CVE-2025-25248
📋 TL;DR
An integer overflow vulnerability in Fortinet SSL-VPN RDP/VNC bookmarks allows authenticated users to craft requests that may crash the SSL-VPN service, causing denial of service. This affects FortiOS, FortiProxy, and FortiPAM across multiple versions. Only authenticated SSL-VPN users can exploit this vulnerability.
💻 Affected Systems
- FortiOS
- FortiProxy
- FortiPAM
📦 What is this software?
FortiOS by Fortinet
FortiPAM by Fortinet
FortiProxy by Fortinet
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker could repeatedly crash the SSL-VPN service, causing extended service disruption and preventing legitimate users from accessing VPN resources.
Likely Case
An authenticated user could temporarily disrupt SSL-VPN availability for themselves or other users, requiring service restart to restore functionality.
If Mitigated
With proper authentication controls and monitoring, impact is limited to temporary service disruption that can be quickly detected and restored.
🎯 Exploit Status
Exploitation requires authenticated SSL-VPN access and knowledge of how to craft specific requests to trigger the integer overflow.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Fortinet advisory for specific fixed versions per product line
Vendor Advisory: https://fortiguard.fortinet.com/psirt/FG-IR-24-364
Restart Required: No
Instructions:
1. Review Fortinet advisory FG-IR-24-364.
2. Identify the affected products and versions in your environment.
3. Upgrade to the fixed versions specified in the advisory.
4. Apply the upgrade; per the advisory, no service restart is required.
🔧 Temporary Workarounds
Disable RDP/VNC bookmarks
Temporarily disable RDP and VNC bookmark functionality in the SSL-VPN portal configuration:
config vpn ssl web portal
edit <portal-name>
unset rdp
unset vnc
end
Restrict SSL-VPN user access
Limit SSL-VPN access to trusted users only and enforce strong authentication (e.g. multi-factor) for those accounts.
🧯 If You Can't Patch
- Implement network segmentation to isolate SSL-VPN services from critical infrastructure
- Enable detailed logging and monitoring for SSL-VPN service restarts and abnormal user activity
🔍 How to Verify
Check if Vulnerable:
Compare the running FortiOS/FortiProxy/FortiPAM version against the affected-versions list in the advisory.
Check Version:
get system status | grep Version
Verify Fix Applied:
Confirm the running version is at or beyond the fixed version for your product line as listed in the Fortinet advisory.
📡 Detection & Monitoring
Log Indicators:
- SSL-VPN service crashes/restarts
- Multiple failed RDP/VNC bookmark requests from single user
- Abnormal SSL-VPN session termination
Network Indicators:
- Unusual patterns of SSL-VPN traffic to RDP/VNC bookmark endpoints
- Increased SSL-VPN connection failures
SIEM Query:
source="fortigate" AND ("SSL VPN" OR "sslvpnd") AND ("crash" OR "restart" OR "abnormal termination")
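The SIEM query above matches on message text; the following Python script is an added example (not part of this advisory or Fortinet's tooling) that applies the same logic to raw FortiGate key=value syslog lines and also implements the "multiple RDP/VNC bookmark requests from a single user" indicator. The log lines are constructed for illustration; the key=value layout mirrors FortiGate syslog, but the `action`, `apptype` and `msg` values are assumptions and should be checked against the FortiOS log reference for your firmware before use.

```python
import re
from collections import Counter

# Constructed sample lines in FortiGate key=value syslog style.
# Field names other than date/time/devname/type/subtype/level/user/msg
# are assumptions for this example, not verified FortiOS log fields.
SAMPLE_LOGS = [
    'date=2025-02-11 time=09:10:01 devname="FGT-EDGE" type="event" subtype="system" level="critical" msg="sslvpnd crashed, restarting daemon"',
    'date=2025-02-11 time=09:10:02 devname="FGT-EDGE" type="event" subtype="system" level="notice" msg="SSL VPN service restart completed"',
    'date=2025-02-11 time=09:11:00 devname="FGT-EDGE" type="event" subtype="system" level="notice" msg="ipsengine process restarted"',
    'date=2025-02-11 time=09:12:00 devname="FGT-EDGE" type="event" subtype="vpn" user="alice" action="bookmark" apptype="rdp" msg="SSL VPN web bookmark launched"',
    'date=2025-02-11 time=09:12:05 devname="FGT-EDGE" type="event" subtype="vpn" user="alice" action="bookmark" apptype="vnc" msg="SSL VPN web bookmark launched"',
    'date=2025-02-11 time=09:12:09 devname="FGT-EDGE" type="event" subtype="vpn" user="alice" action="bookmark" apptype="rdp" msg="SSL VPN web bookmark launched"',
    'date=2025-02-11 time=09:12:14 devname="FGT-EDGE" type="event" subtype="vpn" user="alice" action="bookmark" apptype="rdp" msg="SSL VPN web bookmark launched"',
    'date=2025-02-11 time=09:12:20 devname="FGT-EDGE" type="event" subtype="vpn" user="alice" action="bookmark" apptype="vnc" msg="SSL VPN web bookmark launched"',
    'date=2025-02-11 time=09:12:25 devname="FGT-EDGE" type="event" subtype="vpn" user="alice" action="bookmark" apptype="rdp" msg="SSL VPN web bookmark launched"',
    'date=2025-02-11 time=09:30:00 devname="FGT-EDGE" type="event" subtype="vpn" user="bob" action="bookmark" apptype="rdp" msg="SSL VPN web bookmark launched"',
    'date=2025-02-11 time=10:15:00 devname="FGT-EDGE" type="event" subtype="vpn" user="bob" action="bookmark" apptype="vnc" msg="SSL VPN web bookmark launched"',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Same terms as the SIEM query: an SSL-VPN reference AND a crash/restart reference.
SSLVPN_TERMS = ("ssl vpn", "sslvpnd")
CRASH_TERMS = ("crash", "restart", "abnormal termination")


def parse_fortigate_line(line: str) -> dict:
    """Split a FortiGate key=value log line into a dict, stripping quotes."""
    fields = {}
    for match in KV_RE.finditer(line):
        key, value = match.group(1), match.group(2)
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def is_sslvpn_crash_event(fields: dict) -> bool:
    """Mirror of the SIEM query: any field mentions SSL VPN/sslvpnd and a crash/restart term."""
    text = " ".join(v.lower() for v in fields.values())
    return any(t in text for t in SSLVPN_TERMS) and any(t in text for t in CRASH_TERMS)


def bookmark_burst_users(events: list, threshold: int) -> dict:
    """Users with at least `threshold` RDP/VNC bookmark events in the analysed window."""
    counts = Counter()
    for fields in events:
        if fields.get("apptype", "").lower() in ("rdp", "vnc"):
            counts[fields.get("user", "unknown")] += 1
    return {user: n for user, n in counts.items() if n >= threshold}


def analyze(lines: list, threshold: int = 5) -> dict:
    """Return SSL-VPN crash/restart events and users exceeding the bookmark threshold."""
    events = [parse_fortigate_line(line) for line in lines]
    return {
        "crash_events": [f for f in events if is_sslvpn_crash_event(f)],
        "burst_users": bookmark_burst_users(events, threshold),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOGS)
    for event in result["crash_events"]:
        print("SSL-VPN crash/restart:", event.get("time"), event.get("msg"))
    for user, count in result["burst_users"].items():
        print(f"bookmark burst: user={user} rdp/vnc_requests={count}")
```

On the constructed data the script reports the two sslvpnd crash/restart lines (the unrelated ipsengine restart is ignored) and flags `alice` with six RDP/VNC bookmark events. Tune the threshold and the time window to your own baseline of bookmark usage; a crash event that coincides with a burst from one account is the pairing worth escalating.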