CVE-2025-58903: 
FortiOS vulnerability analysis and mitigation

CVE-2025-58903 is an Unchecked Return Value vulnerability [CWE-252] discovered in Fortinet FortiOS versions 7.6.0 through 7.6.3 and versions before 7.4.8. The vulnerability was internally discovered and reported by Loic Pantano of Fortinet PSIRT and was initially published on October 14, 2025 (Fortinet Advisory, NVD).

The vulnerability exists in the FortiOS API and allows an authenticated user to cause a Null Pointer Dereference by sending a specially crafted request to the HTTP daemon. The vulnerability has been assigned a CVSS v3.1 Base Score of 4.9 (MEDIUM) by NVD with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H, while Fortinet assessed it with a lower score of 2.7 (LOW) (NVD).

The primary impact of this vulnerability is a denial of service condition affecting the HTTP daemon. When successfully exploited, it can cause the daemon to crash, potentially disrupting service availability (Fortinet Advisory).

Fortinet has released patches to address this vulnerability. Users of FortiOS 7.6.0 through 7.6.3 should upgrade to version 7.6.4 or above, while users of FortiOS 7.4.0 through 7.4.8 should upgrade to version 7.4.9 or above. Users of FortiOS versions 7.2, 7.0, and 6.4 should migrate to a fixed release. Fortinet provides an upgrade path tool at their documentation site (Fortinet Advisory).