Skip to main content

FortiOS CVE-2025-57740

HIGH
Heap-based Buffer Overflow (CWE-122)
2025-10-14 psirt@fortinet.com
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jun 09, 2026 - 10:31 vuln.today
CVE Published
Oct 14, 2025 - 16:15 nvd
HIGH 7.5

DescriptionCVE.org

An Heap-based Buffer Overflow vulnerability [CWE-122] in FortiOS version 7.6.2 and below, version 7.4.7 and below, version 7.2.10 and below, 7.0 all versions, 6.4 all versions; FortiPAM version 1.5.0, version 1.4.2 and below, 1.3 all versions, 1.2 all versions, 1.1 all versions, 1.0 all versions and FortiProxy version 7.6.2 and below, version 7.4.3 and below, 7.2 all versions, 7.0 all versions RDP bookmark connection may allow an authenticated user to execute unauthorized code via crafted requests.

AnalysisAI

Authenticated remote code execution in Fortinet FortiOS, FortiProxy, and FortiPAM enables low-privileged users to trigger a heap-based buffer overflow through crafted RDP bookmark connection requests. The flaw affects multiple major release trains across all three product families, including FortiOS 7.6.2 and earlier, 7.4.7 and earlier, 7.2.10 and earlier, and all 6.4/7.0 versions. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV.

Technical ContextAI

The vulnerability is a CWE-122 heap-based buffer overflow in the RDP bookmark connection handler shared across FortiOS (the base operating system for FortiGate appliances), FortiProxy (secure web gateway), and FortiPAM (privileged access management). RDP bookmarks are a feature that lets authenticated portal users launch Remote Desktop sessions to internal hosts via the SSL VPN/web portal; the parser for crafted bookmark connection requests fails to bound a write into a heap allocation, allowing adjacent heap metadata or object pointers to be corrupted. Because the same vulnerable code is reused across CPE entries cpe:2.3:o:fortinet:fortios, cpe:2.3:o:fortinet:fortipam, and cpe:2.3:a:fortinet:fortiproxy, a single root cause cascades into all three product lines.

RemediationAI

Patch available per vendor advisory FG-IR-25-756 (https://fortiguard.fortinet.com/psirt/FG-IR-25-756); upgrade FortiOS past 7.6.2 / 7.4.7 / 7.2.10 and migrate off 7.0 and 6.4 trains, upgrade FortiProxy past 7.6.2 / 7.4.3 and migrate off 7.2 and 7.0, and upgrade FortiPAM past 1.5.0 / 1.4.2 and migrate off 1.3 and earlier - refer to the FortiGuard advisory for the exact fixed build numbers per branch. Where immediate patching is not possible, the most direct compensating control is to disable the RDP bookmark feature in the SSL VPN/web portal configuration (config vpn ssl web portal, removing rdp from the bookmarks list), which eliminates the vulnerable code path at the cost of removing browser-based RDP access for legitimate users. Additionally, restrict portal access to trusted source IP ranges via local-in policy and tighten authentication (enforce MFA on all portal accounts) to raise the bar for the PR:L precondition. Siemens-managed OT deployments should also consult SSA-864900 at https://cert-portal.siemens.com/productcert/html/ssa-864900.html for environment-specific guidance.

CVE-2024-55591 CRITICAL POC
9.8 Jan 14

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote

CVE-2025-24472 HIGH
8.1 Feb 11

FortiOS and FortiProxy contain an authentication bypass allowing unauthenticated attackers with knowledge of upstream/do

CVE-2024-48884 CRITICAL
9.1 Jan 14

Arbitrary file write and folder deletion in Fortinet FortiManager, FortiOS, and FortiProxy is possible via a path traver

CVE-2022-40684 CRITICAL POC
9.8 Oct 18

An authentication bypass using an alternate path or channel [CWE-288] in Fortinet FortiOS version 7.2.0 through 7.2.1 an

CVE-2024-21762 CRITICAL POC
9.8 Feb 09

A out-of-bounds write in Fortinet FortiOS versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through 7.0.13, 6.4.0

CVE-2023-25610 CRITICAL
9.8 Mar 24

A buffer underwrite ('buffer underflow') vulnerability in the administrative interface of Fortinet FortiOS version 7.2.0

CVE-2023-42789 CRITICAL
9.8 Mar 12

A out-of-bounds write vulnerability in Fortinet FortiOS 7.4.0 through 7.4.1, FortiOS 7.2.0 through 7.2.5, FortiOS 7.0.0

CVE-2024-26011 CRITICAL
9.8 Nov 12

A missing authentication for critical function in Fortinet FortiManager version 7.4.0 through 7.4.2, 7.2.0 through 7.2.4

CVE-2024-23113 CRITICAL
9.8 Feb 15

A use of externally-controlled format string in Fortinet FortiOS versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.

CVE-2023-33308 CRITICAL
9.8 Jul 26

A stack-based overflow vulnerability [CWE-124] in Fortinet FortiOS version 7.0.0 through 7.0.10 and 7.2.0 through 7.2.3

CVE-2023-27997 CRITICAL
9.8 Jun 13

A heap-based buffer overflow vulnerability [CWE-122] in FortiOS version 7.2.4 and below, version 7.0.11 and below, versi

CVE-2022-35843 CRITICAL
9.8 Dec 06

An authentication bypass by assumed-immutable data vulnerability [CWE-302] in the FortiOS SSH login component 7.2.0, 7.0

Share

CVE-2025-57740 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy