Fortinet has issued an urgent advisory revealing a critical weakness in its FortiPAM and FortiSwitch Manager products that could allow attackers to sidestep authentication entirely through brute-force methods.
Tracked as CVE-2025-49201, the flaw stems from a weak authentication mechanism in the Web Application Delivery (WAD) and Graphical User Interface (GUI) components, classified under CWE-1390.
With a CVSS v3.1 score of 7.4, rated as high severity, the vulnerability poses risks of unauthorized code execution or command injection, potentially granting remote attackers full control over affected systems.
The issue affects multiple versions of FortiPAM, Fortinet’s privileged access management solution, and select releases of FortiSwitch Manager, which handles network switch configurations.
Specifically, FortiPAM versions 1.5.0, 1.4.0 through 1.4.2, and all versions of 1.3, 1.2, 1.1, and 1.0 are vulnerable. For FortiSwitch Manager, versions 7.2.0 through 7.2.4 in the 7.2 series are impacted, while the 7.0 series remains unaffected.
Product | Affected Versions | Solution |
---|---|---|
FortiPAM 1.7 | Not affected | Not Applicable |
FortiPAM 1.6 | Not affected | Not Applicable |
FortiPAM 1.5 | 1.5.0 | Upgrade to 1.5.1 or above |
FortiPAM 1.4 | 1.4.0 through 1.4.2 | Upgrade to 1.4.3 or above |
FortiPAM 1.3 | 1.3 all versions | Migrate to a fixed release |
FortiPAM 1.2 | 1.2 all versions | Migrate to a fixed release |
FortiPAM 1.1 | 1.1 all versions | Migrate to a fixed release |
FortiPAM 1.0 | 1.0 all versions | Migrate to a fixed release |
FortiSwitchManager 7.2 | 7.2.0 through 7.2.4 | Upgrade to 7.2.5 or above |
FortiSwitchManager 7.0 | Not affected | Not Applicable |
Attackers require network access and could exploit this over time with persistent brute-force attempts, though no public exploits have surfaced yet.
Fortinet urges immediate patching to mitigate threats. Users on vulnerable FortiPAM 1.5 should upgrade to 1.5.1 or later, while those on 1.4 need version 1.4.3 or above. For older branches like 1.3 and below, migration to a fixed release is essential.
FortiSwitch Manager 7.2 users must update to 7.2.5 or higher. The company emphasizes monitoring for unusual login attempts and implementing multi-factor authentication as interim defenses.
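One way to implement the interim monitoring Fortinet recommends, as an added example that is not from the advisory or from Fortinet's own tooling: a sliding-window check over authentication log lines that flags a burst of failures from one source and a successful login that follows such a burst. The log layout, source addresses and user names here are constructed for the example and are not FortiPAM's or FortiSwitch Manager's actual schema.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical key=value layout (not a real Fortinet log schema).
SAMPLE_LOGS = """\
2025-10-15T08:00:01Z src=203.0.113.7 user=admin result=failure
2025-10-15T08:00:04Z src=203.0.113.7 user=admin result=failure
2025-10-15T08:00:07Z src=203.0.113.7 user=admin result=failure
2025-10-15T08:00:10Z src=203.0.113.7 user=admin result=failure
2025-10-15T08:00:13Z src=203.0.113.7 user=admin result=failure
2025-10-15T08:00:16Z src=203.0.113.7 user=admin result=success
2025-10-15T08:05:00Z src=192.0.2.10 user=ops result=success
2025-10-15T08:20:00Z src=198.51.100.4 user=ops result=failure
2025-10-15T08:45:00Z src=198.51.100.4 user=ops result=failure
2025-10-15T09:10:00Z src=198.51.100.4 user=ops result=success
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")

def parse_line(line):
    """Parse one log line; return (timestamp, src, user, result) or None if malformed."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["src"], m["user"], m["result"]

def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Return alerts for per-source failure bursts and for a success that follows one."""
    failures = defaultdict(deque)  # src -> timestamps of failures still inside the window
    alerted = set()                 # sources already reported for a burst
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not match the expected layout
        ts, src, user, result = rec
        recent = failures[src]
        while recent and ts - recent[0] > window:
            recent.popleft()  # drop failures that have fallen out of the window
        if result == "failure":
            recent.append(ts)
            if len(recent) >= threshold and src not in alerted:
                alerts.append(("burst", src, len(recent)))
                alerted.add(src)
        elif result == "success" and len(recent) >= threshold:
            # A success right after a burst is the trace a brute-forced bypass would leave
            alerts.append(("success_after_burst", src, user))
    return alerts
```

Scattered failures spaced wider than the window (198.51.100.4 above) never accumulate, so only the rapid burst and the success that follows it are reported.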
Discovered internally by Gwendal Guégniaud from Fortinet’s Product Security team, the vulnerability was published on October 14, 2025, under internal reference FG-IR-25-010.
This disclosure comes amid rising concerns over supply chain attacks targeting network management tools, underscoring the need for swift updates in enterprise environments.