Overview

  • CVE: CVE-2025-64155, CVE-2025-25249
  • Severity: Critical
  • Date: 14 Jan 2026

Summary

Fortinet has released urgent security updates for FortiSIEM and FortiOS to address critical vulnerabilities. CVE-2025-64155 allows unauthenticated remote code execution as root, while CVE-2025-25249 permits arbitrary code execution via the cw_acd daemon.

Affected Versions

  • FortiSIEM (CVE-2025-64155): 7.4.0, 7.3.0 through 7.3.4, 7.1.0 through 7.1.8, 7.0.0 through 7.0.4, 6.7.0 through 6.7.10.
  • FortiOS (CVE-2025-25249): 7.6.0 through 7.6.3, 7.4.0 through 7.4.8, 7.2.0 through 7.2.11, 7.0.0 through 7.0.17, 6.4.0 through 6.4.16.
  • FortiSwitchManager (CVE-2025-25249): 7.2.0 through 7.2.6, 7.0.0 through 7.0.5.

Vulnerability Breakdown

CVE-2025-64155 – Unauthenticated Remote Command Injection

  • Severity: Critical
  • CVSS: 9.4
  • Description: An improper neutralization of special elements used in an OS command in FortiSIEM allows an attacker to execute unauthorized code or commands via crafted TCP requests.
  • Impact: Remote Code Execution (RCE) as root.
  • Conditions: Unauthenticated access to the target system.
  • Notes: Allows a remote attacker to gain root on the FortiSIEM host.

CVE-2025-25249 – Heap-based Buffer Overflow

  • Severity: High
  • CVSS: 7.4
  • Description: A heap-based buffer overflow in the FortiOS and FortiSwitchManager cw_acd daemon.
  • Impact: Execute arbitrary code or commands.
  • Conditions: Remote unauthenticated attacker via specifically crafted requests.
  • Notes: Affects the cw_acd daemon.

Mitigation

Upgrade to the latest versions provided by Fortinet:

  • FortiSIEM: Upgrade to fixed release.
  • FortiOS: Upgrade to 7.6.4, 7.4.9, 7.2.12, 7.0.18, 6.4.17 or above.
  • FortiSwitchManager: Upgrade to 7.2.7, 7.0.6 or above.

Workaround (CVE-2025-25249):

  • Remove “fabric” access from the affected interfaces, or block CAPWAP-CONTROL access to ports 5246-5249.
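Working out which devices in an estate fall inside the affected ranges above, and which fixed release each one needs, is the first job for most teams. The following script is an added example and not part of this advisory or Fortinet's tooling: it encodes the affected ranges and fixed releases exactly as listed on this page (FortiSIEM has no fixed build number here, so it reports none) and runs them over a constructed inventory. Host names, the CSV layout and the inventory contents are assumptions for illustration.

```python
"""Check a device inventory against the affected-version ranges in this advisory.
Added example, not code from the advisory or from Fortinet."""
from dataclasses import dataclass
from typing import Optional


def parse_version(text: str) -> tuple:
    """'7.4.8' -> (7, 4, 8); shorter strings such as '7.4' are zero-padded to three parts."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))


# Inclusive (low, high) ranges and fixed releases as given in the advisory.
# FortiSIEM: the page only says "upgrade to fixed release", so its fixed map is empty.
ADVISORY = {
    "FortiSIEM": {
        "cve": "CVE-2025-64155",
        "ranges": [("7.4.0", "7.4.0"), ("7.3.0", "7.3.4"), ("7.1.0", "7.1.8"),
                   ("7.0.0", "7.0.4"), ("6.7.0", "6.7.10")],
        "fixed": {},
    },
    "FortiOS": {
        "cve": "CVE-2025-25249",
        "ranges": [("7.6.0", "7.6.3"), ("7.4.0", "7.4.8"), ("7.2.0", "7.2.11"),
                   ("7.0.0", "7.0.17"), ("6.4.0", "6.4.16")],
        "fixed": {"7.6": "7.6.4", "7.4": "7.4.9", "7.2": "7.2.12",
                  "7.0": "7.0.18", "6.4": "6.4.17"},
    },
    "FortiSwitchManager": {
        "cve": "CVE-2025-25249",
        "ranges": [("7.2.0", "7.2.6"), ("7.0.0", "7.0.5")],
        "fixed": {"7.2": "7.2.7", "7.0": "7.0.6"},
    },
}


@dataclass
class Finding:
    host: str
    product: str
    version: str
    affected: bool
    cve: Optional[str]    # None when not affected
    fixed: Optional[str]  # None when not affected or when the advisory names no fixed build


def check(product: str, version: str, host: str = "-") -> Finding:
    """Return whether product/version lies in an affected range and the fixed release if known."""
    entry = ADVISORY.get(product)
    if entry is None:
        raise ValueError(f"product not covered by this advisory: {product}")
    v = parse_version(version)
    affected = any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in entry["ranges"])
    branch = f"{v[0]}.{v[1]}"  # fixed builds are per release branch (7.4 -> 7.4.9)
    fixed = entry["fixed"].get(branch) if affected else None
    return Finding(host, product, version, affected, entry["cve"] if affected else None, fixed)


def scan_inventory(lines) -> list:
    """Parse 'host,product,version' lines and return only the affected devices."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, product, version = (field.strip() for field in line.split(","))
        finding = check(product, version, host)
        if finding.affected:
            findings.append(finding)
    return findings


# Constructed sample inventory for the example; these are not real hosts.
SAMPLE_INVENTORY = """
# host,product,version
fw-edge-01,FortiOS,7.4.8
fw-edge-02,FortiOS,7.4.9
siem-core,FortiSIEM,7.3.4
siem-lab,FortiSIEM,7.2.0
fsm-dc,FortiSwitchManager,7.0.5
""".splitlines()

if __name__ == "__main__":
    for f in scan_inventory(SAMPLE_INVENTORY):
        fix = f.fixed or "fixed release per vendor advisory"
        print(f"{f.host}: {f.product} {f.version} affected by {f.cve}; upgrade to {fix}")
```

Feed it the output of whatever asset source you already have (CMDB export, FortiManager device list) in the same three-column shape; a product name it does not know raises rather than silently reporting "not affected", which is the safer failure for a patch sweep.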

Summary for IT Teams

  • Products: Fortinet FortiSIEM, FortiOS, FortiSwitchManager
  • Threat Level: Critical, CVSS 9.4
  • Action Required: Patch immediately.

Need Help?

If your organisation requires assistance identifying affected systems, applying these updates or reviewing device security policies, please contact our SOC team via soc@secure-iss.com.