overflow in the RDP bookmark connection handler shared across FortiOS (the base operating system for FortiGate appliances), FortiProxy (secure web gateway), and FortiPAM (privileged access management). RDP bookmarks are a feature that lets authenticated portal users launch Remote Desktop sessions to internal hosts via the SSL VPN/web portal; the parser for crafted bookmark connection requests fails to bound a write into a heap allocation, allowing adjacent heap metadata or object pointers to be corrupted. Because the same vulnerable code is reused across CPE entries cpe:2.3:o:fortinet:fortios, cpe:2.3:o:fortinet:fortipam, and cpe:2.3:a:fortinet:fortiproxy, a single root cause cascades into all three product lines.
RemediationAI
Patch available per vendor advisory FG-IR-25-756 (https://fortiguard.fortinet.com/psirt/FG-IR-25-756); upgrade FortiOS past 7.6.2 / 7.4.7 / 7.2.10 and migrate off 7.0 and 6.4 trains, upgrade FortiProxy past 7.6.2 / 7.4.3 and migrate off 7.2 and 7.0, and upgrade FortiPAM past 1.5.0 / 1.4.2 and migrate off 1.3 and earlier - refer to the FortiGuard advisory for the exact fixed build numbers per branch. Where immediate patching is not possible, the most direct compensating control is to disable the RDP bookmark feature in the SSL VPN/web portal configuration (config vpn ssl web portal, removing rdp from the bookmarks list), which eliminates the vulnerable code path at the cost of removing browser-based RDP access for legitimate users. Additionally, restrict portal access to trusted source IP ranges via local-in policy and tighten authentication (enforce MFA on all portal accounts) to raise the bar for the PR:L precondition. Siemens-managed OT deployments should also consult SSA-864900 at https://cert-portal.siemens.com/productcert/html/ssa-864900.html for environment-specific guidance.
More in Fortiproxy
View allFortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote
FortiOS and FortiProxy contain an authentication bypass allowing unauthenticated attackers with knowledge of upstream/do
Arbitrary file write and folder deletion in Fortinet FortiManager, FortiOS, and FortiProxy is possible via a path traver
An authentication bypass using an alternate path or channel [CWE-288] in Fortinet FortiOS version 7.2.0 through 7.2.1 an
A out-of-bounds write in Fortinet FortiOS versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through 7.0.13, 6.4.0
A buffer underwrite ('buffer underflow') vulnerability in the administrative interface of Fortinet FortiOS version 7.2.0
A out-of-bounds write vulnerability in Fortinet FortiOS 7.4.0 through 7.4.1, FortiOS 7.2.0 through 7.2.5, FortiOS 7.0.0
A missing authentication for critical function in Fortinet FortiManager version 7.4.0 through 7.4.2, 7.2.0 through 7.2.4
A use of externally-controlled format string in Fortinet FortiOS versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.
A stack-based overflow vulnerability [CWE-124] in Fortinet FortiOS version 7.0.0 through 7.0.10 and 7.2.0 through 7.2.3
A heap-based buffer overflow vulnerability [CWE-122] in FortiOS version 7.2.4 and below, version 7.0.11 and below, versi
An authentication bypass by assumed-immutable data vulnerability [CWE-302] in the FortiOS SSH login component 7.2.0, 7.0
Same weakness CWE-122 – Heap-based Buffer Overflow
View allSame technique Heap Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today