Authentication Vulnerability in FortiPAM and FortiSwitch Manager Exploited in Targeted Attacks (CVE-2025-49201)
October 27th, 2025
Critical
%20Allows%20Remote%20Code%20Execution%20via%20V8%20Eng.png)
Our Cyber Threat Intelligence Unit is monitoring CVE-2025-49201, an authentication vulnerability affecting the Web Administration Daemon/Graphical User Interface (WAD/GUI) management components of FortiPAM and FortiSwitch Manager. First disclosed in mid-October 2025, this vulnerability allows unauthenticated attackers to send crafted HTTP(S) requests that lead to unauthorized command or code execution on vulnerable devices. Since these products manage privileged network access and core switching infrastructure, successful exploitation could grant adversaries a strong foothold for lateral movement, operational disruption, and ongoing network compromise. Vendors have released patched updates, but unpatched systems remain vulnerable and must be remediated as soon as possible.
Technical Details
Attack Type: Authentication bypass enabling unauthorized command/code execution.
Severity: Critical (9.8)
Fortinet vendor score is 8.1 (High), but we recommend treating this as critical.
CVE ID: CVE-2025-49201
Delivery Method: Exploitation of FortiPAM and FortiSwitch Manager web interfaces.
Technique: Crafted HTTP(S) requests to administrative management endpoints
Affected Products:
FortiPAM: 1.5.0, 1.4.0–1.4.2, All 1.3.x / 1.2.x / 1.1.x / 1.0.x branches.
FortiSwitch Manager: 7.2.0–7.2.4
FortiPAM Fixed Versions: 1.5.1, 1.4.3 (1.6 and 1.7 confirmed not affected).
FortiSwitch Manager Fixed Version: 7.2.5
Impact
Successful exploitation may provide adversaries:
Execution of unauthorized system-level commands.
Administrative control over privileged access workflows and switch configurations.
Visibility into and control over network traffic flows.
Opportunities to deploy persistence, pivot inside the network, or disrupt operations.
This vulnerability affects the management plane, amplifying potential business impact and incident blast radius.
Detection Method
Security teams should:
Identify FortiPAM / FortiSwitch Manager deployments and immediately map version exposure.
Monitor for malformed or unexpected HTTP(S) requests to admin endpoints.
Alert on:
New or modified privileged admin accounts.
Unexpected password or policy changes.
Spontaneous service restarts or error surges in WAD/GUI logs.
Correlate management anomalies with EDR and identity-layer telemetry to detect pivot attempts.
Indicators of Compromise
There are No Indicators of Compromise (IOCs) for this Advisory.
Recommendations
Patch immediately per vendor guidance:
FortiPAM → 1.5.1 / 1.4.3 (migrate older branches to supported releases).
FortiSwitch Manager → 7.2.5.
Restrict management interfaces:
Remove internet exposure.
Allowlist admin sources (trusted VLANs, OOB networks).
Enforce strong authentication:
MFA mandatory for all administrative access.
Remove stale accounts, validate RBAC privileges.
Credential hygiene:
Rotate admin credentials where compromise is suspected.
Verify configuration integrity for unauthorized changes.
Conclusion
CVE-2025-49201 and related Fortinet WAD/GUI vulnerabilities present a significant operational risk by targeting privileged network management infrastructure. Unauthorized command execution due to improper authentication increases the likelihood of rapid escalation, service disruption, and long-term persistence by threat actors. Fortinet has published fixes, and we urge organizations to prioritize immediate patching, strict access control, MFA enforcement, and proactive hunting across the management plane. Rapid containment and integrity verification of affected management appliances are essential to prevent lateral movement and persistent network compromise.