Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-53845

CVE-2025-53845: Fortinet FortiAnalyzer Info Disclosure

CVE-2025-53845 is an improper authentication flaw in Fortinet FortiAnalyzer that allows unauthenticated attackers to access device information or trigger denial of service. This post covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2025-53845 Overview

CVE-2025-53845 is an improper authentication vulnerability [CWE-287] affecting Fortinet FortiAnalyzer. The flaw allows an unauthenticated remote attacker to send crafted Optimized Fabric Transfer Protocol (OFTP) requests to the device. Successful exploitation exposes device health and status information or causes a denial of service condition.

The issue affects FortiAnalyzer versions 7.6.0 through 7.6.3 and all versions before 7.4.6. Fortinet published advisory FG-IR-25-378 addressing the flaw.

Critical Impact

Unauthenticated network attackers can retrieve FortiAnalyzer device health and status information or trigger a denial of service through crafted OFTP requests.

Affected Products

  • Fortinet FortiAnalyzer 7.6.0 through 7.6.3
  • Fortinet FortiAnalyzer versions prior to 7.4.6
  • Deployments exposing the OFTP service to untrusted networks

Discovery Timeline

  • 2025-10-14 - CVE-2025-53845 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-53845

Vulnerability Analysis

The vulnerability resides in how FortiAnalyzer handles authentication for OFTP protocol messages. OFTP is used by Fortinet products for log transfer and fabric communication between devices. FortiAnalyzer fails to properly authenticate incoming OFTP requests before processing them.

An attacker with network access to the OFTP listener can craft protocol messages that bypass authentication checks. The impact splits into two outcomes. First, the attacker can retrieve information about device health and operational status. Second, malformed or specially crafted OFTP requests can crash or hang the service, producing a denial of service condition.

The attack requires no user interaction and no prior authentication. Exploitation complexity is low and the attack originates over the network, which increases the exposure risk for internet-facing management appliances.

Root Cause

The root cause is missing or incomplete authentication verification on the OFTP request handler. The service processes protocol elements and returns telemetry before validating the requestor's identity. This design flaw falls under CWE-287 (Improper Authentication).

Attack Vector

The attack vector is network-based. An attacker sends crafted OFTP protocol packets to a reachable FortiAnalyzer instance. No credentials, tokens, or user interaction are required. Attackers on adjacent networks, VPN segments, or internet-facing deployments can reach the vulnerable listener.

No public proof-of-concept exploit is currently available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. See the Fortinet Security Advisory FG-IR-25-378 for vendor technical details.

Detection Methods for CVE-2025-53845

Indicators of Compromise

  • Unexpected inbound connections to the OFTP service port from unknown or external source IP addresses
  • Repeated OFTP protocol errors, service restarts, or crash entries in FortiAnalyzer system logs
  • Unexplained gaps in log ingestion coinciding with abnormal OFTP traffic patterns
  • Outbound responses containing device health or status data to non-fabric peers

Detection Strategies

  • Monitor FortiAnalyzer daemon logs for OFTP handshake failures and abnormal termination events
  • Deploy network intrusion detection signatures that flag OFTP requests originating from non-authorized fabric members
  • Correlate crash-loop patterns on the OFTP service with source IP address anomalies to identify probing attempts
  • Baseline normal OFTP peer communication and alert on new or unexpected talkers

Monitoring Recommendations

  • Enable verbose logging for FortiAnalyzer fabric protocol handlers and forward events to a centralized SIEM
  • Track availability metrics for FortiAnalyzer services to detect denial of service impact quickly
  • Audit firewall rules protecting the OFTP interface and alert on rule changes that widen exposure
  • Review authentication and connection statistics from FortiAnalyzer for spikes in failed protocol negotiations

How to Mitigate CVE-2025-53845

Immediate Actions Required

  • Upgrade FortiAnalyzer 7.6.x deployments to version 7.6.4 or later per Fortinet guidance
  • Upgrade FortiAnalyzer 7.4.x deployments to version 7.4.6 or later
  • Restrict network access to the OFTP service so only trusted Fortinet fabric peers can reach it
  • Inventory all FortiAnalyzer appliances and confirm patch status through configuration management tooling

Patch Information

Fortinet released fixed builds addressing CVE-2025-53845. Administrators should consult Fortinet Security Advisory FG-IR-25-378 for the definitive list of fixed versions and upgrade paths. Apply patches during a scheduled maintenance window and validate log ingestion after upgrade.

Workarounds

  • Place FortiAnalyzer behind a management firewall that permits OFTP traffic only from authorized FortiGate and Fortinet fabric peers
  • Segment the management network to prevent untrusted hosts from reaching FortiAnalyzer service ports
  • Disable or block external exposure of OFTP interfaces until patches can be applied
  • Enforce strict ACLs on the FortiAnalyzer management interface for all Fortinet fabric protocols
bash
# Example: restrict OFTP access at the perimeter firewall
# Replace <FAZ_IP> with the FortiAnalyzer address and <TRUSTED_CIDR> with authorized peers
iptables -A INPUT -p tcp -d <FAZ_IP> --dport 514 -s <TRUSTED_CIDR> -j ACCEPT
iptables -A INPUT -p tcp -d <FAZ_IP> --dport 514 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.