CVE-2025-58903: 
FortiOS vulnerability analysis and mitigation

CVE-2025-58903 is an Unchecked Return Value vulnerability (CWE-252) discovered in the FortiOS API. The vulnerability was internally discovered by Loic Pantano of Fortinet PSIRT and was initially published on October 14, 2025. It affects multiple versions of FortiOS, including versions 7.6.0 through 7.6.3, 7.4.0 through 7.4.8, and all versions of 7.2, 7.0, and 6.4 (Fortinet Advisory).

The vulnerability is classified as a low severity issue with a CVSSv3 score of 2.5. It exists in the GUI component of FortiOS API where an unchecked return value can lead to a Null Pointer Dereference. The vulnerability requires authentication for exploitation, as indicated by the technical assessment (NVD, Fortinet Advisory).

When successfully exploited, this vulnerability can result in a denial of service condition by causing the HTTP daemon to crash through a specially crafted request. The impact is limited to service disruption, with no reported ability to execute code or access unauthorized information (Fortinet Advisory).

Fortinet has released patches to address this vulnerability. Users are advised to upgrade to FortiOS version 7.6.4 or above for 7.6.x installations, and version 7.4.9 or above for 7.4.x installations. For systems running versions 7.2.x, 7.0.x, or 6.4.x, users should migrate to a fixed release. Fortinet provides an upgrade path tool to assist with the update process (Fortinet Advisory).