Format string vulnerability in fazsvcd
Monitor | 6.5 | FG-IR-26-092 | Mar 10, 2026
Fortinet
IT in OT - Fortinet products are commonly deployed at IT/OT network boundaries
Attack path
Attack Vector: Network
Auth Required: High
Complexity: Low
User Interaction: None needed
Summary
A format string vulnerability exists in the fazsvcd daemon of FortiAnalyzer and FortiManager. An authenticated attacker can exploit this vulnerability to read sensitive information from memory or potentially execute arbitrary code on the affected device.
What this means
What could happen
An authenticated admin or engineer could crash the FortiAnalyzer/FortiManager device or leak sensitive configuration and credential data stored in memory. This could disrupt log collection and network monitoring across your infrastructure, or expose credentials used by the management system.
Who's at risk
Water utilities and municipal electric systems using FortiAnalyzer or FortiManager for centralized security log management and network policy administration. This impacts administrators and engineering workstations that manage these devices, as the vulnerability requires authenticated access.
How it could be exploited
An attacker with valid administrative credentials can send a specially crafted request to the fazsvcd service. The format string flaw allows the attacker to read arbitrary memory contents or potentially write to memory, depending on how the vulnerability is triggered.
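The bug class named above, as an added C example that is not Fortinet's code and not part of the original advisory: a log helper that uses an untrusted field as the format string (compiled only with -DSHOW_VULNERABLE) beside its hardened form, plus an audit helper that flags conversion directives in input. All function names and the sample field are hypothetical; the advisory does not describe how fazsvcd handles requests.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical names throughout; this is not fazsvcd source code. */
#ifdef SHOW_VULNERABLE
/* Bug class: the untrusted field IS the format string, so snprintf interprets it. */
int log_field_vulnerable(char *out, size_t n, const char *field)
{ return snprintf(out, n, field); }
#endif

/* Hardened form: constant format string, untrusted data passed only as an argument. */
int log_field_safe(char *out, size_t n, const char *field)
{
    return snprintf(out, n, "%s", field);
}

/* Audit helper: returns 1 if s contains a printf conversion directive.
 * "%%" is a literal percent sign and a trailing lone '%' is not counted. */
int has_format_directive(const char *s)
{
    static const char conv[] = "diouxXeEfFgGaAcspn";
    for (; *s; s++) {
        if (*s != '%')
            continue;
        s++;
        if (*s == '%')
            continue;                                /* escaped percent */
        s += strspn(s, "-+ #0'");                    /* flags */
        s += strspn(s, "0123456789*$");              /* width / positional index */
        if (*s == '.')
            s += 1 + strspn(s + 1, "0123456789*");   /* precision */
        s += strspn(s, "hlqjzLt");                   /* length modifiers */
        if (*s && strchr(conv, *s))
            return 1;
        if (!*s)
            break;
    }
    return 0;
}

int main(void)
{
    char buf[64];
    const char *field = "user=%08x.%08x";            /* constructed sample input */
    log_field_safe(buf, sizeof buf, field);
    printf("directive=%d logged=%s\n", has_format_directive(field), buf);
    return 0;
}
```

With the hardened form the directives are logged as literal text, and the audit helper can be used to flag such input for review.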
Prerequisites
- Valid FortiAnalyzer or FortiManager administrative account credentials
- Network access to the fazsvcd service (typically restricted to administrative networks)
Authentication required (reduces risk but insiders or compromised admin accounts are a concern)
Medium CVSS score indicates potential for data leakage
Affects management/visibility tier rather than direct OT controls
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (16)
16 with fix
Product | Affected Versions | Fix Status
FortiAnalyzer | 7.6.0 - 7.6.4 | 7.6.5+
FortiAnalyzer | 7.4.0 - 7.4.7 | 7.4.8+
FortiAnalyzer | 7.2 all versions | Migrate to fixed release
FortiAnalyzer | 7.0 all versions | Migrate to fixed release
FortiAnalyzer Cloud | 7.6.0 - 7.6.4 | 7.6.5+
Remediation & Mitigation
Do now
FortiAnalyzer
WORKAROUND: Restrict network access to FortiAnalyzer and FortiManager administrative interfaces to trusted engineering and administration networks only
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
FortiAnalyzer
HOTFIX: Update FortiAnalyzer 7.6.x to version 7.6.5 or later
HOTFIX: Update FortiAnalyzer 7.4.x to version 7.4.8 or later
HOTFIX: Migrate FortiAnalyzer 7.2 or 7.0 to a fixed release (7.4.8, 7.6.5 or later)
FortiManager
HOTFIX: Update FortiManager 7.6.x to version 7.6.5 or later
HOTFIX: Update FortiManager 7.4.x to version 7.4.8 or later
HOTFIX: Migrate FortiManager 7.2 or 7.0 to a fixed release (7.4.8, 7.6.5 or later)
Long-term hardening
FortiAnalyzer
HARDENING: Audit and rotate administrative credentials for FortiAnalyzer and FortiManager to limit exposure if accounts have been compromised
CVEs (1)