Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-53844

CVE-2025-53844: Fortinet FortiOS RCE Vulnerability

CVE-2025-53844 is an out-of-bounds write flaw in Fortinet FortiOS that enables attackers to execute unauthorized code via crafted packets. This article covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2025-53844 Overview

CVE-2025-53844 is an out-of-bounds write vulnerability [CWE-787] affecting multiple versions of Fortinet FortiOS. The flaw allows an authenticated attacker with low privileges to execute unauthorized code or commands by sending specially crafted packets to a vulnerable device. The vulnerability impacts FortiOS 7.6.0 through 7.6.3, 7.4.0 through 7.4.8, and 7.2.0 through 7.2.11. Fortinet has published guidance under advisory FG-IR-26-123.

Critical Impact

Successful exploitation enables remote code execution on FortiOS appliances, compromising confidentiality, integrity, and availability of perimeter security infrastructure.

Affected Products

  • Fortinet FortiOS 7.6.0 through 7.6.3
  • Fortinet FortiOS 7.4.0 through 7.4.8
  • Fortinet FortiOS 7.2.0 through 7.2.11

Discovery Timeline

  • 2026-05-12 - CVE-2025-53844 published to NVD
  • 2026-05-15 - Last updated in NVD database

Technical Details for CVE-2025-53844

Vulnerability Analysis

The vulnerability is an out-of-bounds write condition in FortiOS, classified under [CWE-787]. An attacker with low-level authenticated access can transmit specially crafted network packets that trigger a write operation past the bounds of an allocated buffer. The corrupted memory region can be leveraged to alter control flow and execute attacker-supplied instructions.

FortiOS appliances serve as perimeter security devices including next-generation firewalls, VPN concentrators, and SD-WAN gateways. Code execution on these systems grants attackers a privileged position for traffic interception, lateral movement, and persistence within the protected network.

The attack vector is network-based with low complexity. Exploitation requires only low privileges and no user interaction, making it suitable for use by authenticated attackers who have obtained limited management credentials or compromised internal accounts.

Root Cause

The root cause is improper validation of input length or structure when parsing incoming packets. The vulnerable code path writes data beyond the boundaries of a destination buffer, corrupting adjacent memory. Fortinet has not publicly disclosed the specific component or function affected. Refer to the Fortinet Security Advisory FG-IR-26-123 for component-specific details.

Attack Vector

An attacker authenticates to the FortiOS device with low privileges and transmits crafted packets to a vulnerable service. The malformed packet triggers the out-of-bounds write, corrupting memory structures used by the target process. The attacker then redirects execution to deliver arbitrary code or commands in the context of the compromised service.

No public proof-of-concept exploit is available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The current EPSS probability is low, indicating limited near-term exploitation forecasting.

Detection Methods for CVE-2025-53844

Indicators of Compromise

  • Unexpected process crashes, restarts, or kernel panics on FortiOS appliances captured in crashlog output.
  • Anomalous outbound network connections originating from the FortiOS management plane to unknown hosts.
  • Configuration changes, new administrator accounts, or unexpected firewall policy modifications outside scheduled maintenance windows.
  • Authenticated management sessions from unusual source IP addresses or geolocations.

Detection Strategies

  • Inspect FortiOS event and crash logs for repeated segmentation faults or memory faults tied to packet-parsing services.
  • Monitor administrative authentication logs for low-privileged accounts initiating unusual API or CLI activity.
  • Compare running configurations against known-good baselines to detect unauthorized modifications.
  • Forward FortiOS syslog data to a centralized SIEM for correlation against threat intelligence feeds.

Monitoring Recommendations

  • Enable verbose logging on FortiOS management interfaces and restrict log retention to support forensic review.
  • Alert on any administrative session originating outside approved management networks or jump hosts.
  • Track firmware version inventory across the fleet to verify patch compliance after remediation.

How to Mitigate CVE-2025-53844

Immediate Actions Required

  • Identify all FortiOS appliances running versions 7.6.0-7.6.3, 7.4.0-7.4.8, or 7.2.0-7.2.11 and prioritize them for patching.
  • Apply the fixed FortiOS release as specified in Fortinet Security Advisory FG-IR-26-123.
  • Rotate administrative credentials and API tokens on devices that may have been exposed to untrusted networks.
  • Audit administrator accounts and remove unused or low-privilege accounts that are no longer required.

Patch Information

Fortinet has issued remediation guidance in advisory FG-IR-26-123. Administrators should upgrade affected FortiOS instances to the fixed versions identified by Fortinet. Consult the Fortinet Security Advisory FG-IR-26-123 for the specific patched build numbers and upgrade paths.

Workarounds

  • Restrict management plane access to trusted administrative networks using trusthost configurations.
  • Disable unused management protocols and services on internet-facing interfaces.
  • Enforce multi-factor authentication for all administrative accounts to reduce the risk of credential abuse.
  • Place FortiOS management interfaces behind a dedicated out-of-band network segment.
bash
# Configuration example: restrict admin access to trusted networks
config system admin
    edit "admin"
        set trusthost1 10.10.0.0 255.255.255.0
        set trusthost2 192.168.50.0 255.255.255.0
    next
end

# Disable HTTP/HTTPS administrative access on WAN interface
config system interface
    edit "wan1"
        unset allowaccess
    next
end

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.