High-Severity Remote Code Execution Vulnerability in Fortinet FortiOS and FortiSwitchManager (CVE-2025-25249)
January 19th, 2026
High
%20Allows%20Remote%20Code%20Execution%20via%20V8%20Eng.png)
Our Cyber Threat Intelligence Unit is tracking a high-severity remote code execution (RCE) vulnerability affecting Fortinet FortiOS and FortiSwitchManager, identified as CVE-2025-25249. Publicly disclosed on January 13, 2026, the vulnerability resides in the cw_acd daemon, where improper bounds checking allows specially crafted network packets to trigger a heap-based buffer overflow. Successful exploitation may allow unauthenticated remote attackers to execute arbitrary code or commands on affected systems. Fortinet has released security updates as part of its January 2026 patch cycle. Given the vulnerability’s network-exposed attack vector and impact on core network infrastructure, organizations running affected Fortinet products should treat this issue as a priority for remediation.
Technical Details
CVE ID: CVE-2025-25249
Severity: High (CVSS 8.1)
Note: NVD currently displays an alternate enriched score of 9.8 (Critical) using a different attack complexity assessment. Fortinet’s CNA score of 8.1 (High) is used as the primary reference.
Vulnerability Type: Heap-based buffer overflow
CWE: CWE-122 (Heap-Based Buffer Overflow)
(NVD additionally maps CWE-787: Out-of-bounds Write)
Affected Component: cw_acd daemon (CAPWAP / fabric-related communications)
Attack Vector:
Remote, network-based
No authentication required
No user interaction required
Triggered via specially crafted packets sent to exposed services handled by the cw_acd daemon
Affected Versions and Fixes:
FortiOS:
FortiOS 7.6: Versions 7.6.0 – 7.6.3 → Upgrade to 7.6.4 or later
FortiOS 7.4: Versions 7.4.0 – 7.4.8 → Upgrade to 7.4.9 or later
FortiOS 7.2: Versions 7.2.0 – 7.2.11 → Upgrade to 7.2.12 or later
FortiOS 7.0: Versions 7.0.0 – 7.0.17 → Upgrade to 7.0.18 or later
FortiOS 6.4: Versions 6.4.0 – 6.4.16 → Upgrade to 6.4.17 or later
FortiSASE:
FortiSASE 25.2: Version 25.2.b → Upgrade to 25.2.c or later
FortiSASE 25.1: Version 25.1.a.2 → Migrate to a fixed/updated release
FortiSwitchManager:
FortiSwitchManager 7.2: Versions 7.2.0 – 7.2.6 → Upgrade to 7.2.7 or later
FortiSwitchManager 7.0: Versions 7.0.0 – 7.0.5 → Upgrade to 7.0.6 or later
Impact
Successful exploitation of CVE-2025-25249 may result in:
Remote Code Execution: Arbitrary code or command execution without authentication
Unauthorized System Control: Manipulation of device configurations or security policies
Service Disruption: Crashes, instability, or traffic interruption affecting network operations
Lateral Movement: Compromised network infrastructure may provide a foothold for further internal compromise
Given FortiOS’s role in perimeter security and traffic inspection, exploitation could have outsized operational and security consequences.
Detection Method
Defenders should consider the following detection and validation approaches:
Network Traffic Analysis: Monitor for malformed or anomalous packets targeting FortiOS or FortiSwitchManager services associated with cw_acd
System and Daemon Logs: Review logs for crashes, segmentation faults, or abnormal restarts of the cw_acd daemon
Behavioral Monitoring: Detect unexpected command execution or anomalous process behavior on FortiGate appliances
Vulnerability Scanning: Identify devices running vulnerable firmware versions and flag unpatched systems
Indicators of Compromise
There are no Indicators of Compromise (IOCs) for this Advisory.
Recommendations
Immediately upgrade all affected FortiOS, FortiSwitchManager, and FortiSASE deployments to the fixed versions listed above
Apply temporary mitigations if patching is delayed:
Remove or restrict fabric access
Limit or block CAPWAP-CONTROL exposure where feasible
Restrict management interfaces to trusted networks and administrative users only
Audit configurations for unauthorized changes following patching
Enhance logging and alerting for daemon crashes, abnormal traffic patterns, or unexpected command execution
Conclusion
CVE-2025-25249 is a high-severity heap-based buffer overflow vulnerability affecting Fortinet FortiOS and FortiSwitchManager. It allows unauthenticated remote code execution via specially crafted network traffic. The vulnerability’s network-accessible nature and impact on widely deployed security infrastructure elevate its risk profile in enterprise environments. We urge organizations to patch immediately, reduce exposure, and enhance monitoring to mitigate associated risks.