Fortinet warns FortiManager flaw can let attackers run unauthorized commands


Fortinet has disclosed a high-severity FortiManager vulnerability that can let a remote, unauthenticated attacker execute unauthorized commands if a specific service is enabled. The flaw, tracked as CVE-2025-54820, affects several on-premises FortiManager versions and carries a CVSS v3 score of 7.0.

The issue sits in the fgtupdates service and stems from a stack-based buffer overflow. Fortinet says an attacker could trigger it with crafted requests, but successful exploitation also depends on bypassing stack protection mechanisms. That lowers the practical ease of attack, though the bug still matters because FortiManager often sits near the center of enterprise security operations.

Fortinet published the advisory on March 10, 2026, under PSIRT reference FG-IR-26-098. The company also says FortiManager Cloud is not affected, which narrows the exposure to supported on-premises deployments.

What CVE-2025-54820 means for admins

This vulnerability matters because FortiManager is a centralized management platform. In many environments, it handles policy, device, and update workflows across multiple Fortinet products. A flaw that allows unauthorized commands on such a platform can create a serious risk even when exploitation conditions are narrower than a typical critical bug.

Fortinet does not describe this issue as actively exploited in the advisory. Even so, security teams usually move quickly on network management flaws because attackers often look for trusted control points that can help them move deeper into an environment. That risk increases if the exposed service runs on a reachable interface. The vendor’s own workaround focuses on disabling the fgtupdates service when admins cannot patch right away.

Affected FortiManager versions

Fortinet says the following versions are affected and gives clear upgrade guidance.

| Product branch | Affected versions | Recommended action |
| --- | --- | --- |
| FortiManager 7.6 | Not affected | No action needed |
| FortiManager 7.4 | 7.4.0 through 7.4.2 | Upgrade to 7.4.3 or later |
| FortiManager 7.2 | 7.2.0 through 7.2.10 | Upgrade to 7.2.11 or later |
| FortiManager 6.4 | All versions | Migrate to a fixed release |

Fortinet also states that FortiManager Cloud is not affected by CVE-2025-54820. That is an important detail for enterprises that split management between cloud and on-prem deployments.

Why this FortiManager bug is serious

The advisory says the flaw can allow “unauthorized commands,” which signals more than a simple crash or denial of service. In practical terms, that means a successful attacker may be able to push actions onto the target system without logging in first, provided the vulnerable service is exposed and other protections do not stop the attempt.

Fortinet also notes that the service must be enabled for the bug to matter. That point gives admins a useful first triage step. Teams should verify whether fgtupdates is active on any interface, especially one that an attacker could reach from untrusted or less trusted networks.

Mitigation and workaround

Fortinet’s preferred fix is simple. Upgrade to a patched release on supported branches, or move off the unsupported 6.4 line.

If you cannot patch immediately, Fortinet says to disable the fgtupdates service. The vendor provides the following CLI example in the advisory.

    config system interface
        edit <portID>
            set serviceaccess <service>
    end

Fortinet adds that <service> should not include fgtupdates. In other words, admins should remove that service from enabled access lists on exposed interfaces.

What security teams should do now

Security teams should start with exposure validation, not just patch planning. The advisory makes clear that service state matters here.

  • Check whether FortiManager runs an affected branch.
  • Confirm whether fgtupdates is enabled on any interface.
  • Prioritize upgrades to 7.4.3+ or 7.2.11+ where relevant.
  • Plan migration from 6.4 if that branch remains in production.
  • Limit reachability to management interfaces while patching.
  • Review logs and access patterns for unusual requests to affected services.

That sequence helps teams reduce risk fast, even before full maintenance windows open up. It also fits the way Fortinet frames the issue in its own guidance.
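As an added triage example (not from Fortinet's advisory or this article), the following Python script covers the first three checklist items and the workaround from the Mitigation section: it classifies a FortiManager version string against the affected ranges given above, flags interfaces whose serviceaccess list includes fgtupdates, and builds the remediation CLI with that service removed. The config text and version strings are constructed samples that only approximate FortiManager output, and the "unset serviceaccess" form used when no service remains is an assumption about the CLI.

```python
import re
# Affected ranges as stated above: 7.4.0-7.4.2, 7.2.0-7.2.10 and every 6.4 build; 7.6 is clean.
AFFECTED = {
    (7, 4): ((0, 2), "upgrade to 7.4.3 or later"),
    (7, 2): ((0, 10), "upgrade to 7.2.11 or later"),
    (6, 4): (None, "migrate to a fixed release"),
}
# Constructed sample approximating 'show system interface' output; not from a real device.
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set serviceaccess fgtupdates webfilter-antispam
    next
    edit "port2"
        set serviceaccess webfilter-antispam
    next
end
"""
def version_status(text: str) -> str:
    """Classify a version string such as 'v7.4.2-build2571' against the affected ranges."""
    m = re.search(r"v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return "unknown version"
    major, minor, patch = (int(x) for x in m.groups())
    entry = AFFECTED.get((major, minor))
    if entry is None:
        return "not affected"
    patch_range, action = entry
    if patch_range is None or patch_range[0] <= patch <= patch_range[1]:
        return f"affected: {action}"
    return "not affected"

def interfaces_exposing_fgtupdates(config: str) -> dict[str, list[str]]:
    """Map each interface whose serviceaccess list includes fgtupdates to that list."""
    exposed: dict[str, list[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("edit "):  # an interface block opens; 'next' closes it
            current = line.split(None, 1)[1].strip('"')
        elif line.startswith("set serviceaccess ") and current:
            if "fgtupdates" in (services := line.split()[2:]):
                exposed[current] = services
    return exposed

def remediation_commands(port: str, services: list[str]) -> list[str]:
    """Workaround CLI with fgtupdates removed ('unset serviceaccess' for an empty list is assumed)."""
    kept = [s for s in services if s != "fgtupdates"]
    setter = f"set serviceaccess {' '.join(kept)}" if kept else "unset serviceaccess"
    return ["config system interface", f"edit {port}", setter, "next", "end"]
```

Feed the script real "get system status" and "show system interface" output to get the list of interfaces that still need the workaround applied before the upgrade window.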

Key facts at a glance

  • CVE: CVE-2025-54820
  • Product: FortiManager
  • Severity: High
  • CVSS v3: 7.0
  • Attack type: Remote, unauthenticated
  • Condition: fgtupdates service must be enabled
  • Impact: Execute unauthorized commands
  • Cloud impact: FortiManager Cloud not affected
  • Advisory ID: FG-IR-26-098

FAQ

Is CVE-2025-54820 a remote unauthenticated vulnerability?

Yes. Fortinet says a remote unauthenticated attacker may execute unauthorized commands through crafted requests, if the vulnerable service is enabled and stack protections do not stop the attack.

Does this affect FortiManager Cloud?

No. Fortinet states that FortiManager Cloud is not affected by this vulnerability.

Which FortiManager versions should admins patch first?

Admins should patch FortiManager 7.4.0 through 7.4.2 to 7.4.3 or later, and 7.2.0 through 7.2.10 to 7.2.11 or later. Environments still on 6.4 need migration to a fixed release.

Can admins reduce risk before patching?

Yes. Fortinet says admins can disable the fgtupdates service as a temporary workaround if immediate patching is not possible.
