CVE-2025-46373 is a heap-based buffer overflow vulnerability identified in Fortinet's FortiClientWindows software, specifically versions 7.2.0 through 7.2.8 and 7.4.0 through 7.4.3. The flaw resides in the "fortips_74.sys" kernel-mode driver component, which handles IPSec VPN functionality. An authenticated local user with IPSec privileges can exploit this vulnerability by triggering a heap overflow condition, potentially overwriting critical memory structures. Successful exploitation allows the attacker to execute arbitrary code or commands with elevated privileges, compromising system confidentiality, integrity, and availability. The attack requires local access and the ability to authenticate as an IPSec user, and the attacker must bypass Windows heap integrity protections such as heap cookies or safe unlinking mechanisms. The vulnerability has a CVSS v3.1 base score of 7.1, reflecting high severity due to the potential for full system compromise. No public exploits or active exploitation campaigns have been reported to date. The vulnerability was reserved in April 2025 and published in November 2025. Fortinet has not yet released official patches, but organizations are advised to monitor for updates. This vulnerability is particularly concerning for environments relying on FortiClientWindows for secure VPN access, as it could allow lateral movement or privilege escalation within corporate networks.

For European organizations, the impact of CVE-2025-46373 can be significant. FortiClientWindows is widely used across enterprises and government agencies in Europe for secure VPN connectivity and endpoint protection. Exploitation could lead to unauthorized code execution on endpoints, enabling attackers to gain elevated privileges, move laterally within networks, exfiltrate sensitive data, or disrupt operations. Confidentiality is at risk due to potential data theft, integrity is compromised through unauthorized command execution, and availability may be affected if systems are destabilized or malware is deployed. Organizations with remote or hybrid workforces relying on IPSec VPNs are particularly vulnerable. The requirement for local authentication limits remote exploitation but does not eliminate risk, especially if endpoint security is weak or insider threats exist. The absence of known exploits provides a window for proactive mitigation, but the high severity score underscores the urgency for European entities to address this vulnerability promptly.

1. Apply official patches from Fortinet immediately once they become available to address the vulnerability in the "fortips_74.sys" driver. 2. Until patches are released, restrict local IPSec user privileges to the minimum necessary, preventing unauthorized users from authenticating locally with IPSec credentials. 3. Implement strict endpoint security controls, including application whitelisting and behavior monitoring, to detect anomalous activity related to FortiClient processes or kernel drivers. 4. Employ Windows security features such as Credential Guard and exploit protection mechanisms to strengthen heap integrity protections. 5. Conduct regular audits of local user accounts with IPSec access and remove unnecessary privileges. 6. Monitor system and security logs for signs of heap corruption attempts or unusual command execution patterns. 7. Educate IT staff and users about the risks associated with local authentication and the importance of reporting suspicious behavior. 8. Consider network segmentation to limit the impact of a compromised endpoint. 9. Maintain up-to-date backups to enable recovery in case of compromise. 10. Coordinate with Fortinet support for guidance and early access to patches or mitigations if possible.