A high heap-based buffer overflow vulnerability in the cw_acd daemon component of Fortinet’s FortiOS and FortiSwitchManager has been disclosed, enabling remote unauthenticated attackers to execute arbitrary code on affected systems.
The vulnerability, tracked as CVE-2025-25249, carries a high CVSS v3.1 score of 7.4 and poses significant risk to enterprise network infrastructure.
Vulnerability Details
The flaw resides in a heap-based buffer overflow mechanism (CWE-122) within the cw_acd daemon, a critical component handling fabric connectivity and access control in Fortinet security appliances.
An attacker with network access can craft specially designed requests to trigger the buffer overflow, leading to unauthorized code execution without requiring authentication credentials.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2025-25249 |
| Fortinet ID | FG-IR-25-084 |
| Vulnerability Type | Heap-based Buffer Overflow (CWE-122) |
| CVSS v3.1 Score | 7.4 (High) |
The vulnerability’s network-accessible attack vector and low complexity make it particularly concerning for internet-facing deployments.
Fortinet’s Product Security Team internally discovered the vulnerability, assigning it FG-IR-25-084. The issue was initially published on January 13, 2026, marking the beginning of active mitigation efforts across the Fortinet ecosystem.
Multiple FortiOS versions require immediate patching. FortiOS 7.6 users should upgrade to version 7.6.4 or later, while 7.4 users need to update to 7.4.9.
FortiOS 7.2 administrators must patch to 7.2.12, and 7.0 deployments require upgrading to 7.0.18. FortiOS 6.4 installations need the upcoming 6.4.17 release.
FortiSwitchManager installations running 7.2.0-7.2.6 should upgrade to 7.2.7, while version 7.0 users need 7.0.6 or above.
FortiSASE versions 25.2.b have been remediated in 25.2.c, with customers automatically protected. FortiSASE 25.1.a requires migration to fixed releases. Earlier versions remain unaffected.
Organizations unable to patch immediately should implement temporary workarounds by removing “fabric” access from affected interfaces or restricting CAPWAP-CONTROL access through local-in firewall policies.
Administrators can disable fabric service enumeration by modifying interface configurations or blocking UDP ports 5246-5249 through firewall rules.
Given the high severity rating and remote exploitability, affected organizations should prioritize patching using Fortinet’s official upgrade tool.
Defenders should also review firewall logs for suspicious requests targeting the cw_acd daemon and monitor for unauthorized code execution indicators on Fortinet security appliances.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.