CVE-2025-22258: 
FortiOS vulnerability analysis and mitigation

A heap-based buffer overflow vulnerability (CVE-2025-22258) was discovered in the nodejs daemon of multiple Fortinet products, including FortiOS, FortiProxy, FortiPAM, FortiSRA, and FortiSwitchManager. The vulnerability was internally discovered and reported by Gwendal Guégniaud of the Fortinet Product Security team on October 14, 2025. This security flaw affects multiple versions of the affected products, including FortiOS versions 7.0.2 through 7.6.2, FortiProxy versions 7.4.0 through 7.6.1, FortiPAM versions 1.0 through 1.5.0, FortiSRA versions 1.4.0 through 1.5.0, and FortiSwitchManager versions 7.2.1 through 7.2.5 (Fortinet Advisory, NVD).

The vulnerability is classified as a heap-based buffer overflow (CWE-122) that exists in the websocket component of the GUI interface. It received a CVSS v3.1 base score of 7.2 (HIGH) from NVD with a vector string of CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, while Fortinet assigned it a medium severity with a CVSS score of 6.5 (NVD, Fortinet Advisory).

The vulnerability allows an authenticated attacker to execute arbitrary code or commands via specifically crafted requests, potentially leading to escalation of privileges in the affected systems (Fortinet Advisory).

Fortinet has released patches for all affected products and versions. Users are advised to upgrade to the following versions: FortiOS 7.6.3 or above, FortiOS 7.4.7 or above, FortiOS 7.2.11 or above, FortiOS 7.0.17 or above, FortiProxy 7.6.2 or above, FortiProxy 7.4.8 or above, FortiPAM 1.5.1 or above, FortiPAM 1.4.3 or above, FortiSRA 1.5.1 or above, FortiSRA 1.4.3 or above, and FortiSwitchManager 7.2.6 or above. Additionally, a virtual patch named 'FG-VD-58637.0day' is available in FMWP db update 25.081 (Fortinet Advisory).