CyberSecurityBoard
Sponsor Register Login

FortiOS Buffer Overflow Vulnerability Allows Attackers to Execute Arbitrary Code

Cyber Security News is a Dedicated News Platform For Cyber News, Cyber Attack News, Hacking News & Vulnerability Analysis. With a CVSSv3 score of 4.0, the vulnerability is rated as medium severity, yet its potential impact, escalation of privilege, poses a serious risk to affected systems. This heap-based buffer overflow vulnerability, classified under CWE-122, affects the cw_stad daemon and could enable an authenticated attacker to execute arbitrary code or commands through specially crafted requests. The vulnerability impacts specific versions of FortiOS, with Fortinet providing clear upgrade paths to mitigate the risk. This vulnerability was internally discovered and reported by Gwendal Guégniaud of the Fortinet Product Security team. Their proactive identification of the flaw affecting a component categorized as “OTHERS,” highlights Fortinet’s commitment to maintaining the security of its products. Fortinet disclosed a significant security flaw in its FortiOS operating system, identified as CVE-2025-24477. While the CVSSv3 score indicates a medium severity level, the ability for an authenticated attacker to escalate privileges through arbitrary code execution is a critical concern. Fortinet advises users to follow the recommended upgrade path using their official tool for a seamless transition to secure versions. Fortinet’s swift response in providing patches and detailed guidance reflects the ongoing challenges in cybersecurity, where even medium-severity vulnerabilities can have significant consequences if exploited. Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. This could potentially lead to unauthorized access or control over affected systems, compromising network security. This vulnerability, tracked under IR number FG-IR-25-026, underscores the importance of timely updates to safeguard network infrastructure. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications. Organizations using these models in the specified configuration should prioritize applying the necessary updates to prevent potential exploitation. The initial publication of this issue on July 8, 2025, marks the beginning of Fortinet’s efforts to inform and protect its user base from this threat.

This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 08 Jul 2025 15:35:11 +0000


Cyber News related to FortiOS Buffer Overflow Vulnerability Allows Attackers to Execute Arbitrary Code

