CVE-2025-54820 is a stack-based buffer overflow vulnerability identified in Fortinet FortiManager versions 6.4.0, 7.2.0 through 7.2.10, and 7.4.0 through 7.4.2. The flaw arises from improper handling of crafted requests that overflow a stack buffer, allowing an attacker to overwrite control data on the stack. This can lead to arbitrary code execution or command injection remotely without authentication if the FortiManager service is enabled and accessible. The vulnerability is classified under CWE-121, indicating a classic stack buffer overflow issue. Successful exploitation depends on the attacker’s ability to bypass stack protection mechanisms such as stack canaries or DEP (Data Execution Prevention). The CVSS v3.1 base score is 7.0, reflecting high severity with network attack vector, high impact on confidentiality, integrity, and availability, no privileges required, and no user interaction needed. Although no public exploits have been reported yet, the vulnerability poses a significant risk due to FortiManager’s role in managing network security devices, potentially allowing attackers to gain control over network management infrastructure. The vulnerability was reserved in July 2025 and published in March 2026, indicating recent discovery and disclosure. No official patches or mitigation links are provided in the data, suggesting organizations should monitor Fortinet advisories closely and apply updates once available.

The impact of CVE-2025-54820 is substantial for organizations worldwide using FortiManager for centralized management of Fortinet security appliances. Exploitation can lead to remote code execution, allowing attackers to gain full control over the FortiManager system. This compromises the confidentiality, integrity, and availability of network management operations, potentially enabling attackers to manipulate firewall policies, disable security controls, or pivot to other internal systems. The vulnerability could disrupt network security posture, cause data breaches, and lead to significant operational downtime. Given FortiManager’s critical role in managing multiple Fortinet devices, a successful attack could cascade, affecting entire network environments. The lack of authentication requirement and remote attack vector increase the risk of automated exploitation attempts once public exploits emerge. Organizations in sectors with high reliance on Fortinet products, such as telecommunications, finance, government, and critical infrastructure, face elevated risks of targeted attacks and espionage.

Organizations should immediately assess their FortiManager deployments to identify affected versions (6.4.0, 7.2.0 through 7.2.10, and 7.4.0 through 7.4.2). Until official patches are released by Fortinet, implement network-level mitigations such as restricting access to FortiManager management interfaces to trusted IP addresses only, using VPNs or dedicated management networks. Enable strict firewall rules to block unauthorized inbound traffic to FortiManager services. Monitor network traffic and logs for unusual or malformed requests targeting FortiManager. Employ intrusion detection/prevention systems (IDS/IPS) with updated signatures to detect exploitation attempts. Regularly check Fortinet’s security advisories for patches and apply them promptly once available. Consider deploying application-layer firewalls or reverse proxies to filter and sanitize incoming requests. Conduct internal penetration testing and vulnerability scanning to verify mitigation effectiveness. Educate security teams about this vulnerability to ensure rapid incident response capability.