CVE-2025-24477: 
FortiOS vulnerability analysis and mitigation

A heap-based buffer overflow vulnerability (CVE-2025-24477) was discovered in Fortinet FortiOS's cw_stad daemon affecting versions 7.6.0 through 7.6.2, 7.4.0 through 7.4.7, and 7.2.4 through 7.2.11. The vulnerability was internally discovered and reported by Gwendal Guégniaud of Fortinet's Product Security team on July 8, 2025 (Fortinet Advisory).

The vulnerability is classified as a heap-based buffer overflow (CWE-122) in the cw_stad daemon of FortiOS. It has been assigned a CVSS v3.1 base score of 6.7 (Medium) by NIST NVD with vector string CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, while Fortinet assigned it a score of 4.2 (Medium) with vector string CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L (NVD).

The vulnerability specifically affects systems configured as wireless clients, particularly impacting eight FortiWifi models including FWF80F2R3G4GDSL, FWF80F2R, FWF81F2R3G4GDSL, FWF81F2R3G4GPOE, FWF81F2R, FWF81F2RPOE, FWF90G2R, and FWF91G_2R. If exploited, it allows an authenticated attacker to execute arbitrary code or commands via specifically crafted requests (Fortinet Advisory).

Fortinet has released patches for all affected versions. Users are advised to upgrade to FortiOS version 7.6.3 or above for 7.6.x installations, 7.4.8 or above for 7.4.x installations, and 7.2.12 or above for 7.2.x installations. Users can follow the recommended upgrade path using Fortinet's upgrade tool available at their documentation portal (Fortinet Advisory).