A stack-based buffer overflow vulnerability [CWE-121] vulnerability in Fortinet FortiCamera 2.1.0 through 2.1.3, FortiCamera 2.0 all versions, FortiCamera 1.1 all versions, FortiMail 7.6.0 through 7.6.2, FortiMail 7.4.0 through 7.4.4, FortiMail 7.2.0 through 7.2.7, FortiMail 7.0.0 through 7.0.8, FortiNDR 7.6.0, FortiNDR 7.4.0 through 7.4.7, FortiNDR 7.2.0 through 7.2.4, FortiNDR 7.0.0 through 7.0.6, FortiRecorder 7.2.0 through 7.2.3, FortiRecorder 7.0.0 through 7.0.5, FortiRecorder 6.4.0 through 6.4.5, FortiVoice 7.2.0, FortiVoice 7.0.0 through 7.0.6, FortiVoice 6.4.0 through 6.4.10 allows a remote unauthenticated attacker to execute arbitrary code or commands via sending HTTP requests with specially crafted hash cookie.
An attacker sends a specially crafted HTTP request containing a maliciously constructed hash cookie value. Improper handling of this value causes a stack-based buffer overflow (CWE-121 / CWE-787), which enables overwriting of process memory areas. The attack does not require any authentication or user interaction — network access to the vulnerable HTTP interface is sufficient.
Successful exploitation of the vulnerability allows an attacker to execute arbitrary code or system commands with the privileges of the vulnerable process, which in practice means complete takeover of the device.
Immediately apply patches available from the manufacturer in accordance with the official Fortinet security advisory (FG-IR-25-254) available at https://fortiguard.fortinet.com/psirt/FG-IR-25-254. Until the patch is implemented, consider restricting access to HTTP interfaces of vulnerable devices to trusted IP addresses only and increase monitoring of network traffic.
FortiCamera 1.1 (all versions), FortiCamera 2.0 (all versions), FortiCamera 2.1.0–2.1.3; FortiMail 7.0.0–7.0.8, 7.2.0–7.2.7, 7.4.0–7.4.4, 7.6.0–7.6.2; FortiNDR 7.0.0–7.0.6, 7.2.0–7.2.4, 7.4.0–7.4.7, 7.6.0; FortiRecorder 6.4.0–6.4.5, 7.0.0–7.0.5, 7.2.0–7.2.3; FortiVoice 6.4.0–6.4.10, 7.0.0–7.0.6, 7.2.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HFortinet Forticamera
HWFortinetwszystkie wersjeFortinet Forticamera Firmware
OSFortinet1.1.0 – 1.1.52.0.0 – 2.1.3Fortinet Fortimail
APPFortinet7.6.0 – 7.6.3 (bez)7.0.0 – 7.0.9 (bez)7.2.0 – 7.2.8 (bez)7.4.0 – 7.4.5 (bez)Fortinet Fortindr
APPFortinet1.1.01.2.01.3.01.4.01.5.07.1.07.1.17.6.07.0.0 – 7.0.7 (bez)7.4.0 – 7.4.8 (bez)7.2.0 – 7.2.5 (bez)Fortinet Fortirecorder
APPFortinet6.4.0 – 6.4.6 (bez)7.0.0 – 7.0.6 (bez)7.2.0 – 7.2.4 (bez)Fortinet Fortivoice
APPFortinet7.2.06.4.0 – 6.4.11 (bez)7.0.0 – 7.0.7 (bez)
CISA KEV — detailsi
- Vendori
- Fortinet ↗
- Producti
- Multiple Products
- Added to KEVi
- May 14, 2025
- Remediation deadline (US Federal)i
- June 4, 2025(overdue)
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Fortinet FortiFone, FortiVoice, FortiNDR and FortiMail contain a stack-based overflow vulnerability that may allow a remote unauthenticated attacker to execute arbitrary code or commands via crafted HTTP requests.
Related vulnerabilities
FortiMail: Pominięcie uwierzytelnienia admina przez RADIUS i remote_wildcard
An improper authentication vulnerability in FortiMail before 7.0.1 may allow a remote attacker to efficiently ...
Multiple improper neutralization of special elements of SQL commands vulnerabilities in FortiMail before 6.4.4...
An improper authentication vulnerability in FortiMail 5.4.10, 6.0.7, 6.2.2 and earlier and FortiVoiceEntrepris...
An improper neutralization of special elements used in an SQL Command ("SQL Injection&") vulnerability [CWE-89...