Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-67604

CVE-2025-67604: Fortinet FortiAnalyzer DoS Vulnerability

CVE-2025-67604 is a denial-of-service vulnerability in Fortinet FortiAnalyzer that allows authenticated attackers to cause system hangs through crafted HTTP requests. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-67604 Overview

CVE-2025-67604 is a denial-of-service vulnerability affecting Fortinet FortiAnalyzer and FortiManager appliances. The flaw stems from the use of a potentially dangerous function [CWE-676] in the HTTP request handler. An authenticated attacker can send multiple specially crafted HTTP requests to trigger crashes that result in a system hang.

Exploitation depends on internal lock alignment that is outside the attacker's control, which raises attack complexity. Successful exploitation disrupts log aggregation, reporting, and centralized management functions provided by these appliances.

Critical Impact

An authenticated attacker can hang FortiAnalyzer or FortiManager appliances, interrupting centralized security log analysis and device management across affected Fortinet deployments.

Affected Products

  • Fortinet FortiAnalyzer 7.6.0 through 7.6.4, 7.4.0 through 7.4.8, and all versions of 7.2, 7.0, and 6.4
  • Fortinet FortiManager 7.6.0 through 7.6.4, 7.4.0 through 7.4.8, and all versions of 7.2, 7.0, and 6.4
  • Deployments exposing the management HTTP/HTTPS interface to authenticated users

Discovery Timeline

  • 2026-05-12 - CVE-2025-67604 published to NVD
  • 2026-05-15 - Last updated in NVD database

Technical Details for CVE-2025-67604

Vulnerability Analysis

The vulnerability resides in the HTTP request processing path of FortiAnalyzer and FortiManager. According to Fortinet's advisory, the affected code uses a potentially dangerous function that does not adequately handle concurrent access conditions. When multiple specially crafted HTTP requests arrive in sequence, the handler can crash and force the appliance into a hung state.

The trigger condition depends on the alignment of internal locks between worker threads or processes. Because lock state is determined by runtime scheduling and existing system load, the attacker cannot reliably force the precise timing. This dependency raises attack complexity but does not eliminate the risk in production environments handling high request volumes.

A successful crash interrupts the appliance until it is restarted, which removes centralized logging, correlation, and policy push capabilities for the duration of the outage.

Root Cause

The issue is classified under [CWE-676] Use of Potentially Dangerous Function. The HTTP handler invokes a function whose behavior under concurrent execution is unsafe when internal locking primitives reach a specific state. The combination of the dangerous call and the lock alignment produces a fatal condition in the service process.

Attack Vector

Exploitation requires network access to the management interface and valid authentication credentials. The attacker issues multiple crafted HTTP requests targeting the vulnerable handler. No user interaction is required. Confidentiality and integrity are not affected; the impact is limited to availability through process crash and system hang.

No public proof-of-concept or in-the-wild exploitation has been reported. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

Detection Methods for CVE-2025-67604

Indicators of Compromise

  • Unexpected restarts or hang conditions on FortiAnalyzer or FortiManager processes handling HTTP requests
  • Authenticated sessions sending repeated, atypical HTTP request bursts to administrative endpoints
  • Gaps in log ingestion or device management heartbeats coinciding with management plane unresponsiveness

Detection Strategies

  • Monitor administrative HTTP/HTTPS access logs for high-frequency request patterns from a single authenticated session
  • Alert on FortiAnalyzer and FortiManager crash events, service restarts, and watchdog-triggered reboots
  • Correlate authentication events with subsequent appliance availability anomalies to identify suspicious sequences

Monitoring Recommendations

  • Track appliance uptime, CPU saturation, and HTTP worker process state through SNMP or syslog forwarding
  • Forward FortiAnalyzer and FortiManager system logs to an external SIEM for correlation against admin activity
  • Establish baselines for normal API and GUI request volumes per administrator account to surface deviations

How to Mitigate CVE-2025-67604

Immediate Actions Required

  • Review the FortiGuard Security Advisory FG-IR-26-137 and apply the fixed releases identified by Fortinet
  • Restrict administrative interface access to trusted management networks using trusted hosts configuration
  • Audit administrator accounts and remove unused or shared credentials that could be abused to reach the vulnerable handler

Patch Information

Fortinet has published guidance in advisory FG-IR-26-137. Administrators should upgrade FortiAnalyzer and FortiManager to the fixed versions listed by the vendor. Branches before 7.4 do not receive feature fixes; consult the advisory for migration paths from 7.2, 7.0, and 6.4.

Workarounds

  • Limit access to the GUI and JSON API to a small set of administrator source addresses via the trusted hosts allow list
  • Enforce multi-factor authentication for all administrative accounts to reduce the credential exposure surface
  • Rate-limit upstream proxies or load balancers in front of the management interface to throttle abusive request bursts
bash
# Configuration example: restrict admin access using trusted hosts
config system admin
  edit "admin"
    set trusthost1 10.10.0.0 255.255.255.0
    set trusthost2 192.168.50.10 255.255.255.255
  next
end

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.