Fortinet FortiManager fgtupdates Vulnerability Allows Attackers to Execute Malicious Commands


Fortinet has disclosed a high-severity stack-based buffer overflow vulnerability in its FortiManager platform that could allow remote unauthenticated attackers to execute unauthorized commands.

Tracked as CVE-2025-54820 and assigned a CVSSv3 score of 7.0, the flaw poses a significant risk to enterprise network management environments running affected versions of FortiManager.

The vulnerability resides in the fgtupdates service of FortiManager. A remote unauthenticated attacker can exploit this flaw by sending specially crafted requests to the service, potentially enabling unauthorized code execution on the targeted system.

Exploitation is conditional: it is only possible if the fgtupdates service is actively enabled on the device. Additionally, successful exploitation requires the attacker to bypass existing stack protection mechanisms, which increases attack complexity and contributes to a High rather than Critical CVSS rating.

Fortinet published the advisory on March 10, 2026, under internal reference FG-IR-26-098. The vulnerability was responsibly disclosed by researcher catalpa from Dbappsecurity Co., Ltd.

Affected Versions

The following FortiManager versions are confirmed affected:


| Version | Affected Builds | Recommended Action |
| --- | --- | --- |
| FortiManager 7.6 | Not affected | Not applicable |
| FortiManager 7.4 | 7.4.0 through 7.4.2 | Upgrade to 7.4.3 or above |
| FortiManager 7.2 | 7.2.0 through 7.2.10 | Upgrade to 7.2.11 or above |
| FortiManager 6.4 | All versions | Migrate to a fixed release |

Notably, FortiManager Cloud is not affected by this vulnerability, limiting the scope to on-premises deployments.

Mitigation and Workaround

Fortinet strongly recommends upgrading to the respective patched releases as the primary remediation path. For organizations unable to apply patches immediately, Fortinet advises disabling the fgtupdates service as a temporary workaround.

Administrators can remove fgtupdates from the service access list on the relevant interface using the following CLI configuration:

config system interface
    edit <interface_name>                                # placeholder: the exposed interface
        set serviceaccess <services_excluding_fgtupdates>  # placeholder: keep only the services still required
end

Ensure that fgtupdates is not listed among the enabled services on any exposed interface.
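As an added audit helper (not Fortinet's code or the article's), the script below encodes the affected ranges from the version table and parses interface configuration in the `config system interface` / `edit` / `set serviceaccess` form used by the workaround to flag interfaces that still expose fgtupdates. The sample configuration, the version strings and the 999 upper bound used for "all 6.4 versions" are constructed assumptions.

```python
import re

# Affected ranges from the advisory table, inclusive. Every 6.4 build is
# affected (999 is a constructed sentinel); 7.6 and FortiManager Cloud are not.
AFFECTED = {
    (7, 4): ((7, 4, 0), (7, 4, 2), "upgrade to 7.4.3 or above"),
    (7, 2): ((7, 2, 0), (7, 2, 10), "upgrade to 7.2.11 or above"),
    (6, 4): ((6, 4, 0), (6, 4, 999), "migrate to a fixed release"),
}

def parse_version(text):
    """Extract x.y.z from strings such as '7.4.2' or 'v7.4.2 build2345'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(p) for p in m.groups())

def check_version(text):
    """Return (affected, recommended_action) for a FortiManager build."""
    v = parse_version(text)
    entry = AFFECTED.get(v[:2])
    if entry and entry[0] <= v <= entry[1]:
        return True, entry[2]
    return False, "not affected"

def exposed_interfaces(config):
    """Return names of 'edit ... next' interface blocks whose serviceaccess lists fgtupdates."""
    exposed = []
    for name, body in re.findall(r'edit "([^"]+)"(.*?)\n\s*next', config, re.S):
        m = re.search(r"set serviceaccess ([^\n]+)", body)
        services = m.group(1).split() if m else []
        if "fgtupdates" in services:
            exposed.append(name)
    return exposed

# Constructed sample configuration, not taken from any real device.
SAMPLE_CONFIG = """config system interface
    edit "port1"
        set serviceaccess fgtupdates webfilter-antispam
    next
    edit "port2"
        set serviceaccess webfilter-antispam
    next
end
"""

if __name__ == "__main__":
    for ver in ("7.4.2", "7.4.3", "7.2.10", "6.4.15", "7.6.1"):
        print(ver, check_version(ver))
    print("fgtupdates still exposed on:", exposed_interfaces(SAMPLE_CONFIG))
```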

FortiManager is widely deployed across enterprise and government environments to centrally manage Fortinet security fabric devices. Any vulnerability enabling unauthenticated remote code execution, even under specific conditions, represents a serious attack surface.

Threat actors increasingly target network management platforms as pivot points for lateral movement and persistent access across managed infrastructure.

Security teams should audit active FortiManager services immediately, apply available patches, and monitor for anomalous access to the fgtupdates service endpoint.
