Fortinet FortiSIEM & FortiOS Critical Vulnerabilities

Overview

  • CVE: CVE-2025-64155, CVE-2025-25249

  • Severity: Critical

  • Date: 14 Jan 2026


Summary

Fortinet has released urgent security updates for FortiSIEM and FortiOS to address critical vulnerabilities. CVE-2025-64155 allows unauthenticated remote code execution as root, while CVE-2025-25249 permits arbitrary code execution via the cw_acd daemon.

 

Affected Versions

FortiSIEM (CVE-2025-64155): 7.4.0, 7.3.0 through 7.3.4, 7.1.0 through 7.1.8, 7.0.0 through 7.0.4, 6.7.0 through 6.7.10.

FortiOS (CVE-2025-25249): 7.6.0 through 7.6.3, 7.4.0 through 7.4.8, 7.2.0 through 7.2.11, 7.0.0 through 7.0.17, 6.4.0 through 6.4.16.

FortiSwitchManager (CVE-2025-25249): 7.2.0 through 7.2.6, 7.0.0 through 7.0.5.



Vulnerability Breakdown

CVE-2025-64155 – Unauthenticated Remote Command Injection

Severity: Critical

CVSS: 9.4

Description: An improper neutralization of special elements used in an OS command in FortiSIEM allows an attacker to execute unauthorized code or commands via crafted TCP requests.

Impact: Remote Code Execution (RCE) as root.

Conditions: Unauthenticated access to the target system.

Notes: Allows an attacker to gain root on FortiSIEM remotely.


CVE-2025-25249 – Heap-based Buffer Overflow

Severity: High

CVSS: 7.4

Description: A heap-based buffer overflow in the FortiOS and FortiSwitchManager cw_acd daemon.

Impact: Execute arbitrary code or commands.

Conditions: Remote unauthenticated attacker via specially crafted requests.

Notes: Affects the cw_acd daemon.


Mitigation

Upgrade to the latest versions provided by Fortinet:

  • FortiSIEM: Upgrade to fixed release.

  • FortiOS: Upgrade to 7.6.4, 7.4.9, 7.2.12, 7.0.18, 6.4.17 or above.

  • FortiSwitchManager: Upgrade to 7.2.7, 7.0.6 or above.

Workaround (CVE-2025-25249):

  • Remove “fabric” access from interfaces, or block CAPWAP-CONTROL access to ports 5246-5249.
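
A triage helper for the affected ranges and fixed releases listed above, added here as an example and not Fortinet's or this site's own tooling. The inventory rows, function names and status strings are assumptions; a version outside the listed ranges is reported as "not listed" rather than safe, because the advisory only enumerates these branches.

```python
# Ranges and fixed releases transcribed from this advisory (added example).
AFFECTED = {
    "FortiSIEM": ("CVE-2025-64155", ["7.4.0-7.4.0", "7.3.0-7.3.4", "7.1.0-7.1.8",
                                     "7.0.0-7.0.4", "6.7.0-6.7.10"]),
    "FortiOS": ("CVE-2025-25249", ["7.6.0-7.6.3", "7.4.0-7.4.8", "7.2.0-7.2.11",
                                   "7.0.0-7.0.17", "6.4.0-6.4.16"]),
    "FortiSwitchManager": ("CVE-2025-25249", ["7.2.0-7.2.6", "7.0.0-7.0.5"]),
}
# The advisory names no fixed FortiSIEM build, so FortiSIEM has no entry here.
FIXED = {
    "FortiOS": ["7.6.4", "7.4.9", "7.2.12", "7.0.18", "6.4.17"],
    "FortiSwitchManager": ["7.2.7", "7.0.6"],
}

def parse(version):
    """'v7.4.8' or '7.4.8 build0123' -> (7, 4, 8), so 6.7.10 sorts above 6.7.9."""
    core = version.strip().lstrip("vV").split()[0]
    parts = tuple(int(p) for p in core.split("."))
    if len(parts) != 3:
        raise ValueError(f"expected major.minor.patch, got {version!r}")
    return parts

def triage(product, version):
    """Return (status, cve, same-branch fixed release or None)."""
    if product not in AFFECTED:
        return ("unknown product", None, None)
    cve, ranges = AFFECTED[product]
    v = parse(version)
    for r in ranges:
        low, high = (parse(x) for x in r.split("-"))
        if low <= v <= high:
            # Pick the fixed release that shares major.minor with this host.
            target = next((f for f in FIXED.get(product, [])
                           if parse(f)[:2] == v[:2]), None)
            return ("affected", cve, target)
    return ("not listed", None, None)

# Constructed inventory rows: hostnames and versions are made up for the demo.
INVENTORY = [
    ("fw-edge-01", "FortiOS", "v7.2.11"),
    ("fw-dc-02", "FortiOS", "7.4.9"),
    ("siem-01", "FortiSIEM", "6.7.10"),
    ("fsm-01", "FortiSwitchManager", "7.0.5 build0123"),
]

def report(inventory):
    return [(host, *triage(product, ver)) for host, product, ver in inventory]

if __name__ == "__main__":
    for row in report(INVENTORY):
        print(row)
```

Hosts that come back "affected" with no target are FortiSIEM systems, for which the fixed build has to be taken from Fortinet's own advisory.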


Summary for IT Teams

Products: Fortinet FortiSIEM, FortiOS, FortiSwitchManager

Threat Level: Critical, CVSS 9.4

Action Required: Patch immediately.


Australia is secure when
Australian talent defends it.

Reach out today to discuss how with Lumara, we can work together to protect your business from the always changing Australian threat landscape.
