Fortinet has released an urgent security advisory about a critical vulnerability affecting FortiPAM and FortiSwitch Manager. The flaw could allow threat actors to completely bypass authentication mechanisms by using brute-force attack methods, giving them potential access to sensitive systems.
Technical Details
This vulnerability, tracked as CVE-2025-49201, results from a weak authentication mechanism in the Web Application Delivery (WAD) and Graphical User Interface (GUI) components. It is classified as CWE-1390 (Weak Authentication Mechanism).
With a CVSS v3.1 score of 7.4, the issue is rated as high severity. If successfully exploited, attackers could execute unauthorized code or inject commands remotely, potentially taking full control of the affected system.
Affected Products and Versions
The flaw impacts several versions of FortiPAM, Fortinet’s Privileged Access Management solution, and certain releases of FortiSwitch Manager, which handles network switch configurations.
| Product | Affected Versions | Solution |
|---|---|---|
| FortiPAM 1.7 | Not affected | Not Applicable |
| FortiPAM 1.6 | Not affected | Not Applicable |
| FortiPAM 1.5 | 1.5.0 | Upgrade to 1.5.1 or above |
| FortiPAM 1.4 | 1.4.0 through 1.4.2 | Upgrade to 1.4.3 or above |
| FortiPAM 1.3 | All versions | Migrate to a fixed release |
| FortiPAM 1.2 | All versions | Migrate to a fixed release |
| FortiPAM 1.1 | All versions | Migrate to a fixed release |
| FortiPAM 1.0 | All versions | Migrate to a fixed release |
| FortiSwitch Manager 7.2 | 7.2.0 through 7.2.4 | Upgrade to 7.2.5 or above |
| FortiSwitch Manager 7.0 | Not affected | Not Applicable |
Attack Requirements and Risk
Exploitation of this flaw requires network access. Attackers could perform repeated brute-force attempts to bypass authentication over time. Although no public exploits have been reported yet, the risk remains significant for unpatched systems.
Fortinet strongly recommends applying the latest security updates immediately.
- Users running FortiPAM 1.5 should upgrade to 1.5.1 or later.
- Versions 1.4.0–1.4.2 require upgrading to 1.4.3 or above.
- Older releases such as 1.3 and below must migrate to a fixed release.
- FortiSwitch Manager 7.2 users should update to 7.2.5 or later.
Mitigation and Recommendations
Fortinet advises all customers to:
- Apply the recommended patches without delay.
- Monitor for unusual login attempts or failed authentications.
- Enable multi-factor authentication (MFA) as an additional layer of defense.
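The monitoring recommendation above is the one a defender can act on before a patch window opens. The following is an added example, not code from Fortinet or from the advisory: a small sliding-window detector that flags a source address making repeated failed logins to a management GUI and, separately, a success that immediately follows such a streak. The log lines, the simplified `timestamp src user result` format, and the threshold and window values are all constructed assumptions for illustration and do not reflect the products' real log format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical, simplified format (not a real Fortinet log).
# 203.0.113.7 hammers the admin account and eventually gets in; 198.51.100.2 is a user
# who mistyped a password twice, which should not raise an alert.
SAMPLE_LOG = """\
2025-10-15T08:00:01 src=203.0.113.7 user=admin result=failure
2025-10-15T08:00:03 src=203.0.113.7 user=admin result=failure
2025-10-15T08:00:04 src=198.51.100.2 user=jdoe result=failure
2025-10-15T08:00:06 src=203.0.113.7 user=admin result=failure
2025-10-15T08:00:09 src=198.51.100.2 user=jdoe result=failure
2025-10-15T08:00:11 src=198.51.100.2 user=jdoe result=success
2025-10-15T08:00:12 src=203.0.113.7 user=admin result=failure
2025-10-15T08:00:15 src=203.0.113.7 user=admin result=failure
2025-10-15T08:00:20 src=203.0.113.7 user=admin result=success
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(success|failure)$")


def parse_events(text):
    """Yield (timestamp, source, user, result) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)


def detect_bruteforce(text, threshold=5, window=timedelta(minutes=10)):
    """Return (alerts, compromised). alerts maps a source to the first time it reached
    `threshold` failures inside one sliding `window`; compromised lists successes that
    followed such a streak, the outcome the advisory warns about. Values are assumptions."""
    failures = defaultdict(deque)  # source -> timestamps of failures still inside the window
    alerts, compromised = {}, []
    for ts, src, user, result in parse_events(text):
        q = failures[src]
        while q and ts - q[0] > window:  # expire failures older than the window
            q.popleft()
        if result == "failure":
            q.append(ts)
            if len(q) >= threshold:
                alerts.setdefault(src, ts)  # record only the first crossing per source
        elif len(q) >= threshold:
            compromised.append((src, user, ts))  # success right after a brute-force streak
            q.clear()
    return alerts, compromised


if __name__ == "__main__":
    found, hits = detect_bruteforce(SAMPLE_LOG)
    print("brute-force sources:", found)
    print("successes after a streak:", hits)
```

Tune `threshold` and `window` to the normal failure rate of your own management interface; a long "over time" campaign needs a wider window than the ten minutes assumed here.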
Discovery and Disclosure
The flaw was discovered internally by Gwendal Guégniaud from Fortinet’s Product Security team. The issue was officially published on October 14, 2025, under internal reference FG-IR-25-010.