
PSIRT Advisories

The following is a list of advisories for issues resolved in Fortinet products. The resolution of such issues is coordinated by the Fortinet Product Security Incident Response Team (PSIRT), a dedicated, global team that manages the receipt, investigation, and public reporting of information about security vulnerabilities and issues related to Fortinet products and services.
  1. CVSSv3 Score: 4.0

    A heap-based buffer overflow vulnerability [CWE-122] in FortiOS cw_stad daemon may allow an authenticated attacker to execute arbitrary code or commands via specifically crafted requests.

    Revised on 2025-11-03 00:00:00

  2. CVSSv3 Score: 8.0

    Critical XXE in Apache Tika (tika-parser-pdf-module) in Apache Tika 1.13 through and including 3.2.1 on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. An attacker may be able to read sensitive data or trigger malicious requests to internal resources or third-party servers. Note that the tika-parser-pdf-module is used as a dependency in several Tika packages including at least: tika-parsers-standard-modules, tika-parsers-standard-package, tika-app, tika-grpc and tika-server-standard. Users are recommended to upgrade to version 3.2.2, which fixes this issue.

    Revised on 2025-10-14 00:00:00

  3. CVSSv3 Score: 6.7

    A heap-based buffer overflow vulnerability [CWE-122] in the FortiOS, FortiPAM and FortiProxy RDP bookmark connection may allow an authenticated user to execute unauthorized code via crafted requests.

    Revised on 2025-10-14 00:00:00

  4. CVSSv3 Score: 5.5

    An Improper Control of Generation of Code ('Code Injection') vulnerability [CWE-94] in FortiClientMac may allow an unauthenticated attacker to execute arbitrary code on the victim's host via tricking the user into visiting a malicious website.

    Revised on 2025-10-14 00:00:00

  5. CVSSv3 Score: 6.0

    An Uncontrolled Search Path Element vulnerability [CWE-427] in FortiClient Windows may allow a local low-privileged user to perform a DLL hijacking attack by placing a malicious DLL in the FortiClient Online Installer installation folder.

    Revised on 2025-10-14 00:00:00

  6. CVSSv3 Score: 6.2

    An exposure of sensitive information to an unauthorized actor vulnerability [CWE-200] in FortiADC may allow an authenticated attacker to obtain sensitive data via crafted HTTP or HTTPS requests.

    Revised on 2025-10-14 00:00:00

  7. CVSSv3 Score: 3.9

    An Improperly Implemented Security Check for Standard vulnerability [CWE-358] in FortiOS and FortiProxy explicit web proxy may allow an authenticated proxy user to bypass the domain fronting protection feature via crafted HTTP requests.

    Revised on 2025-10-14 00:00:00

  8. CVSSv3 Score: 4.2

    An Insertion of Sensitive Information into Log File [CWE-532] vulnerability in FortiDLP Windows Agent installer may allow an authenticated attacker to pollute the agent pool via re-using the enrollment code.

    Revised on 2025-10-14 00:00:00

  9. CVSSv3 Score: 5.0

    An improper check or handling of exceptional conditions vulnerability [CWE-703] in FortiOS, FortiProxy, FortiPAM & FortiSwitchManager fgfm daemon may allow an unauthenticated attacker to repeatedly reset the fgfm connection via crafted SSL encrypted TCP requests.

    Revised on 2025-10-14 00:00:00

  10. CVSSv3 Score: 6.5

    A heap-based buffer overflow vulnerability [CWE-122] in FortiOS, FortiManager, FortiAnalyzer, FortiManager Cloud, FortiAnalyzer Cloud, FortiProxy fgfmd daemon may allow an authenticated attacker to execute arbitrary code or commands via specifically crafted requests.

    Revised on 2025-10-14 00:00:00

  11. CVSSv3 Score: 5.7

    A heap-based buffer overflow vulnerability [CWE-122] in the FortiOS, FortiProxy, FortiPAM, FortiSRA and FortiSwitchManager nodejs daemon may allow an authenticated attacker to execute arbitrary code or commands via specifically crafted requests.

    Revised on 2025-10-14 00:00:00

  12. CVSSv3 Score: 4.2

    An improper authorization vulnerability [CWE-285] in FortiOS & FortiProxy may allow an authenticated attacker to access static files of other VDOMs via crafted HTTP or HTTPS requests.

