CVE-2025-64157
Published: 10 February 2026
Summary
CVE-2025-64157 is a medium-severity Use of Externally-Controlled Format String (CWE-134) vulnerability in Fortinet FortiOS. Its CVSS base score is 6.7 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). By exploit likelihood it ranks at the 4.1 percentile (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).
Deeper analysis
CVE-2025-64157 is a use of externally-controlled format string vulnerability (CWE-134) in Fortinet FortiOS. The affected versions are FortiOS 7.6.0 through 7.6.4, 7.4.0 through 7.4.9, 7.2.0 through 7.2.11, and all versions of FortiOS 7.0. It carries a CVSS v3.1 base score of 6.7 (AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H): the impact metrics for confidentiality, integrity, and availability are all High, and the score stays in the medium band only because the vector requires local access (AV:L) and high privileges (PR:H).
An authenticated administrator with local access can exploit the vulnerability by submitting specifically crafted configuration data. Successful exploitation allows execution of unauthorized code or commands on the affected system.
Mitigation details are provided in the Fortinet PSIRT advisory at https://fortiguard.fortinet.com/psirt/FG-IR-25-795.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-207129
Vulnerability details
A use of externally-controlled format string vulnerability in Fortinet FortiOS 7.6.0 through 7.6.4, FortiOS 7.4.0 through 7.4.9, FortiOS 7.2.0 through 7.2.11, FortiOS 7.0 all versions allows an authenticated admin to execute unauthorized code or commands via specifically crafted configuration.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Format string vulnerability in local config handling directly enables local code/command execution by a privileged admin, mapping to exploitation for privilege escalation.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of configuration inputs to reject or sanitize externally-controlled format strings before they reach the vulnerable parser.
- Restricts which authenticated administrators are permitted to submit configuration changes, reducing the population that can supply the crafted data.
- AC-6 (Least Privilege): enforces least privilege so that even authenticated admins lack unnecessary rights to exercise the code-execution path via configuration.
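As an added illustration of the CWE-134 pattern behind this CVE and of the SI-10 style input validation described above (not FortiOS code and not from the Fortinet advisory), the C block below shows a configuration value used as a format string beside the hardened form, plus a validation routine that rejects conversion specifiers before the value reaches the formatting call. The handler name, the "login banner" setting and the sample values are constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* SI-10 style check for a configuration value that will later be logged or
 * echoed: reject any printf conversion specifier. A doubled "%%" is the
 * escaped literal percent sign and is allowed. */
bool config_value_is_safe(const char *value)
{
    for (const char *p = value; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') { p++; continue; }  /* "%%": literal percent */
        return false;                        /* "%" + anything else: specifier */
    }
    return true;
}

/* CWE-134 pattern: the externally supplied value IS the format string. */
int render_banner_unsafe(char *out, size_t n, const char *value)
{
    return snprintf(out, n, value);
}

/* Hardened pattern: fixed format, the value is only ever data. */
int render_banner_safe(char *out, size_t n, const char *value)
{
    return snprintf(out, n, "%s", value);
}

/* Constructed config handler that validates before use. Returns 0 on success,
 * -1 when the value is rejected or would be truncated (out then untouched). */
int set_login_banner(char *out, size_t n, const char *value)
{
    if (!config_value_is_safe(value))
        return -1;
    int len = render_banner_safe(out, n, value);
    return (len < 0 || (size_t)len >= n) ? -1 : 0;
}

int main(void)
{
    char buf[64];
    const char *good = "Authorized use only";  /* constructed sample values */
    const char *bad = "Welcome %s %x";
    printf("\"%s\" -> %d\n", good, set_login_banner(buf, sizeof buf, good));
    printf("\"%s\" -> %d\n", bad, set_login_banner(buf, sizeof buf, bad));
    return 0;
}
```

On ordinary values the unsafe and hardened renderers produce identical output, which is why this defect class survives functional testing; only the validation step or the fixed-format call stops a value carrying specifiers.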