Authenticated Heap Overflow in SSL-VPN bookmarks
Monitor · 6.7 · FG-IR-25-756 · Oct 14, 2025
Fortinet
IT in OT - Fortinet products are commonly deployed at IT/OT network boundaries
Attack path
Attack Vector: Network
Auth Required: Low
Complexity: High
User Interaction: None needed
Summary
Heap buffer overflow vulnerability in the SSL-VPN RDP bookmark feature of FortiOS, FortiProxy, and FortiPAM. An authenticated attacker can trigger the overflow by crafting a malicious bookmark entry, potentially leading to remote code execution with the privileges of the affected appliance. The vulnerability affects multiple version branches: FortiOS 6.4 through 7.6.2, FortiProxy 7.0 through 7.6.2, and FortiPAM 1.3 through 1.5.0.
What this means
What could happen
An authenticated attacker could overflow memory in the SSL-VPN bookmark handler, potentially executing arbitrary code on your Fortinet firewall or PAM appliance with full privileges. This could allow an attacker to intercept traffic, modify configurations, or disable security controls.
Who's at risk
This affects organizations using Fortinet firewalls (FortiOS), proxy appliances (FortiProxy), or privileged access management tools (FortiPAM) for remote access. Any IT team providing VPN access to field technicians, remote offices, or third-party vendors should prioritize this. If your SSL-VPN portal is internet-facing, the risk is higher.
How it could be exploited
An attacker with valid SSL-VPN credentials logs in to the web portal and creates a malicious RDP bookmark entry. The heap overflow in bookmark processing can then lead to arbitrary code execution with the firewall's privileges. If your VPN portal is internet-facing, this creates a direct attack path from any remote user who holds, or has stolen, a VPN account.
Prerequisites
- Valid SSL-VPN user credentials
- Access to the FortiOS/FortiProxy web management portal or SSL-VPN interface
- Ability to create or modify bookmarks in the SSL-VPN session
Tags: remotely exploitable · authenticated access required · actively used in real-world attacks (exploited in the wild) · affects firewall/VPN security controls · medium CVSS score
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (12)
12 with fix
Product      Affected Versions                  Fix Status
FortiOS      7.6.0 - 7.6.2                      7.6.3+
FortiOS      7.4.0 - 7.4.7                      7.4.8+
FortiOS      7.2.0 - 7.2.10                     7.2.11+
FortiOS      7.0 all versions                   Migrate to fixed release
FortiOS      6.4 all versions                   Migrate to fixed release
FortiPAM     1.5.0                              1.5.1+
FortiPAM     1.4.0 - 1.4.2                      1.4.3+
FortiPAM     1.3 all versions (and 3 more)      Migrate to fixed release
Remediation & Mitigation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
FortiOS
HOTFIX: Update FortiOS to version 7.6.3 or later, 7.4.8 or later, or 7.2.11 or later, depending on your current branch
HOTFIX: If running FortiOS 7.0, 6.4 or earlier, FortiProxy 7.2, 7.0 or earlier, or FortiPAM 1.3 or earlier: migrate to a supported version with the patch applied
FortiPAM
HOTFIX: Update FortiPAM to version 1.5.1 or later, or 1.4.3 or later, depending on your current version
FortiProxy
HOTFIX: Update FortiProxy to version 7.6.3 or later, or 7.4.4 or later, depending on your current version
Long-term hardening
HARDENING: Restrict SSL-VPN portal access to known IP ranges or require multi-factor authentication to reduce the number of accounts that can reach the bookmark functionality
HARDENING: Review VPN user accounts and disable any that are no longer in use to reduce the attack surface
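A fleet triage helper for this advisory, added here as an example (constructed; it is not Fortinet tooling and not part of the original page). It encodes the affected ranges from the table above and the remediation text (the FortiProxy 7.4.0 - 7.4.3 bound is inferred from the stated 7.4.4+ fix) and reports whether a given build is affected, fixed, or in a branch the page does not list, which it deliberately reports as unknown rather than safe, since the table elides some rows.

```python
# Constructed triage helper for FG-IR-25-756; not Fortinet tooling.
# Rows come from the advisory's affected-products table and remediation text.
# A last-affected value of None means every release in that branch is affected.
AFFECTED = [
    # product, first affected, last affected (None = whole branch), action
    ("FortiOS",    "7.6.0", "7.6.2",  "upgrade to 7.6.3 or later"),
    ("FortiOS",    "7.4.0", "7.4.7",  "upgrade to 7.4.8 or later"),
    ("FortiOS",    "7.2.0", "7.2.10", "upgrade to 7.2.11 or later"),
    ("FortiOS",    "7.0",   None,     "migrate to a fixed release"),
    ("FortiOS",    "6.4",   None,     "migrate to a fixed release"),
    ("FortiProxy", "7.6.0", "7.6.2",  "upgrade to 7.6.3 or later"),
    # upper bound inferred from the 7.4.4+ fix stated in the remediation text
    ("FortiProxy", "7.4.0", "7.4.3",  "upgrade to 7.4.4 or later"),
    ("FortiProxy", "7.2",   None,     "migrate to a fixed release"),
    ("FortiProxy", "7.0",   None,     "migrate to a fixed release"),
    ("FortiPAM",   "1.5.0", "1.5.0",  "upgrade to 1.5.1 or later"),
    ("FortiPAM",   "1.4.0", "1.4.2",  "upgrade to 1.4.3 or later"),
    ("FortiPAM",   "1.3",   None,     "migrate to a fixed release"),
]

def parse(version: str) -> tuple:
    """'7.4.10' -> (7, 4, 10); tuples compare numerically, unlike strings."""
    return tuple(int(part) for part in version.split("."))

def triage(product: str, version: str) -> tuple:
    """Return (status, action) for a full build string such as '7.4.5'.

    status is 'affected', 'fixed' (a listed branch, above its last affected
    build) or 'unknown' (branch not listed; the page elides some rows, so
    unknown must not be read as safe).
    """
    v = parse(version)
    rows = [r for r in AFFECTED if r[0] == product]
    for _, low, high, action in rows:
        lo = parse(low)
        if high is None:
            if v[:len(lo)] == lo:            # whole-branch row, e.g. 7.0.x
                return "affected", action
        elif lo <= v <= parse(high):
            return "affected", action
    for _, low, high, action in rows:
        if high is not None and v[:2] == parse(low)[:2] and v > parse(high):
            return "fixed", action
    return "unknown", "branch not listed in this advisory; check the vendor PSIRT entry"

if __name__ == "__main__":
    # constructed sample inventory, not real devices
    for prod, ver in [("FortiOS", "7.4.5"), ("FortiOS", "7.2.11"),
                      ("FortiPAM", "1.5.0"), ("FortiProxy", "7.0.20")]:
        print(prod, ver, *triage(prod, ver))
```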
CVEs (1)