CVE-2025-46373 – A heap-based buffer overflow vulnerability in F... (How to Fix)

Q: What is the severity of CVE-2025-46373?

CVE-2025-46373 has a CVSS score of 7.8 (HIGH). A heap-based buffer overflow vulnerability in Fortinet FortiClient for Windows allows authenticated local IPSec users to execute arbitrary code or commands via the fortips_74.sys driver. This affects FortiClientWindows versions 7.4.0-7.4.3 and 7.2.0-7.2.8. Attackers must bypass Windows heap integrity protections to exploit this vulnerability.

📋 TL;DR

A heap-based buffer overflow vulnerability in Fortinet FortiClient for Windows allows authenticated local IPSec users to execute arbitrary code or commands via the fortips_74.sys driver. This affects FortiClientWindows versions 7.4.0-7.4.3 and 7.2.0-7.2.8. Attackers must bypass Windows heap integrity protections to exploit this vulnerability.

💻 Affected Systems

Products:

Fortinet FortiClientWindows

Versions: 7.4.0 through 7.4.3, 7.2.0 through 7.2.8

Operating Systems: Windows

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects systems with FortiClient installed and using IPSec functionality. Requires authenticated local IPSec user access.

📦 What is this software?

Forticlient by Fortinet

View all CVEs affecting Forticlient →

Forticlient by Fortinet

View all CVEs affecting Forticlient →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with attacker gaining SYSTEM privileges, installing persistent malware, and accessing sensitive data.

🟠

Likely Case

Local privilege escalation allowing authenticated IPSec users to execute arbitrary code with elevated privileges.

🟢

If Mitigated

Limited impact due to Windows heap protections and requirement for authenticated IPSec access.

🌐 Internet-Facing: LOW - Requires local authenticated access, not directly exploitable over internet.

🏢 Internal Only: MEDIUM - Exploitable by authenticated internal users with IPSec access, but requires bypassing Windows heap protections.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: HIGH

Exploitation requires bypassing Windows heap integrity protections and authenticated IPSec user access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 7.4.3 and 7.2.8 (check vendor advisory for specific fixed versions)

Vendor Advisory: https://fortiguard.fortinet.com/psirt/FG-IR-25-125

Restart Required: Yes

Instructions:

1. Download latest FortiClient version from Fortinet support portal. 2. Uninstall current vulnerable version. 3. Install updated version. 4. Restart system.

🔧 Temporary Workarounds

Disable IPSec functionality

windows

Temporarily disable IPSec VPN functionality in FortiClient to prevent exploitation

Open FortiClient > VPN > Disable IPSec VPN

Restrict IPSec user access

windows

Limit which users have IPSec VPN access permissions

Configure FortiClient VPN access controls to restrict user permissions

🧯 If You Can't Patch

Implement strict access controls to limit which users can use IPSec VPN functionality
Monitor for suspicious activity from authenticated IPSec users and implement enhanced logging

🔍 How to Verify

Check if Vulnerable:

Check FortiClient version in About section or via Control Panel > Programs and Features

Check Version:

wmic product where name="FortiClient" get version

Verify Fix Applied:

Verify installed FortiClient version is above 7.4.3 or 7.2.8 as appropriate

📡 Detection & Monitoring

Log Indicators:

Unusual IPSec connection attempts
Suspicious driver (fortips_74.sys) activity
Privilege escalation attempts from IPSec users

Network Indicators:

Abnormal IPSec traffic patterns
Unexpected outbound connections from FortiClient systems

SIEM Query:

source="forticlient" AND (event_type="privilege_escalation" OR process_name="fortips_74.sys")

📊 Metadata

CVE ID: CVE-2025-46373

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE: CWE-122

EPSS Score: 0.02% exploit probability (5.2th percentile)

Published: November 18, 2025

Last Updated: December 16, 2025

🔗 References

https://fortiguard.fortinet.com/psirt/FG-IR-25-125 Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-46373, you might also want to check these: