Severity
High
Analysis Summary
Fortinet has disclosed a stack-based buffer overflow vulnerability in its FortiManager platform, tracked as CVE-2025-54820 and rated High under CVSSv3. The flaw affects multiple on-premises FortiManager versions and could allow a remote, unauthenticated attacker to execute unauthorized commands. It resides in the fgtupdates service, so an appliance is only reachable through this bug while fgtupdates is enabled on one of its interfaces. Successful exploitation also requires bypassing existing stack protection mechanisms, which raises attack complexity and explains why the flaw is rated High rather than Critical.
Affected versions are FortiManager 7.4.0 through 7.4.2, 7.2.0 through 7.2.10, and every release of 6.4. FortiManager Cloud deployments are not affected, so exposure is limited to on-premises installations. Fortinet recommends upgrading to 7.4.3 or above on the 7.4 branch and to 7.2.11 or above on the 7.2 branch, and migrating 6.4 deployments, all of which are affected, to a fixed release.
For organizations unable to patch immediately, Fortinet advises temporarily disabling the fgtupdates service. Administrators can do this from the CLI by removing fgtupdates from the allowed-services list of each interface and then confirming that it no longer appears among the enabled services on any exposed interface. Before disabling it, check which managed devices rely on the service (its name refers to FortiGate updates) so the workaround does not silently interrupt their update path. The workaround reduces immediate risk only while it stays in place; upgrading to a patched version remains the only complete remediation.
FortiManager is widely used in enterprise and government environments to centrally manage Fortinet security devices. Because network management platforms are attractive targets for threat actors seeking lateral movement and persistent access, this vulnerability represents a significant risk. Security teams should audit which services are enabled on each FortiManager interface, apply patches promptly, and monitor for anomalous connections to the fgtupdates service.
Impact
- Buffer Overflow
- Gain Access
Indicators of Compromise
CVE
CVE-2025-54820
Remediation
- Upgrade FortiManager to 7.4.3 or above, or to 7.2.11 or above; migrate 6.4 deployments to a fixed release.
- Temporarily disable the fgtupdates service (if patching is not immediately possible).
- Remove fgtupdates from the allowed-services list of each exposed interface via the CLI.
- Audit FortiManager services to ensure fgtupdates is not enabled unnecessarily.
- Monitor network activity for anomalous access attempts to the fgtupdates endpoint.
- Limit exposure by ensuring FortiManager interfaces running fgtupdates are not publicly accessible.
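The following Python script is an added example, not Fortinet's tooling and not part of the advisory. It checks an exported FortiManager configuration dump against the two conditions the summary describes: whether the running build falls in an affected range as listed above, and whether fgtupdates is enabled on any interface, which is what makes the bug reachable. It also emits, per affected interface, the allowed-services line with fgtupdates removed, i.e. the workaround expressed as CLI. It assumes the FortiOS-style `config system interface` / `set allowaccess` syntax and the service keyword `fgtupdates`; the sample dump it embeds is constructed. Verify the CLI syntax against Fortinet's advisory and your own appliance before applying the generated lines.

```python
"""Offline check of a FortiManager configuration dump against CVE-2025-54820.

Added example, not Fortinet's tooling. Assumptions: the dump uses the
FortiOS-style "config system interface" block with enabled services on a
"set allowaccess ..." line, and the vulnerable service is listed there as
"fgtupdates". Confirm both against Fortinet's advisory before acting.
"""
import re

# Affected and fixed builds as the advisory lists them:
# branch -> ((lowest affected patch, highest affected patch), first fixed build).
# A None range means every release on that branch is affected; migrate off it.
ADVISORY = {
    (7, 4): ((0, 2), (7, 4, 3)),
    (7, 2): ((0, 10), (7, 2, 11)),
    (6, 4): (None, None),
}

SERVICE = "fgtupdates"


def parse_version(text):
    """'v7.4.2-build2397' -> (7, 4, 2)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True when the build falls inside a range the advisory lists as vulnerable."""
    major, minor, patch = parse_version(version)
    entry = ADVISORY.get((major, minor))
    if entry is None:
        return False            # branch not named in the advisory
    patch_range, _ = entry
    if patch_range is None:
        return True             # whole branch affected (6.4)
    low, high = patch_range
    return low <= patch <= high


def fixed_version(version):
    """First fixed build on the same branch, or None when the branch has none."""
    major, minor, _ = parse_version(version)
    entry = ADVISORY.get((major, minor))
    return entry[1] if entry else None


def parse_interfaces(config_text):
    """Return {name: {"ip": str or None, "allowaccess": set of service names}}."""
    interfaces, current, in_block = {}, None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system interface":
            in_block = True
        elif not in_block:
            continue
        elif line == "end":
            in_block = False
        elif line.startswith("edit "):
            current = line[5:].strip().strip('"')
            interfaces[current] = {"ip": None, "allowaccess": set()}
        elif line == "next":
            current = None
        elif current and line.startswith("set allowaccess"):
            interfaces[current]["allowaccess"] = set(line.split()[2:])
        elif current and line.startswith("set ip "):
            interfaces[current]["ip"] = line.split()[2]
    return interfaces


def service_enabled_on(config_text, service=SERVICE):
    """Interfaces on which the service is enabled, i.e. where the bug is reachable."""
    return sorted(name for name, iface in parse_interfaces(config_text).items()
                  if service in iface["allowaccess"])


def workaround_lines(config_text, service=SERVICE):
    """Per affected interface, the 'set allowaccess' line with the service removed.

    Other services on the interface are kept. "unset allowaccess" is emitted when
    nothing would remain (assumed syntax, see module docstring).
    """
    lines = {}
    for name, iface in parse_interfaces(config_text).items():
        if service in iface["allowaccess"]:
            remaining = sorted(iface["allowaccess"] - {service})
            lines[name] = ("set allowaccess " + " ".join(remaining)) if remaining else "unset allowaccess"
    return lines


def audit(version, config_text):
    """Exploitable only when the build is affected AND the service is enabled somewhere."""
    enabled = service_enabled_on(config_text)
    return {
        "version": version,
        "affected": is_affected(version),
        "fixed_in": fixed_version(version),
        "service_enabled_on": enabled,
        "exploitable": is_affected(version) and bool(enabled),
        "workaround": workaround_lines(config_text),
    }


# Constructed sample dump for the demonstration; not taken from a real appliance.
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh fgfm fgtupdates
    next
    edit "port2"
        set ip 10.10.0.10 255.255.255.0
        set allowaccess ping https fgfm
    next
    edit "port3"
        set ip 10.10.1.10 255.255.255.0
        set allowaccess fgtupdates
    next
end
"""

if __name__ == "__main__":
    for key, value in audit("v7.4.2-build2397", SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Run it against a real dump by replacing SAMPLE_CONFIG with the output of the appliance's configuration export; a build that is affected but has fgtupdates enabled on no interface is reported as not exploitable, which is exactly the state the workaround is meant to produce until the upgrade lands.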

