CVE-2025-54820
Published: 10 March 2026
Summary
CVE-2025-54820 is a high-severity stack-based buffer overflow (CWE-121) vulnerability in Fortinet FortiManager. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 18.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation: requires timely identification, reporting, and patching of the stack-based buffer overflow flaw in FortiManager, directly eliminating the vulnerability.
- SI-10 (Information Input Validation): mandates validation of incoming requests to the vulnerable service, preventing crafted inputs from triggering the buffer overflow.
- CM-7 (Least Functionality): restricts or disables the unnecessary vulnerable service on FortiManager, preventing remote unauthenticated access and exploitation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stack-based buffer overflow in FortiManager's network-exposed service directly enables remote unauthenticated RCE via crafted requests, mapping to exploitation of public-facing applications.
NVD Description
A stack-based buffer overflow vulnerability [CWE-121] in Fortinet FortiManager 7.4.0 through 7.4.2, FortiManager 7.2.0 through 7.2.10, and FortiManager 6.4 all versions may allow a remote unauthenticated attacker to execute unauthorized commands via crafted requests, if the service is enabled. The success of the attack depends on the ability to bypass the stack protection mechanisms.
Deeper analysis
CVE-2025-54820 is a stack-based buffer overflow vulnerability (CWE-121 and CWE-787) affecting Fortinet FortiManager versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.10, and all versions of 6.4. The flaw arises in a service that, when enabled, can be triggered by crafted requests, potentially leading to unauthorized command execution. Published on 2026-03-10 with a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), it highlights high-impact risks across confidentiality, integrity, and availability despite requiring high attack complexity.
A remote unauthenticated attacker can exploit this vulnerability over the network by sending specially crafted requests to the vulnerable service on an affected FortiManager instance. Successful exploitation enables execution of unauthorized commands, though it hinges on the attacker's ability to bypass stack protection mechanisms. No privileges, user interaction, or scope changes are required, making it viable against internet-exposed or internally accessible FortiManager systems where the service is active.
The Fortinet PSIRT advisory at https://fortiguard.fortinet.com/psirt/FG-IR-26-098 details mitigation steps and affected versions. Security practitioners should consult this reference for patch availability, workarounds, and configuration guidance to disable the service if feasible.
Details
- CWE(s)