Request smuggling attack in FortiOS
Monitor · 5.2 · FG-IR-25-667 · Feb 10, 2026
Fortinet
IT in OT - Fortinet products are commonly deployed at IT/OT network boundaries
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
A request smuggling vulnerability in FortiOS allows an unauthenticated attacker to craft an HTTP request with a specially malformed header that bypasses firewall inspection and is not logged. This permits undetected traffic to reach protected internal systems. The vulnerability affects FortiOS 6.4.3 through 6.4.16, all versions of 7.0 and 7.2, versions 7.4.0 through 7.4.9, and 7.6.0. Versions 7.4.10, 7.6.1 and later contain the fix.
What this means
What could happen
An unauthenticated attacker could craft a malicious HTTP request that bypasses the firewall's inspection and logging, allowing them to reach protected systems without being detected. This could facilitate reconnaissance or exploitation of internal systems that should be blocked.
Who's at risk
Network operators running Fortinet FortiOS firewalls in versions 6.4, 7.0, 7.2, 7.4, and 7.6 should be concerned. These firewalls protect critical infrastructure in utilities, water systems, and manufacturing facilities. The vulnerability allows unlogged traffic to bypass inspection, putting any system behind the firewall at risk of undetected attacks.
How it could be exploited
An attacker sends a specially crafted HTTP request with a malicious header through the FortiOS firewall. The firewall fails to properly parse the header, allowing the request to pass through to the internal network without being logged or blocked, even though it violates the firewall's security policies.
Prerequisites
- Network access to the FortiOS firewall's external interface on HTTP/HTTPS ports
- No credentials required
Tags: remotely exploitable, no authentication required, low complexity, bypass of security controls, unlogged traffic
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (5), 5 with fix
Product    Affected Versions    Fix Status
FortiOS    7.6.0                7.6.1+
FortiOS    7.4.0 - 7.4.9        7.4.10+
FortiOS    7.2 all versions     Migrate to fixed release
FortiOS    7.0 all versions     Migrate to fixed release
FortiOS    6.4.3 - 6.4.16       Migrate to fixed release
Remediation & Mitigation
Do now
HARDENING: Monitor firewall logs for suspicious HTTP requests with malformed headers reaching internal systems
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
FortiOS
HOTFIX: Update FortiOS 7.6.0 to version 7.6.1 or later
HOTFIX: Update FortiOS 7.4.x to version 7.4.10 or later
HOTFIX: Migrate FortiOS 7.2.x systems to a fixed release (7.4.10 or 7.6.1+)
HOTFIX: Migrate FortiOS 7.0.x systems to a fixed release (7.4.10 or 7.6.1+)
HOTFIX: Migrate FortiOS 6.4.x systems to a fixed release (7.4.10 or 7.6.1+)
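Added example for the monitoring step above (not part of the advisory and not Fortinet code): the advisory does not disclose which header malformation is involved, so this Python check flags the classic ambiguous-framing conditions behind HTTP request smuggling (Content-Length together with Transfer-Encoding, conflicting Content-Length values, obs-fold continuation lines, non-token header names) on constructed sample request heads; that these conditions cover the FG-IR-25-667 trigger is an assumption.

```python
import re
from typing import Dict, List

# Constructed sample request heads (not taken from the advisory).
SAMPLES: Dict[str, bytes] = {
    "clean": b"POST /api HTTP/1.1\r\nHost: app.internal\r\nContent-Length: 5\r\n\r\nhello",
    "cl_and_te": b"POST /api HTTP/1.1\r\nHost: app.internal\r\nContent-Length: 4\r\n"
                 b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
    "dup_cl": b"POST /api HTTP/1.1\r\nHost: app.internal\r\nContent-Length: 4\r\n"
              b"Content-Length: 10\r\n\r\nabcd",
    "obs_fold": b"POST /api HTTP/1.1\r\nHost: app.internal\r\nTransfer-Encoding:\r\n chunked\r\n\r\n0\r\n\r\n",
    "bad_name": b"POST /api HTTP/1.1\r\nHost: app.internal\r\nContent-Length\x00: 4\r\n\r\nabcd",
}

# RFC 9110 field-name token: tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" /
# "." / "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA
TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def framing_anomalies(raw: bytes) -> List[str]:
    """Return the ambiguous-framing indicators found in one HTTP/1.1 request head."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")[1:]  # drop the request line, keep header lines
    findings: List[str] = []
    names: List[bytes] = []
    cl_values = set()
    for line in lines:
        if line[:1] in (b" ", b"\t"):  # obs-fold: continuation of the previous field
            findings.append("obs-fold header continuation")
            continue
        name, sep, value = line.partition(b":")
        if not sep or not TOKEN.match(name):  # no colon, or illegal bytes in the name
            findings.append("malformed header name: %r" % name)
            continue
        lname = name.lower()
        names.append(lname)
        if lname == b"content-length":
            cl_values.add(value.strip())
    if b"content-length" in names and b"transfer-encoding" in names:
        findings.append("Content-Length and Transfer-Encoding both present")
    if len(cl_values) > 1:
        findings.append("conflicting Content-Length values")
    return findings


def scan(samples: Dict[str, bytes] = SAMPLES) -> Dict[str, List[str]]:
    """Run the check over a batch of captured request heads, keyed by capture name."""
    return {name: framing_anomalies(raw) for name, raw in samples.items()}
```

Any non-empty result is worth a log entry correlating source address, destination and the flagged condition, since the advisory's concern is that such traffic reaches internal systems without being logged by the firewall itself.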
CVEs (1)