CERT-EU - Critical Vulnerabilities in Fortinet Products
On 13 May 2025, Fortinet released a security advisory addressing several vulnerabilities in their products, two of which are rated as critical.
It is recommended to update as soon as possible.
The vulnerability [1], with a CVSS score of 9.6, is a stack-based overflow vulnerability in FortiFone, FortiVoice, FortiNDR, and FortiMail that could allow a remote unauthenticated attacker to execute arbitrary code or commands via crafted HTTP requests. An unauthenticated attacker could send specific requests to the API endpoint to write arbitrary data outside the bounds of the intended buffer and execute arbitrary code or commands.
The vulnerability [2], with a CVSS score of 9.0, is a missing authentication for critical function vulnerability in FortiOS, FortiProxy, and FortiSwitchManager when they are configured to use a remote TACACS+ server for authentication and that server has itself been configured to use ASCII authentication. This may allow an attacker with knowledge of an existing admin account to access the device as a valid admin via an authentication bypass.
The vulnerability affects the following product versions:
The vulnerability affects the following product versions:
This vulnerability is limited to configurations where ASCII authentication is used. PAP, MSCHAP, and CHAP configurations are not impacted.
It is recommended to upgrade to a fixed version as soon as possible.
To mitigate the vulnerability, it is possible to disable the web (HTTP/HTTPS) service on the administrative interface [1].
To mitigate the vulnerability, it is possible to use an alternate authentication method [2].
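The TACACS+ issue only applies when ASCII authentication is in use, so the first thing a defender wants is an inventory of which TACACS+ server entries select that method. The following is an added example (not code from CERT-EU or Fortinet) that parses a FortiOS-style configuration excerpt and flags the entries to change or upgrade. It assumes the `config user tacacs+` block and its `authen-type` setting are where the method is selected; the configuration text itself is constructed for the example.

```python
import re

# Constructed FortiOS-style configuration excerpt (not from the advisory). The
# `config user tacacs+` block and the `authen-type` setting are assumed to be
# the place where the TACACS+ authentication method is selected.
SAMPLE_CONFIG = """\
config user tacacs+
    edit "tacacs-primary"
        set server "203.0.113.10"
        set key ENC xxxx
        set authen-type ascii
    next
    edit "tacacs-secondary"
        set server "203.0.113.11"
        set key ENC xxxx
        set authen-type pap
    next
    edit "tacacs-legacy"
        set server "203.0.113.12"
        set key ENC xxxx
    next
end
config user local
    edit "svc-account"
        set type password
    next
end
"""

# Methods the advisory states are not impacted.
SAFE_METHODS = {"pap", "mschap", "chap"}


def parse_tacacs_servers(config_text):
    """Return {name: {"server": ..., "authen-type": ...}} for every entry in
    the `config user tacacs+` block. Entries with no explicit authen-type are
    recorded with None so the caller can treat them as needing review."""
    servers = {}
    in_block = False
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            in_block = line == "config user tacacs+"
            continue
        if not in_block:
            continue
        if line == "end":
            in_block = False
            continue
        m = re.match(r'edit\s+"?([^"]+)"?$', line)
        if m:
            current = m.group(1)
            servers[current] = {"server": None, "authen-type": None}
            continue
        if line == "next":
            current = None
            continue
        if current is None:
            continue
        m = re.match(r"set\s+(\S+)\s+(.+)$", line)
        if m:
            key, value = m.group(1), m.group(2).strip().strip('"')
            if key in ("server", "authen-type"):
                servers[current][key] = value
    return servers


def audit_tacacs(config_text):
    """Return (ascii_entries, review_entries): entries explicitly set to ASCII
    authentication (in scope), and entries with no explicit safe method
    (unknown; confirm what the device and server actually negotiate)."""
    ascii_entries, review_entries = [], []
    for name, entry in parse_tacacs_servers(config_text).items():
        method = (entry["authen-type"] or "").lower()
        if method == "ascii":
            ascii_entries.append(name)
        elif method not in SAFE_METHODS:
            review_entries.append(name)
    return ascii_entries, review_entries


if __name__ == "__main__":
    flagged, review = audit_tacacs(SAMPLE_CONFIG)
    for name in flagged:
        print(f"[ASCII]  {name}: in scope; move to PAP/MSCHAP/CHAP or upgrade")
    for name in review:
        print(f"[REVIEW] {name}: no explicit authen-type; confirm the method in use")
```

Entries that set no method are reported separately rather than assumed safe, since the advisory only states that explicit PAP, MSCHAP and CHAP configurations are unaffected.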
There are several detection opportunities related to the exploitation of the vulnerability [1].
Output of CLI command 'diagnose debug application httpd display trace-log':
[x x x x:x:x.x 2025] [fcgid:warn] [pid 1829] [client x.x.x.x:x] mod_fcgid: error reading data, FastCGI server closed connection
[x x x x:x:x.x 2025] [fcgid:error] [pid 1503] mod_fcgid: process /migadmin/www/fcgi/admin.fe(1741) exit(communication error), get unexpected signal 11
To verify whether fcgi debugging is enabled on your system, use the following CLI command:
> diag debug application fcgi
fcgi debug level is 0x80041
general to-file ENABLED
This is not a default setting, so unless you have enabled it in the past, this is potentially an Indicator of Compromise.
- [Added File] /lib/libfmlogin.so
- [Added File] /tmp/.sshdpm
- [Added File] /bin/fmtest
- [Modified File] /etc/httpd.conf
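The three detection opportunities above (the admin.fe signal 11 crash in the httpd trace-log, non-default fcgi to-file debugging, and the listed files) can be checked mechanically against collected output. The following is an added example, not code from CERT-EU or Fortinet, that runs those checks over constructed sample data: trace-log lines modelled on the two quoted in the advisory plus benign ones, a sample `diag debug application fcgi` output, and a constructed file listing such as one would pull from a support bundle. The timestamps, client addresses and listing contents are invented for the example.

```python
import re

# Constructed sample of 'diagnose debug application httpd display trace-log'
# output, modelled on the lines quoted in the advisory plus benign entries.
SAMPLE_TRACE_LOG = """\
[Tue May 13 10:01:02.123 2025] [fcgid:info] [pid 1503] mod_fcgid: server started
[Tue May 13 10:02:15.456 2025] [fcgid:warn] [pid 1829] [client 198.51.100.7:51234] mod_fcgid: error reading data, FastCGI server closed connection
[Tue May 13 10:02:15.457 2025] [fcgid:error] [pid 1503] mod_fcgid: process /migadmin/www/fcgi/admin.fe(1741) exit(communication error), get unexpected signal 11
[Tue May 13 10:05:00.000 2025] [fcgid:warn] [pid 1829] [client 198.51.100.9:40000] mod_fcgid: error reading data, FastCGI server closed connection
"""

# Constructed 'diag debug application fcgi' output; the advisory notes that
# to-file debugging is not a default setting.
SAMPLE_FCGI_DEBUG = "fcgi debug level is 0x80041\ngeneral to-file ENABLED\n"

# File indicators listed in the advisory.
IOC_FILES = {"/lib/libfmlogin.so", "/tmp/.sshdpm", "/bin/fmtest"}

# Constructed file listing (e.g. from a support bundle); not from the page.
SAMPLE_FILE_LISTING = ["/bin/sh", "/tmp/.sshdpm", "/lib/libc.so.6"]

# admin.fe process exiting on an unexpected signal, as quoted in the advisory.
CRASH_RE = re.compile(
    r"\[fcgid:error\].*mod_fcgid: process (?P<proc>\S+?)\(\d+\) "
    r"exit\(communication error\), get unexpected signal (?P<sig>\d+)"
)
# The preceding warning carries the client address that sent the request.
CLIENT_RE = re.compile(
    r"\[client (?P<ip>[0-9a-fA-F:.]+):\d+\].*FastCGI server closed connection"
)


def find_fcgi_crashes(log_text):
    """Return (process, signal) for each admin.fe exit with signal 11."""
    hits = []
    for line in log_text.splitlines():
        m = CRASH_RE.search(line)
        if m and m.group("sig") == "11" and m.group("proc").endswith("/admin.fe"):
            hits.append((m.group("proc"), int(m.group("sig"))))
    return hits


def closed_connection_clients(log_text):
    """Client IPs that produced 'FastCGI server closed connection' warnings,
    in log order; these are the requests to correlate with the crash."""
    clients = []
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            clients.append(m.group("ip"))
    return clients


def fcgi_debug_to_file_enabled(debug_output):
    """True if 'diag debug application fcgi' reports to-file logging ENABLED."""
    return re.search(r"to-file\s+ENABLED", debug_output) is not None


def matching_iocs(file_listing):
    """Advisory-listed file paths that are present in the listing."""
    return sorted(IOC_FILES.intersection(file_listing))


def assess(log_text, debug_output, file_listing):
    """Combine the three checks into a list of human-readable findings."""
    findings = []
    crashes = find_fcgi_crashes(log_text)
    if crashes:
        findings.append(
            f"admin.fe exited with signal 11 ({len(crashes)}x); "
            f"correlate with clients {closed_connection_clients(log_text)}"
        )
    if fcgi_debug_to_file_enabled(debug_output):
        findings.append("fcgi to-file debugging ENABLED (not a default setting)")
    for path in matching_iocs(file_listing):
        findings.append(f"advisory-listed file present: {path}")
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_TRACE_LOG, SAMPLE_FCGI_DEBUG, SAMPLE_FILE_LISTING):
        print("FINDING:", finding)
```

The crash check is deliberately narrow (signal 11 from admin.fe), so an ordinary FastCGI restart does not fire it; the client list is kept separate because the warning line, not the error line, carries the source address. A match on any of the three checks is a reason to preserve the device state and escalate rather than simply patch over it.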