Introduction
Remote access gateways are a critical entry point for enterprise networks, and vulnerabilities in their SSL VPN implementations have repeatedly led to significant security incidents. Fortinet's SSL VPN products are widely deployed in organizations of all sizes, making any flaw in their authentication or protocol handling logic a high-priority concern for defenders.
Fortinet is a global cybersecurity vendor whose FortiGate firewalls, FortiOS operating system, FortiProxy secure web gateways, and FortiPAM privileged access management solutions are used by thousands of enterprises, service providers, and government agencies worldwide. The company is a leader in the network security appliance market, and its products are often found at the core of critical infrastructure.
Technical Information
CVE-2025-57740 is a heap-based buffer overflow vulnerability (CWE-122) in the RDP bookmark connection feature of Fortinet's SSL VPN implementation. The flaw is present in FortiOS, FortiPAM, and FortiProxy. It is triggered when an authenticated user sends specially crafted requests during the establishment of an RDP bookmark connection through the SSL VPN web portal. The vulnerable code fails to perform sufficient bounds checking on input data related to RDP bookmark parameters, allowing attacker-controlled data to overflow the allocated heap buffer. This can corrupt adjacent memory and potentially allow execution of unauthorized code with the privileges of the affected process.
The vulnerability requires authenticated access to the SSL VPN portal, which means an attacker must first obtain valid credentials. Once authenticated, however, exploitation is possible remotely over the network. The flaw specifically affects the handling of RDP bookmark data, which is used to configure and initiate Remote Desktop Protocol sessions via the SSL VPN interface. No public code snippets or proof-of-concept exploit are available for this vulnerability.
Patch Information
Fortinet has addressed the buffer overflow vulnerability in the fgfmd daemon by releasing updated versions of FortiOS, FortiProxy, FortiPAM, and FortiSwitchManager. The vulnerability, identified as CWE-124, could potentially allow remote attackers to execute arbitrary code or commands via specially crafted packets targeting the fgfmd daemon.
To mitigate this issue, Fortinet recommends upgrading to the following versions:
- FortiOS:
  - 7.4.4 or later
  - 7.2.8 or later
  - 7.0.15 or later
- FortiProxy:
  - 7.4.4 or later
  - 7.2.10 or later
  - 7.0.17 or later
- FortiPAM:
  - 1.3.0 or later
- FortiSwitchManager:
  - 7.2.4 or later
  - 7.0.4 or later
For detailed upgrade paths and additional information, please refer to Fortinet's Product Security Incident Response Team (PSIRT) advisory.
Affected Systems and Versions
- FortiOS:
  - 7.6.2 and below
  - 7.4.7 and below
  - 7.2.10 and below
  - All 7.0 versions
  - All 6.4 versions
- FortiPAM:
  - 1.5.0
  - 1.4.2 and below
  - All 1.3 versions
  - All 1.2 versions
  - All 1.1 versions
  - All 1.0 versions
- FortiProxy:
  - 7.6.2 and below
  - 7.4.3 and below
  - All 7.2 versions
  - All 7.0 versions
The vulnerability is present when SSL VPN is enabled and RDP bookmarks are configured. Only authenticated users can trigger the flaw.
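The affected-version list above is the input a defender needs for fleet triage. The following helper is an added example, not Fortinet's code or part of the advisory: it encodes the branches and patch levels exactly as listed in the Affected Systems section and reports whether a device's reported version falls inside them. It assumes version strings of the form `7.4.7` or `v7.4.7 build1234` (the prefix is parsed, the build suffix ignored); product names and the constructed inventory are illustrative.

```python
"""Triage helper: is a FortiOS / FortiProxy / FortiPAM version inside the
affected ranges stated in this advisory? (Added example, not vendor code.)"""
import re
from typing import Dict, List, Optional, Tuple

# Affected ranges copied from the "Affected Systems and Versions" section.
# Each entry: ((major, minor) branch, highest affected patch level, or None
# when the advisory lists the whole branch as affected).
AFFECTED: Dict[str, List[Tuple[Tuple[int, int], Optional[int]]]] = {
    "FortiOS":    [((7, 6), 2), ((7, 4), 7), ((7, 2), 10), ((7, 0), None), ((6, 4), None)],
    "FortiPAM":   [((1, 5), 0), ((1, 4), 2), ((1, 3), None), ((1, 2), None),
                   ((1, 1), None), ((1, 0), None)],
    "FortiProxy": [((7, 6), 2), ((7, 4), 3), ((7, 2), None), ((7, 0), None)],
}

# Accepts "7.4.7", "v7.4.7", "v7.4.7 build2731" (assumed format; build ignored).
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Return (major, minor, patch) from a FortiOS-style version string."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(x) for x in match.groups())
    return major, minor, patch


def is_affected(product: str, version: str) -> Optional[bool]:
    """True if inside a listed affected range, False if the branch/patch is not
    listed as affected, None if the product is not covered by this advisory."""
    ranges = AFFECTED.get(product)
    if ranges is None:
        return None
    major, minor, patch = parse_version(version)
    for (b_major, b_minor), max_patch in ranges:
        if (major, minor) == (b_major, b_minor):
            # Whole branch affected, or patch level at/below the listed ceiling.
            return max_patch is None or patch <= max_patch
    return False


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Map (hostname, product, version) rows to (hostname, status) for review."""
    labels = {True: "AFFECTED", False: "not listed", None: "product not in advisory"}
    return [(host, labels[is_affected(product, ver)]) for host, product, ver in inventory]


if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    for host, status in triage([("fw-edge-01", "FortiOS", "v7.4.7 build2731"),
                                ("fw-edge-02", "FortiOS", "7.4.8"),
                                ("pam-01", "FortiPAM", "1.5.0")]):
        print(f"{host}: {status}")
```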
Vendor Security History
Fortinet has experienced several critical vulnerabilities in its SSL VPN implementations in recent years. Notable examples include CVE-2022-42475 and CVE-2023-27997, both heap-based buffer overflows that allowed code execution. Fortinet typically releases timely patches for supported versions but requires migration for unsupported branches. The recurrence of memory safety issues in SSL VPN components suggests a need for ongoing improvement in secure development and code review processes.