CVE-2024-50571: 
FortiOS vulnerability analysis and mitigation

A heap-based buffer overflow vulnerability (CVE-2024-50571) was discovered in the fgfmd daemon of multiple Fortinet products including FortiOS, FortiManager, FortiAnalyzer, FortiManager Cloud, FortiAnalyzer Cloud, and FortiProxy. The vulnerability was internally discovered and reported by Gwendal Guégniaud of Fortinet Product Security team on October 14, 2025. This vulnerability affects multiple versions of Fortinet products across different release branches (Fortinet Advisory).

The vulnerability is classified as a heap-based buffer overflow (CWE-122) that exists in the fgfmd daemon of affected Fortinet products. It has been assigned a CVSS v3.1 base score of 7.2 (High) with the following vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. The attack vector is network-based (AV:N) with low attack complexity (AC:L), requires high privileges (PR:H), and no user interaction (UI:N) (NVD).

If successfully exploited, this vulnerability allows an authenticated attacker to execute unauthorized code or commands via specifically crafted requests. The impact is rated as high for confidentiality, integrity, and availability (Fortinet Advisory).

Fortinet has released patches for all affected products and versions. Users are advised to upgrade to the fixed versions: FortiOS to versions 7.6.3, 7.4.7, 7.2.11, 7.0.17, or 6.4.16; FortiManager to versions 7.6.2, 7.4.6, 7.2.10, or 7.0.14; FortiAnalyzer to versions 7.6.3, 7.4.6, 7.2.10, or 7.0.14; FortiProxy to versions 7.6.2, 7.4.8, 7.2.13, or 7.0.20. For older versions (6.4 and below), users should migrate to a supported fixed release. Fortinet provides an upgrade path tool at their documentation site (Fortinet Advisory).