Advisory

Fortinet FortiManager vulnerability allows remote command execution

Take action: If you are using Fortinet FortiManager, plan a quick patch. In the interim, make sure the HTTP/HTTPS interface is isolated from the internet or disable fgtupdates in the system interface settings to close the attack vector.


Learn More

Fortinet has disclosed a high-severity vulnerability in its FortiManager platform that allows attackers to seize control of FortiManager, enabling them to steal sensitive configurations, manipulate firewall rules, and maintain long-term network access. 

The flaw is tracked as CVE-2025-54820 (CVSS score 7.0), a stack-based buffer overflow (CWE-121) in the FortiManager fgtupdates service. Specially crafted HTTP requests let an unauthenticated remote attacker overwrite memory and execute arbitrary code or commands. A successful exploit grants the attacker the ability to run unauthorized commands with the privileges of the affected service.

Affected versions of FortiManager are:

  • FortiManager 7.4 versions 7.4.0 through 7.4.2
  • FortiManager 7.2 versions 7.2.0 through 7.2.10
  • FortiManager 6.4 (all versions)

Fortinet confirmed that FortiManager 7.6 and FortiManager Cloud instances are not impacted by this vulnerability and require no immediate action.

Fortinet strongly advises upgrading deployments to patched versions. Organizations should upgrade to FortiManager version 7.4.3 or later, or version 7.2.11 or later, while those on the 6.4 branch should migrate to a supported release. 

If immediate patching is not possible, organizations can mitigate the risk by disabling the fgtupdates service on all system interfaces using the command-line interface to block the attack vector.
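As an added triage example (not Fortinet's code), the following script applies the affected-version ranges listed above to a constructed FortiManager inventory and produces a patch worklist; the hostnames and version strings are constructed sample data.

```python
# Added example (not Fortinet's code): apply the advisory's affected-version
# ranges to a constructed inventory. Versions are compared numerically,
# because a plain string compare would sort 7.2.10 before 7.2.2.
import csv
import io

# Branch -> highest affected patch level, taken from the advisory.
AFFECTED_PATCH_MAX = {(7, 4): 2, (7, 2): 10, (6, 4): None}  # None = every 6.4 release
FIXED_IN = {(7, 4): "upgrade to 7.4.3 or later",
            (7, 2): "upgrade to 7.2.11 or later",
            (6, 4): "migrate to a supported release"}
NOT_IMPACTED = {(7, 6)}  # advisory: 7.6 (and FortiManager Cloud) not impacted

def parse_version(text):
    """Turn 'FortiManager 7.2.10' or '7.2.10' into (7, 2, 10); reject anything else."""
    token = text.strip().split()[-1]
    parts = token.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in parts)

def assess(version):
    """Return (affected, action) for one FortiManager version string."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in NOT_IMPACTED:
        return False, "not impacted per advisory"
    if branch not in AFFECTED_PATCH_MAX:
        return False, "branch not listed in advisory; confirm with vendor"
    limit = AFFECTED_PATCH_MAX[branch]
    if limit is None or patch <= limit:
        return True, FIXED_IN[branch]
    return False, "already at a fixed release"

# Constructed sample inventory (hypothetical hosts), not real systems.
INVENTORY_CSV = """host,version
fmg-dc1,7.2.10
fmg-dc2,7.4.3
fmg-lab,6.4.15
fmg-cloud-eu,7.6.1
"""

def triage(csv_text):
    """Map each host to its assessment; the affected hosts are the patch worklist."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["host"]: assess(r["version"]) for r in rows}

if __name__ == "__main__":
    for host, (affected, action) in triage(INVENTORY_CSV).items():
        print(f"{host:14} {'AFFECTED' if affected else 'ok':9} {action}")
```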
