Critical Vulnerability in Fortinet FortiManager’s fgtupdates Service Exposes Systems to Remote Code Execution
Fortinet has recently identified a significant security flaw within its FortiManager platform, specifically in the fgtupdates service. This vulnerability, cataloged as CVE-2025-54820, has been assigned a CVSSv3 score of 7.0, indicating a high severity level. If exploited, it could allow remote, unauthenticated attackers to execute arbitrary commands on affected systems, posing a substantial risk to enterprise network management infrastructures.
Understanding the Vulnerability
The core of this issue lies in a stack-based buffer overflow within the fgtupdates service of FortiManager. By sending specially crafted requests to this service, an attacker could potentially execute unauthorized code on the targeted system. However, successful exploitation is contingent upon two factors:
1. Service Activation: The fgtupdates service must be actively enabled on the device.
2. Bypassing Protections: The attacker needs to circumvent existing stack protection mechanisms, which adds complexity to the attack and contributes to the vulnerability’s high (rather than critical) CVSS rating.
Fortinet disclosed this vulnerability on March 10, 2026, under internal reference FG-IR-26-098. The flaw was responsibly reported by researcher catalpa from Dbappsecurity Co., Ltd.
Affected Versions
The vulnerability impacts the following versions of FortiManager:
– FortiManager 7.4: Versions 7.4.0 through 7.4.2 are affected. Users should upgrade to version 7.4.3 or later.
– FortiManager 7.2: Versions 7.2.0 through 7.2.10 are affected. Users should upgrade to version 7.2.11 or later.
– FortiManager 6.4: All versions are affected. Users are advised to migrate to a fixed release.
Notably, FortiManager Cloud is not affected by this vulnerability, limiting the scope to on-premises deployments.
Mitigation and Workaround
To address this vulnerability, Fortinet strongly recommends upgrading to the respective patched releases as the primary remediation measure. For organizations unable to apply patches immediately, disabling the fgtupdates service serves as a temporary workaround.
Disabling the fgtupdates Service:
Administrators can remove fgtupdates from the service access list on the relevant interface using the following CLI configuration:
“`
config system interface
edit
end
“`
Ensure that `fgtupdates` is not listed among the enabled services on any exposed interface.
Implications for Network Security
FortiManager is a critical component in many enterprise and government environments, providing centralized management for Fortinet security devices. A vulnerability that allows unauthenticated remote code execution, even under specific conditions, significantly increases the attack surface.
Threat actors often target network management platforms as they can serve as pivot points for lateral movement and persistent access across managed infrastructure. Therefore, it’s imperative for security teams to:
– Audit Active Services: Immediately review active FortiManager services to identify any unnecessary or vulnerable components.
– Apply Patches Promptly: Implement the available patches without delay to mitigate the risk associated with this vulnerability.
– Monitor for Anomalies: Keep a vigilant eye on access logs for any unusual activity related to the fgtupdates service endpoint.
Conclusion
The discovery of CVE-2025-54820 underscores the importance of proactive vulnerability management and timely patching in maintaining network security. Organizations utilizing FortiManager should prioritize addressing this issue to safeguard their network management environments against potential exploitation.