    Revised on 2025-10-14 00:00:00

  13. CVSSv3 Score: 7.0

    An insufficient session expiration vulnerability [CWE-613] and an incorrect authorization vulnerability [CWE-863] in the FortiIsolator authentication mechanism may allow a remote unauthenticated attacker to deauthenticate logged-in admins via a crafted cookie, and a remote authenticated read-only attacker to gain write privilege via a crafted cookie.

    Revised on 2025-10-14 00:00:00

  14. CVSSv3 Score: 2.6

    An Insertion of Sensitive Information into Log File vulnerability [CWE-532] in FortiOS may allow an attacker with at least read-only privileges to retrieve sensitive 2FA-related information by observing logs or via a diagnose command.

    Revised on 2025-10-14 00:00:00

  15. CVSSv3 Score: 4.2

    An Insertion of Sensitive Information Into Sent Data vulnerability in the FortiManager, FortiMail, FortiNDR, FortiOS, FortiPAM, FortiProxy, FortiRecorder, FortiTester, FortiVoice and FortiWeb csfd daemon may allow a remote authenticated attacker to read small and non-arbitrary parts of memory.

    Revised on 2025-10-14 00:00:00

  16. CVSSv3 Score: 4.3

    An Insufficient Session Expiration vulnerability [CWE-613] in FortiOS SSL VPN may allow a remote attacker (e.g. a former admin whose account was removed and whose session was terminated) in possession of the SAML record of a user session to access or re-open that session via re-use of the SAML record.

    Revised on 2025-10-14 00:00:00

  17. CVSSv3 Score: 7.0

    An Incorrect Permission Assignment for Critical Resource vulnerability [CWE-732] in FortiClientMac may allow a local attacker to run arbitrary code or commands via LaunchDaemon hijacking.

    Revised on 2025-10-14 00:00:00

  18. CVSSv3 Score: 6.2

    An improper authentication vulnerability [CWE-287] in FortiAnalyzer may allow an unauthenticated attacker to obtain information pertaining to the device's health and status, or cause a denial of service via crafted OFTP requests.

    Revised on 2025-10-14 00:00:00

  19. CVSSv3 Score: 6.8

    An Improper Verification of Cryptographic Signature vulnerability [CWE-347] in FortiClient MacOS installer may allow a local user to escalate their privileges via FortiClient related executables.

    Revised on 2025-10-14 00:00:00

  20. CVSSv3 Score: 2.5

    An Unchecked Return Value vulnerability [CWE-252] in the FortiOS API may allow an authenticated user to cause a Null Pointer Dereference, crashing the http daemon, via a specially crafted request.

    Revised on 2025-10-14 00:00:00

  21. CVSSv3 Score: 4.5

    Improper Neutralization of Input During Web Page Generation and URL Redirection to Untrusted Site vulnerabilities [CWE-79, CWE-601] in FortiOS, FortiProxy and FortiSASE may allow an unauthenticated attacker to perform a reflected cross-site scripting (XSS) or an open redirect attack via crafted HTTP requests.

    Revised on 2025-10-14 00:00:00

  22. CVSSv3 Score: 7.2

    An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability [CWE-22] in the FortiDLP Agent's Outlookproxy plugin for Windows and MacOS may allow an authenticated attacker to escalate their privileges to LocalService or root by sending a crafted request to a local listening port.

    Revised on 2025-10-14 00:00:00

  23. CVSSv3 Score: 5.1

    An Exposure of Private Personal Information ('Privacy Violation') vulnerability [CWE-359] in FortiDLP may allow an authenticated Windows administrator to collect the current user's email information.

    Revised on 2025-10-14 00:00:00

  24. CVSSv3 Score: 6.6

    An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] in FortiSOAR may allow an attacker who has already obtained non-login, low-privileged shell access to perform a local privilege escalation via crafted commands.

    Revised on 2025-10-14 00:00:00

  25. CVSSv3 Score: 5.3

    A concurrent execution using shared resource with improper synchronization ('Race Condition') vulnerability [CWE-362] in FortiAnalyzer may allow an attacker to win a race condition and bypass the FortiCloud SSO authorization via crafted FortiCloud SSO requests.

    Revised on 2025-10-14 00:00:00
