CVE-2025-49201

8.1 HIGH

📋 TL;DR

A weak authentication vulnerability in Fortinet FortiPAM and FortiSwitchManager allows attackers to execute unauthorized code or commands via specially crafted HTTP requests. This affects multiple versions of FortiPAM (1.0 through 1.5.0) and FortiSwitchManager (7.2.0 through 7.2.4). Attackers can potentially gain control of affected systems without proper authentication.

💻 Affected Systems

Products:
  • Fortinet FortiPAM
  • Fortinet FortiSwitchManager
Versions: FortiPAM 1.0 all versions, 1.1 all versions, 1.2 all versions, 1.3 all versions, 1.4.0 through 1.4.2, 1.5.0; FortiSwitchManager 7.2.0 through 7.2.4
Operating Systems: FortiOS-based appliances
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations of affected versions are vulnerable. No special configuration required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise, with the attacker gaining administrative privileges, executing arbitrary commands, accessing sensitive credentials stored in the PAM system, and pivoting to other network resources.

🟠 Likely Case: Unauthorized command execution leading to credential theft, data exfiltration, and installation of backdoors or malware on affected systems.

🟢 If Mitigated: Limited impact due to network segmentation, strong authentication controls, and monitoring that detects anomalous HTTP requests.

🌐 Internet-Facing: HIGH - If vulnerable systems are exposed to the internet, attackers can exploit this remotely without authentication.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this, but this requires network access to the vulnerable systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability requires specially crafted HTTP requests but does not require authentication, making exploitation relatively straightforward for attackers with network access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: FortiPAM 1.5.1 or later, FortiSwitchManager 7.2.5 or later; earlier FortiPAM versions require upgrading to supported versions

Vendor Advisory: https://fortiguard.fortinet.com/psirt/FG-IR-25-010

Restart Required: Yes

Instructions:

1. Download the latest firmware from the Fortinet support portal.
2. Back up the current configuration.
3. Apply the firmware update via the web interface or CLI.
4. Reboot the appliance.
5. Verify that the update was successful.

🔧 Temporary Workarounds

Network Segmentation

all

Restrict network access to FortiPAM and FortiSwitchManager management interfaces to trusted IP addresses only.

config firewall address
    edit trusted_ips
        set subnet 192.168.1.0 255.255.255.0
    next
end
config firewall policy
    edit 1
        set srcintf internal
        set dstintf mgmt
        set srcaddr trusted_ips
        set dstaddr all
        set action accept
        set schedule always
        set service HTTP HTTPS
    next
    edit 2
        set srcintf any
        set dstintf mgmt
        set srcaddr all
        set dstaddr all
        set schedule always
        set service HTTP HTTPS
        set action deny
    next
end

Disable HTTP Management

all

Disable the HTTP management interface and allow HTTPS only, with strong authentication. The protocols an interface accepts for administrative access are controlled by its allowaccess list, so leave http out of it on the management interface (the interface name mgmt matches the policy example above; adjust it to your deployment):

config system global
    set admin-https-redirect enable
end
config system interface
    edit mgmt
        set allowaccess https ssh
    next
end

🧯 If You Can't Patch

  • Implement strict network access controls to limit which systems can communicate with vulnerable appliances.
  • Deploy web application firewall (WAF) rules to block suspicious HTTP requests targeting FortiPAM/FortiSwitchManager endpoints.

🔍 How to Verify

Check if Vulnerable:

Check current firmware version via web interface (System > Dashboard) or CLI command: get system status

Check Version:

get system status | grep Version

Verify Fix Applied:

Verify firmware version is FortiPAM 1.5.1+ or FortiSwitchManager 7.2.5+ and check that no unauthorized HTTP requests are reaching management interfaces.
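As an added example (not from this page or from Fortinet), the following Python check parses the `Version:` line of `get system status` output and compares it against the affected ranges listed above. The exact layout of that line (product string such as `FortiPAM-VM`, then `v<major>.<minor>.<patch>`) and the sample output are assumptions.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges as listed on this page, as inclusive (major, minor, patch) bounds.
# "1.0 through 1.3, all versions" is modelled as any patch level of those minors.
AFFECTED = {
    "FortiPAM": [
        ((1, 0, 0), (1, 3, 9999)),  # 1.0, 1.1, 1.2, 1.3: all versions
        ((1, 4, 0), (1, 4, 2)),     # 1.4.0 through 1.4.2
        ((1, 5, 0), (1, 5, 0)),     # 1.5.0
    ],
    "FortiSwitchManager": [
        ((7, 2, 0), (7, 2, 4)),     # 7.2.0 through 7.2.4
    ],
}

# Matches the "Version:" line of `get system status`. The layout assumed here
# ("FortiPAM-VM v1.4.2,build0123,240101 (GA)") is an assumption, not from the page.
VERSION_RE = re.compile(
    r"^Version:\s*(FortiPAM|FortiSwitchManager)\S*\s+v(\d+)\.(\d+)\.(\d+)", re.M
)


def parse_status(text: str) -> Optional[Tuple[str, Version]]:
    """Return (product, version) from CLI output, or None if not recognised."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return m.group(1), (int(m.group(2)), int(m.group(3)), int(m.group(4)))


def is_affected(product: str, version: Version) -> bool:
    """True if the version falls inside one of the page's affected ranges."""
    return any(lo <= version <= hi for lo, hi in AFFECTED.get(product, []))


def check(text: str) -> Optional[bool]:
    """None if the output cannot be parsed, otherwise whether it is affected."""
    parsed = parse_status(text)
    return None if parsed is None else is_affected(*parsed)


# Constructed sample output, not captured from a real appliance.
SAMPLE_VULNERABLE = "Version: FortiPAM-VM v1.4.2,build0123,240101 (GA)\n"
SAMPLE_FIXED = "Version: FortiSwitchManager-VM v7.2.5,build0045,240315 (GA)\n"

if __name__ == "__main__":
    for sample in (SAMPLE_VULNERABLE, SAMPLE_FIXED):
        print(sample.strip(), "->", "AFFECTED" if check(sample) else "not affected")
```

Paste the real `get system status` output into `check()`; a `None` result means the version line did not match the assumed layout and should be read by hand.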

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP requests to FortiPAM/FortiSwitchManager management interfaces
  • Multiple failed authentication attempts followed by successful command execution
  • Log entries showing command execution from unexpected sources

Network Indicators:

  • HTTP traffic to FortiPAM/FortiSwitchManager ports (80, 443) from unauthorized sources
  • Unusual outbound connections from Forti appliances

SIEM Query:

source="fortigate" AND (url="*FortiPAM*" OR url="*FortiSwitchManager*") AND (status=200 OR status=302) AND user="-"
