CVE-2025-57740 Overview
CVE-2025-57740 is a heap-based buffer overflow vulnerability [CWE-122] affecting Fortinet FortiOS, FortiPAM, and FortiProxy. The flaw resides in the Remote Desktop Protocol (RDP) bookmark connection handling. An authenticated user can send crafted requests to trigger memory corruption and execute unauthorized code on the affected appliance.
The vulnerability impacts FortiOS versions 7.6.2 and below, 7.4.7 and below, 7.2.10 and below, and all versions of 7.0 and 6.4. FortiPAM versions 1.5.0, 1.4.2 and below, and all versions of 1.3, 1.2, 1.1, and 1.0 are affected. FortiProxy versions 7.6.2 and below, 7.4.3 and below, and all versions of 7.2 and 7.0 are also vulnerable.
Critical Impact
An authenticated attacker can exploit a crafted RDP bookmark connection to corrupt heap memory and execute arbitrary code on the appliance, compromising confidentiality, integrity, and availability.
Affected Products
- Fortinet FortiOS (7.6.2 and below, 7.4.7 and below, 7.2.10 and below, 7.0 all versions, 6.4 all versions)
- Fortinet FortiPAM (1.5.0, 1.4.2 and below, 1.3 / 1.2 / 1.1 / 1.0 all versions)
- Fortinet FortiProxy (7.6.2 and below, 7.4.3 and below, 7.2 / 7.0 all versions)
Discovery Timeline
- 2025-10-14 - CVE-2025-57740 published to NVD
- 2025-10-15 - Last updated in NVD database
Technical Details for CVE-2025-57740
Vulnerability Analysis
The vulnerability is a heap-based buffer overflow classified as [CWE-122]. It exists in the RDP bookmark connection feature exposed through the SSL VPN and proxy interfaces on affected Fortinet products. When the appliance processes a crafted RDP bookmark connection request, it writes data beyond the bounds of a heap-allocated buffer.
Exploitation requires an authenticated session, limiting opportunistic attacks but not insider or post-compromise scenarios. The attack vector is network-based with low complexity, meaning a stolen or low-privilege credential is sufficient to reach the vulnerable code path. Successful exploitation yields code execution in the context of the vulnerable service.
Root Cause
The root cause is improper validation of input size or structure when constructing or parsing RDP bookmark connection data on the heap. The affected component allocates a buffer of fixed or expected size and then copies attacker-influenced fields without enforcing length boundaries. Memory adjacent to the buffer can be overwritten, including heap metadata or function pointers.
Attack Vector
An attacker requires valid credentials on the FortiOS, FortiPAM, or FortiProxy interface that exposes RDP bookmarks. The attacker submits a crafted request that defines or invokes an RDP bookmark with malicious field values. The malformed connection parameters trigger the overflow during processing on the appliance.
No public proof-of-concept exploit is available, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. See the Fortinet Security Advisory FG-IR-25-756 for vendor technical details.
Detection Methods for CVE-2025-57740
Indicators of Compromise
- Unexpected crashes, restarts, or core dumps from FortiOS, FortiPAM, or FortiProxy services handling SSL VPN web portal or RDP bookmark functionality.
- Anomalous authenticated sessions creating, modifying, or invoking RDP bookmarks from unusual source IPs or at off-hours.
- HTTP/HTTPS requests to RDP bookmark endpoints containing oversized or malformed bookmark fields.
Detection Strategies
- Monitor Fortinet device logs for crash events, segmentation faults, and watchdog-triggered service restarts correlated with RDP bookmark activity.
- Inspect web portal access logs for repeated RDP bookmark requests from a single authenticated account, particularly with abnormal payload sizes.
- Correlate administrative configuration changes to RDP bookmarks with subsequent connection attempts to identify weaponized entries.
Monitoring Recommendations
- Forward FortiOS, FortiPAM, and FortiProxy logs to a centralized SIEM and alert on service crashes or repeated 5xx responses on SSL VPN endpoints.
- Track authentication anomalies on appliance accounts, including unusual geolocation, impossible travel, or credential reuse from previously compromised sources.
- Review version banners against the patched releases listed in the Fortinet advisory and alert when unpatched appliances are detected.
How to Mitigate CVE-2025-57740
Immediate Actions Required
- Upgrade affected appliances to fixed versions per the Fortinet Security Advisory FG-IR-25-756.
- Audit and reduce the number of accounts permitted to access the SSL VPN web portal and RDP bookmark functionality.
- Rotate credentials and enforce multi-factor authentication for all administrative and VPN users on affected devices.
Patch Information
Fortinet has published advisory FG-IR-25-756 with the list of fixed versions for FortiOS, FortiPAM, and FortiProxy. Administrators should upgrade FortiOS branches 7.6, 7.4, and 7.2 to the vendor-specified fixed releases, and migrate from 7.0 and 6.4 branches, which contain the issue in all versions. FortiProxy 7.6 and 7.4 must be moved to fixed releases, while 7.2 and 7.0 require migration. FortiPAM users on 1.5.0 and the 1.4, 1.3, 1.2, 1.1, and 1.0 branches must upgrade to fixed builds.
Workarounds
- Disable the RDP bookmark feature on the SSL VPN web portal if it is not required for business operations.
- Restrict SSL VPN and management interface exposure to trusted source networks using firewall policies and local-in policies.
- Limit user group permissions so only essential users can create or invoke RDP bookmark entries until patching is complete.
# Configuration example: disable RDP bookmarks on SSL VPN web portal
config vpn ssl web portal
edit "full-access"
set bookmark-group-allowed disable
next
end
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
