CVE-2025-53844 Overview
CVE-2025-53844 is an out-of-bounds write vulnerability [CWE-787] affecting multiple versions of Fortinet FortiOS. The flaw allows an authenticated attacker with low privileges to execute unauthorized code or commands by sending specially crafted packets to a vulnerable device. The vulnerability impacts FortiOS 7.6.0 through 7.6.3, 7.4.0 through 7.4.8, and 7.2.0 through 7.2.11. Fortinet has published guidance under advisory FG-IR-26-123.
Critical Impact
Successful exploitation enables remote code execution on FortiOS appliances, compromising confidentiality, integrity, and availability of perimeter security infrastructure.
Affected Products
- Fortinet FortiOS 7.6.0 through 7.6.3
- Fortinet FortiOS 7.4.0 through 7.4.8
- Fortinet FortiOS 7.2.0 through 7.2.11
Discovery Timeline
- 2026-05-12 - CVE-2025-53844 published to NVD
- 2026-05-15 - Last updated in NVD database
Technical Details for CVE-2025-53844
Vulnerability Analysis
The vulnerability is an out-of-bounds write condition in FortiOS, classified under [CWE-787]. An attacker with low-level authenticated access can transmit specially crafted network packets that trigger a write operation past the bounds of an allocated buffer. The corrupted memory region can be leveraged to alter control flow and execute attacker-supplied instructions.
FortiOS appliances serve as perimeter security devices including next-generation firewalls, VPN concentrators, and SD-WAN gateways. Code execution on these systems grants attackers a privileged position for traffic interception, lateral movement, and persistence within the protected network.
The attack vector is network-based with low complexity. Exploitation requires only low privileges and no user interaction, making it suitable for use by authenticated attackers who have obtained limited management credentials or compromised internal accounts.
Root Cause
The root cause is improper validation of input length or structure when parsing incoming packets. The vulnerable code path writes data beyond the boundaries of a destination buffer, corrupting adjacent memory. Fortinet has not publicly disclosed the specific component or function affected. Refer to the Fortinet Security Advisory FG-IR-26-123 for component-specific details.
Attack Vector
An attacker authenticates to the FortiOS device with low privileges and transmits crafted packets to a vulnerable service. The malformed packet triggers the out-of-bounds write, corrupting memory structures used by the target process. The attacker then redirects execution to deliver arbitrary code or commands in the context of the compromised service.
No public proof-of-concept exploit is available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The current EPSS probability is low, indicating limited near-term exploitation forecasting.
Detection Methods for CVE-2025-53844
Indicators of Compromise
- Unexpected process crashes, restarts, or kernel panics on FortiOS appliances captured in crashlog output.
- Anomalous outbound network connections originating from the FortiOS management plane to unknown hosts.
- Configuration changes, new administrator accounts, or unexpected firewall policy modifications outside scheduled maintenance windows.
- Authenticated management sessions from unusual source IP addresses or geolocations.
Detection Strategies
- Inspect FortiOS event and crash logs for repeated segmentation faults or memory faults tied to packet-parsing services.
- Monitor administrative authentication logs for low-privileged accounts initiating unusual API or CLI activity.
- Compare running configurations against known-good baselines to detect unauthorized modifications.
- Forward FortiOS syslog data to a centralized SIEM for correlation against threat intelligence feeds.
Monitoring Recommendations
- Enable verbose logging on FortiOS management interfaces and restrict log retention to support forensic review.
- Alert on any administrative session originating outside approved management networks or jump hosts.
- Track firmware version inventory across the fleet to verify patch compliance after remediation.
How to Mitigate CVE-2025-53844
Immediate Actions Required
- Identify all FortiOS appliances running versions 7.6.0-7.6.3, 7.4.0-7.4.8, or 7.2.0-7.2.11 and prioritize them for patching.
- Apply the fixed FortiOS release as specified in Fortinet Security Advisory FG-IR-26-123.
- Rotate administrative credentials and API tokens on devices that may have been exposed to untrusted networks.
- Audit administrator accounts and remove unused or low-privilege accounts that are no longer required.
Patch Information
Fortinet has issued remediation guidance in advisory FG-IR-26-123. Administrators should upgrade affected FortiOS instances to the fixed versions identified by Fortinet. Consult the Fortinet Security Advisory FG-IR-26-123 for the specific patched build numbers and upgrade paths.
Workarounds
- Restrict management plane access to trusted administrative networks using trusthost configurations.
- Disable unused management protocols and services on internet-facing interfaces.
- Enforce multi-factor authentication for all administrative accounts to reduce the risk of credential abuse.
- Place FortiOS management interfaces behind a dedicated out-of-band network segment.
# Configuration example: restrict admin access to trusted networks
config system admin
edit "admin"
set trusthost1 10.10.0.0 255.255.255.0
set trusthost2 192.168.50.0 255.255.255.0
next
end
# Disable HTTP/HTTPS administrative access on WAN interface
config system interface
edit "wan1"
unset allowaccess
next
end
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
