- 265/2025
- Critical
Fortinet has released security updates to fix several vulnerabilities across multiple Fortinet products.
The addressed vulnerabilities could allow the attacker to perform denial of service attacks, conduct cross-site scripting attacks, gain elevated privileges, obtain sensitive information, manipulate files, and write arbitrary files via specific HTTP or HTTPS commands, bypass the FortiCloud SSO login authentication via a crafted SAML message, or execute arbitrary code or commands and gain access to the affected product.
Sample of the addressed vulnerabilities:
1. Fortinet FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager Security Bypass Vulnerability (CVE-2025-59718):
- CVSS: 9.1
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Bypass Security
2. Fortinet FortiVoice Directory Traversal Vulnerability (CVE-2025-60024):
- CVSS: 7.7
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Consequences: File Manipulation
Sample of the affected products:
- FortiSOAR on-premise 7.4 all versions.
- FortiPAM 1.4 all versions.
- FortiProxy version 7.2.0 through 7.2.11.
- FortiOS version 7.4.0 through 7.4.3.
- FortiSwitchManager version 7.2.0 through 7.2.6.
- FortiVoice version 6.4, all versions.
- FortiAnalyzer version 7.4.0 through 7.4.2.
- FortiManager version 7.4.0 through 7.4.2.
Vulnerabilities
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.