Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-54973

CVE-2025-54973: Fortinet FortiAnalyzer Race Condition Flaw

CVE-2025-54973 is a race condition vulnerability in Fortinet FortiAnalyzer that allows attackers to bypass FortiCloud SSO authorization. This article covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2025-54973 Overview

CVE-2025-54973 is a race condition vulnerability [CWE-362] affecting Fortinet FortiAnalyzer. The flaw stems from concurrent execution using a shared resource with improper synchronization. An attacker can attempt to win a race condition to bypass FortiCloud Single Sign-On (SSO) authorization by sending crafted FortiCloud SSO requests. Successful exploitation impacts the integrity of the affected system without requiring authentication, though user interaction and high attack complexity limit practical exploitation.

Critical Impact

Attackers who win the race condition can bypass FortiCloud SSO authorization checks, gaining unauthorized access to FortiAnalyzer functionality reserved for authenticated administrators.

Affected Products

  • Fortinet FortiAnalyzer 7.6.0 through 7.6.2
  • Fortinet FortiAnalyzer 7.4.0 through 7.4.6
  • Fortinet FortiAnalyzer 7.2.0 through 7.2.10
  • Fortinet FortiAnalyzer versions before 7.0.13

Discovery Timeline

  • 2025-10-14 - CVE-2025-54973 published to the National Vulnerability Database (NVD)
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-54973

Vulnerability Analysis

CVE-2025-54973 is classified under [CWE-362] as a concurrent execution using shared resource with improper synchronization vulnerability. FortiAnalyzer processes FortiCloud SSO authorization requests through code paths that share state without adequate locking or atomicity guarantees. Attackers who send multiple crafted SSO requests in rapid succession can exploit the timing window between authorization checks and their enforcement.

The vulnerability specifically affects the FortiCloud SSO authorization flow. FortiAnalyzer is a centralized log analytics and reporting platform used across managed Fortinet deployments, meaning successful exploitation exposes centralized security telemetry to unauthorized parties. The EPSS score of 0.294% reflects the technical difficulty of consistently winning the race window.

Root Cause

The root cause lies in improper synchronization within the FortiCloud SSO request handling logic. When multiple SSO authorization checks execute concurrently, shared state can be read or modified between the check and the corresponding privileged action. This time-of-check to time-of-use (TOCTOU) style flaw permits an unauthorized request to be processed as if it had passed authorization.

Attack Vector

Exploitation requires network access to the FortiAnalyzer management interface and user interaction, likely to initiate a legitimate SSO flow that the attacker races against. The attacker sends crafted FortiCloud SSO requests designed to race the authorization logic. Consistent success requires precise timing, which contributes to the high attack complexity rating. No prior authentication is required, but the attacker must control or observe the timing of an SSO transaction to reliably win the race.

No public proof-of-concept exploit has been published, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. See the Fortinet PSIRT Advisory FG-IR-25-198 for technical guidance from the vendor.

Detection Methods for CVE-2025-54973

Indicators of Compromise

  • Bursts of repeated or near-simultaneous FortiCloud SSO authorization requests originating from the same source IP within short time intervals.
  • Successful SSO authorization events immediately followed by administrative actions inconsistent with the associated user identity.
  • Unexplained FortiCloud session establishments lacking a corresponding completed interactive user login.
  • Anomalous authorization responses in FortiAnalyzer logs referencing FortiCloud SSO endpoints.

Detection Strategies

  • Correlate FortiAnalyzer authentication logs against expected SSO transaction volumes to flag statistical anomalies.
  • Monitor for parallel or duplicate SSO callback requests referencing the same session or token identifier.
  • Alert on privileged FortiAnalyzer actions that occur without a preceding, fully completed SSO authentication chain.

Monitoring Recommendations

  • Forward FortiAnalyzer administrative and SSO logs to a centralized SIEM for behavioral baselining.
  • Enable verbose logging on FortiCloud SSO endpoints to capture request timing and source metadata.
  • Track administrator session creation rates and investigate deviations from historical norms.

How to Mitigate CVE-2025-54973

Immediate Actions Required

  • Upgrade FortiAnalyzer to a fixed release as documented in Fortinet PSIRT Advisory FG-IR-25-198.
  • Restrict network exposure of the FortiAnalyzer management interface to trusted administrative networks only.
  • Review recent FortiCloud SSO authorization logs for anomalous or parallel request patterns.

Patch Information

Fortinet has released fixed versions addressing CVE-2025-54973. Administrators running FortiAnalyzer 7.6.0 through 7.6.2, 7.4.0 through 7.4.6, 7.2.0 through 7.2.10, or versions before 7.0.13 should upgrade to a fixed release per the vendor advisory. Refer to Fortinet PSIRT Advisory FG-IR-25-198 for exact fixed version identifiers and upgrade procedures.

Workarounds

  • Limit access to the FortiAnalyzer management interface using firewall rules or trusted host settings until patching is complete.
  • Disable FortiCloud SSO integration temporarily if it is not operationally required.
  • Enforce multi-factor authentication (MFA) on identity providers integrated with FortiCloud SSO to raise the cost of exploitation.
bash
# Example: restrict FortiAnalyzer administrative access to trusted hosts
config system admin
    edit "admin"
        set trusthost1 10.0.0.0 255.255.255.0
    next
end

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.