CVE-2025-67604 Overview
CVE-2025-67604 is a denial-of-service vulnerability affecting Fortinet FortiAnalyzer and FortiManager appliances. The flaw stems from the use of a potentially dangerous function [CWE-676] in the HTTP request handler. An authenticated attacker can send multiple specially crafted HTTP requests to trigger crashes that result in a system hang.
Exploitation depends on internal lock alignment that is outside the attacker's control, which raises attack complexity. Successful exploitation disrupts log aggregation, reporting, and centralized management functions provided by these appliances.
Critical Impact
An authenticated attacker can hang FortiAnalyzer or FortiManager appliances, interrupting centralized security log analysis and device management across affected Fortinet deployments.
Affected Products
- Fortinet FortiAnalyzer 7.6.0 through 7.6.4, 7.4.0 through 7.4.8, and all versions of 7.2, 7.0, and 6.4
- Fortinet FortiManager 7.6.0 through 7.6.4, 7.4.0 through 7.4.8, and all versions of 7.2, 7.0, and 6.4
- Deployments exposing the management HTTP/HTTPS interface to authenticated users
Discovery Timeline
- 2026-05-12 - CVE-2025-67604 published to NVD
- 2026-05-15 - Last updated in NVD database
Technical Details for CVE-2025-67604
Vulnerability Analysis
The vulnerability resides in the HTTP request processing path of FortiAnalyzer and FortiManager. According to Fortinet's advisory, the affected code uses a potentially dangerous function that does not adequately handle concurrent access conditions. When multiple specially crafted HTTP requests arrive in sequence, the handler can crash and force the appliance into a hung state.
The trigger condition depends on the alignment of internal locks between worker threads or processes. Because lock state is determined by runtime scheduling and existing system load, the attacker cannot reliably force the precise timing. This dependency raises attack complexity but does not eliminate the risk in production environments handling high request volumes.
A successful crash interrupts the appliance until it is restarted, which removes centralized logging, correlation, and policy push capabilities for the duration of the outage.
Root Cause
The issue is classified under [CWE-676] Use of Potentially Dangerous Function. The HTTP handler invokes a function whose behavior under concurrent execution is unsafe when internal locking primitives reach a specific state. The combination of the dangerous call and the lock alignment produces a fatal condition in the service process.
Attack Vector
Exploitation requires network access to the management interface and valid authentication credentials. The attacker issues multiple crafted HTTP requests targeting the vulnerable handler. No user interaction is required. Confidentiality and integrity are not affected; the impact is limited to availability through process crash and system hang.
No public proof-of-concept or in-the-wild exploitation has been reported. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Detection Methods for CVE-2025-67604
Indicators of Compromise
- Unexpected restarts or hang conditions on FortiAnalyzer or FortiManager processes handling HTTP requests
- Authenticated sessions sending repeated, atypical HTTP request bursts to administrative endpoints
- Gaps in log ingestion or device management heartbeats coinciding with management plane unresponsiveness
Detection Strategies
- Monitor administrative HTTP/HTTPS access logs for high-frequency request patterns from a single authenticated session
- Alert on FortiAnalyzer and FortiManager crash events, service restarts, and watchdog-triggered reboots
- Correlate authentication events with subsequent appliance availability anomalies to identify suspicious sequences
Monitoring Recommendations
- Track appliance uptime, CPU saturation, and HTTP worker process state through SNMP or syslog forwarding
- Forward FortiAnalyzer and FortiManager system logs to an external SIEM for correlation against admin activity
- Establish baselines for normal API and GUI request volumes per administrator account to surface deviations
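The detection and monitoring points above can be exercised on ordinary access logs. The following added example (not code from Fortinet or from this advisory) implements three of them: a sliding-window burst detector keyed on authenticated session, a per-account peak-rate check against a baseline, and a correlation of burst alerts with later hang or restart events. The key=value log layout, field names, URL paths, account names and the baseline figures are all constructed assumptions for the example, not the appliance's real log schema.

```python
"""Added example (not Fortinet's code): flag admin-session request bursts,
compare per-account peaks to a baseline, and pair alerts with later outages."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified key=value access-log line layout. Constructed for this example;
# field names and URL paths are assumptions, not the appliance's real schema.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def fmt(ts, user, srcip, session, url):
    """Render one constructed access-log line."""
    return (f'date={ts:%Y-%m-%d} time={ts:%H:%M:%S} user="{user}" srcip={srcip} '
            f'session={session} method=POST url={url} status=200')


def build_sample_logs():
    """Constructed traffic: one account browsing normally, one session bursting."""
    base = datetime(2026, 5, 13, 10, 0, 0)
    # "ops": 6 requests spread over five minutes.
    lines = [fmt(base + timedelta(seconds=50 * i), "ops", "10.10.0.5",
                 "s-ops-1", "/gui/example") for i in range(6)]
    # "svc-backup": 40 requests in ten seconds (four per second) from one session.
    burst_start = base + timedelta(minutes=2)
    lines += [fmt(burst_start + timedelta(seconds=i // 4), "svc-backup",
                  "192.168.50.10", "s-burst-1", "/api/example") for i in range(40)]
    return lines


def parse_line(line):
    """Parse a key=value line into a dict with a datetime under 'ts'."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["ts"] = datetime.strptime(f"{fields['date']} {fields['time']}",
                                     "%Y-%m-%d %H:%M:%S")
    return fields


def detect_bursts(lines, window_seconds=10, threshold=30):
    """Sliding-window count per (user, srcip, session); alert once per session
    the first time `threshold` requests fall inside `window_seconds`."""
    windows = defaultdict(deque)
    alerted, alerts = set(), []
    window = timedelta(seconds=window_seconds)
    for ev in sorted((parse_line(l) for l in lines), key=lambda e: e["ts"]):
        key = (ev["user"], ev["srcip"], ev["session"])
        q = windows[key]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:      # drop timestamps older than the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"user": ev["user"], "srcip": ev["srcip"], "session": ev["session"],
                           "count": len(q), "ts": ev["ts"]})
    return alerts


def per_account_peak_rpm(lines):
    """Highest request count any account produced within one calendar minute."""
    per_min = defaultdict(int)
    for ev in map(parse_line, lines):
        per_min[(ev["user"], ev["ts"].replace(second=0))] += 1
    peaks = defaultdict(int)
    for (user, _), n in per_min.items():
        peaks[user] = max(peaks[user], n)
    return dict(peaks)


def flag_deviations(peaks, baseline_rpm, factor=3):
    """Accounts whose observed peak exceeds `factor` times their baseline rate."""
    return sorted(u for u, n in peaks.items() if n > factor * baseline_rpm.get(u, 1))


def correlate_outages(alerts, outage_times, lookahead=timedelta(minutes=5)):
    """Pair each burst alert with any hang/restart event that follows it within
    `lookahead`; these sequences are the ones worth an analyst's attention."""
    return [(a, t) for a in alerts for t in outage_times if a["ts"] <= t <= a["ts"] + lookahead]


if __name__ == "__main__":
    logs = build_sample_logs()
    found = detect_bursts(logs)
    # Constructed: a watchdog restart logged shortly after the burst alert.
    restart = datetime(2026, 5, 13, 10, 2, 30)
    for alert, outage in correlate_outages(found, [restart]):
        print(f"{alert['user']}@{alert['srcip']} sent {alert['count']} requests in 10 s "
              f"at {alert['ts']:%H:%M:%S}; appliance restart at {outage:%H:%M:%S}")
    print(flag_deviations(per_account_peak_rpm(logs), {"ops": 3, "svc-backup": 3}))
```

The detector keys on the session rather than on source address alone, so a shared jump host used by several administrators does not produce a single merged count; the baseline check catches slower but sustained deviations that never cross the burst threshold. Thresholds are placeholders and should be set from the deployment's own request-volume history.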
How to Mitigate CVE-2025-67604
Immediate Actions Required
- Review the FortiGuard Security Advisory FG-IR-26-137 and apply the fixed releases identified by Fortinet
- Restrict administrative interface access to trusted management networks using trusted hosts configuration
- Audit administrator accounts and remove unused or shared credentials that could be abused to reach the vulnerable handler
Patch Information
Fortinet has published guidance in advisory FG-IR-26-137. Administrators should upgrade FortiAnalyzer and FortiManager to the fixed versions listed by the vendor. Branches before 7.4 do not receive feature fixes; consult the advisory for migration paths from 7.2, 7.0, and 6.4.
Workarounds
- Limit access to the GUI and JSON API to a small set of administrator source addresses via the trusted hosts allow list
- Enforce multi-factor authentication for all administrative accounts to reduce the credential exposure surface
- Rate-limit upstream proxies or load balancers in front of the management interface to throttle abusive request bursts
# Configuration example: restrict admin access using trusted hosts
config system admin
    edit "admin"
        set trusthost1 10.10.0.0 255.255.255.0
        set trusthost2 192.168.50.10 255.255.255.255
    next
end
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.