FortiOS SSL VPN Zero-day Vulnerability - A newly reported zero-day vulnerability in FortiOS SSL VPN has been identified as a possible risk for users. The vulnerability, which is tracked as CVE-2018-13379, was discovered by researchers from Positive Technologies and is rated as “High” ...
3 years ago Securityaffairs.com
New Chinese 0-Day Discovered By HackRead: Backdoor in FortiOS - A new 0-day has been discovered by HackRead that affects Fortinet FortiOS. The backdoor, which has not yet been patched, enables malicious actors to gain access to the systems that are running Fortinet FortiOS. This is a serious security breach and ...
3 years ago Hackread.com
CVE-2023-36641 - A numeric truncation error in Fortinet FortiProxy version 7.2.0 through 7.2.4, FortiProxy version 7.0.0 through 7.0.10, FortiProxy 2.0 all versions, FortiProxy 1.2 all versions, FortiProxy 1.1, all versions, FortiProxy 1.0 all versions, FortiOS ...
1 year ago
CVE-2025-25249 - A heap-based buffer overflow vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2.0 through 7.2.11, FortiOS 7.0.0 through 7.0.17, FortiOS 6.4.0 through 6.4.16, FortiSASE 25.2.b, FortiSASE 25.1.a.2, ...
56 years ago
CVE-2023-22641 - A url redirection to untrusted site ('open redirect') in Fortinet FortiOS version 7.2.0 through 7.2.3, FortiOS version 7.0.0 through 7.0.9, FortiOS versions 6.4.0 through 6.4.12, FortiOS all versions 6.2, FortiOS all versions 6.0, FortiProxy ...
2 years ago
CVE-2023-22640 - A out-of-bounds write in Fortinet FortiOS version 7.2.0 through 7.2.3, FortiOS version 7.0.0 through 7.0.10, FortiOS version 6.4.0 through 6.4.11, FortiOS version 6.2.0 through 6.2.13, FortiOS all versions 6.0, FortiProxy version 7.2.0 through ...
2 years ago
CVE-2025-68686 - An Exposure of Sensitive Information to an Unauthorized Actor vulnerability [CWE-200] vulnerability in Fortinet FortiOS 7.6.0 through 7.6.1, FortiOS 7.4.0 through 7.4.6, FortiOS 7.2 all versions, FortiOS 7.0 all versions, FortiOS 6.4 all versions may ...
56 years ago
CVE-2023-22639 - A out-of-bounds write in Fortinet FortiOS version 7.2.0 through 7.2.3, FortiOS version 7.0.0 through 7.0.10, FortiOS version 6.4.0 through 6.4.12, FortiOS all versions 6.2, FortiOS all versions 6.0, FortiProxy version 7.2.0 through 7.2.2, FortiProxy ...
2 years ago
CVE-2023-33305 - A loop with unreachable exit condition ('infinite loop') in Fortinet FortiOS version 7.2.0 through 7.2.4, FortiOS version 7.0.0 through 7.0.10, FortiOS 6.4 all versions, FortiOS 6.2 all versions, FortiOS 6.0 all versions, FortiProxy version ...
2 years ago
CVE-2025-55018 - An inconsistent interpretation of http requests ('http request smuggling') vulnerability in Fortinet FortiOS 7.6.0, FortiOS 7.4.0 through 7.4.9, FortiOS 7.2 all versions, FortiOS 7.0 all versions, FortiOS 6.4.3 through 6.4.16 may allow an ...
56 years ago
Fortinet Warns of New FortiOS Zero-Day - Fortinet on Thursday announced patches for a critical remote code execution vulnerability in FortiOS that may have been exploited in the wild. The security hole, tracked as CVE-2024-21762, impacts FortiOS versions 6.0, 6.2, 6.4, 7.0, 7.2 and 7.4. ...
2 years ago Securityweek.com CVE-2024-21762 CVE-2022-42475 CVE-2023-27997 CVE-2024-23113 Volt Typhoon
FortiOS Buffer Overflow Vulnerability Allows Attackers to Execute Arbitrary Code - Cyber Security News is a Dedicated News Platform For Cyber News, Cyber Attack News, Hacking News & Vulnerability Analysis. With a CVSSv3 score of 4.0, the vulnerability is rated as medium severity, yet its potential impact, escalation of privilege, ...
7 months ago Cybersecuritynews.com CVE-2025-24477
CVE-2023-46217 - Multiple vulnerabilities exist in Ivanti Avalanche v6.4.1 WLAvalancheService.exe.CVE-2023-41727 - MuProperty type 100 stack-based buffer overflow (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)A message sent to WLAvalancheService.exe on TCP port 1777 ...
2 years ago Tenable.com
CVE-2023-46216 - Multiple vulnerabilities exist in Ivanti Avalanche v6.4.1 WLAvalancheService.exe.CVE-2023-41727 - MuProperty type 100 stack-based buffer overflow (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)A message sent to WLAvalancheService.exe on TCP port 1777 ...
2 years ago Tenable.com
CVE-2023-41727 - Multiple vulnerabilities exist in Ivanti Avalanche v6.4.1 WLAvalancheService.exe.CVE-2023-41727 - MuProperty type 100 stack-based buffer overflow (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)A message sent to WLAvalancheService.exe on TCP port 1777 ...
2 years ago Tenable.com
New Fortinet RCE flaw in SSL VPN likely exploited in attacks - Fortinet is warning that a new critical remote code execution vulnerability in FortiOS SSL VPN is potentially being exploited in attacks. The flaw received a 9.6 severity rating and is an out-of-bounds write vulnerability in FortiOS that allows ...
2 years ago Bleepingcomputer.com CVE-2024-23113 CVE-2023-44487 CVE-2023-47537 CVE-2024-21762 Volt Typhoon
CISA warns Fortinet zero-day vulnerability under attack - CISA urged users to address two critical Fortinet vulnerabilities in products that are commonly targeted by the Chinese nation-state threat group Volt Typhoon, and one flaw is already being exploited in the wild. Fortinet published two separate ...
2 years ago Techtarget.com CVE-2024-21762 CVE-2024-22024 CVE-2023-27997 CVE-2024-23113 Volt Typhoon
CVE-2025-64157 - A use of externally-controlled format string vulnerability in Fortinet FortiOS 7.6.0 through 7.6.4, FortiOS 7.4.0 through 7.4.9, FortiOS 7.2.0 through 7.2.11, FortiOS 7.0 all versions allows an authenticated admin to execute unauthorized code or ...
56 years ago
CVE-2022-43953 - A use of externally-controlled format string in Fortinet FortiOS version 7.2.0 through 7.2.4, FortiOS all versions 7.0, FortiOS all versions 6.4, FortiOS all versions 6.2, FortiProxy version 7.2.0 through 7.2.1, FortiProxy version 7.0.0 through 7.0.7 ...
2 years ago
CVE-2022-22299 - A format string vulnerability [CWE-134] in the command line interpreter of FortiADC version 6.0.0 through 6.0.4, FortiADC version 6.1.0 through 6.1.5, FortiADC version 6.2.0 through 6.2.1, FortiProxy version 1.0.0 through 1.0.7, FortiProxy version ...
3 years ago
CVE-2021-44171 - A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiOS version 6.0.0 through 6.0.14, FortiOS version 6.2.0 through 6.2.10, FortiOS version 6.4.0 through 6.4.8, FortiOS version 7.0.0 ...
3 years ago
CVE-2025-62631 - An insufficient session expiration vulnerability [CWE-613] in Fortinet FortiOS 7.4.0, FortiOS 7.2 all versions, FortiOS 7.0 all versions, FortiOS 6.4 all versions allows attacker to maintain access to network resources via an active SSLVPN session ...
2 months ago
CVE-2025-59718 - A improper verification of cryptographic signature vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2.0 through 7.2.11, FortiOS 7.0.0 through 7.0.17, FortiProxy 7.6.0 through 7.6.3, FortiProxy 7.4.0 ...
2 months ago
CVE-2025-62439 - An Improper Verification of Source of a Communication Channel vulnerability [CWE-940] vulnerability in Fortinet FortiOS 7.6.0 through 7.6.4, FortiOS 7.4.0 through 7.4.9, FortiOS 7.2 all versions, FortiOS 7.0 all versions may allow an authenticated ...
56 years ago

Latest Cyber News


    Cyber Trends (last 7 days)


    Trending Cyber News (last 7 days)