Home About Courses Live Batches Private Sessions Labs Cyber Bulletin Verify Contact

Login

FortiPAM and FortiSwitch Manager Vulnerability Let Attackers Bypass Authentication Process (CVE-2025-49201)

Published on: October 30, 2025

Share:
FortiPAM and FortiSwitch Manager Vulnerability Let Attackers Bypass Authentication Process (CVE-2025-49201)

Overview

CVE-2025-49201 is a critical authentication vulnerability affecting the Web Administration Daemon/Graphical User Interface (WAD/GUI) components of FortiPAM and FortiSwitch Manager. First disclosed in mid-October 2025, this flaw allows unauthenticated attackers to send crafted HTTP(S) requests that result in unauthorized command or code execution on vulnerable devices. Because these products manage privileged network access and core switching infrastructure, exploitation can provide attackers with a strong foothold for lateral movement, operational disruption, and ongoing network compromise. Patched updates are available, but unpatched systems remain highly vulnerable.

Who It Impacts

  • Organizations using FortiPAM for privileged access management.
  • Organizations using FortiSwitch Manager for network switch administration.
  • Security teams responsible for managing access control and network configuration.
  • Any infrastructure relying on these devices for administrative and operational workflows.

How It Impacts

  • Unauthorized command execution on management devices.
  • Administrative takeover of privileged access workflows and switch configurations.
  • Network visibility and control enabling traffic interception, pivoting, or lateral movement.
  • Operational disruption due to manipulated configurations, service restarts, or policy changes.
  • High blast radius because the vulnerability affects the management plane of core network infrastructure.

Targeted Products

 

ProductAffected VersionsFixed Versions
FortiPAM1.5.0, 1.4.0–1.4.2, all 1.3.x / 1.2.x / 1.1.x / 1.0.x1.5.1, 1.4.3
FortiSwitch Manager7.2.0–7.2.47.2.5

 

Recommendations

  1. Patch Immediately:
    • FortiPAM ? 1.5.1 / 1.4.3
    • FortiSwitch Manager ? 7.2.5
  2. Restrict Management Interfaces:
    • Remove internet exposure.
    • Allowlist admin sources via trusted VLANs or OOB networks.
  3. Enforce Strong Authentication:
    • Enable MFA for all administrative access.
    • Remove stale accounts and validate RBAC privileges.
  4. Credential Hygiene:
    • Rotate admin credentials if compromise is suspected.
    • Verify configuration integrity and audit for unauthorized changes.
  5. Monitoring & Detection:
    • Map version exposure of all FortiPAM/FortiSwitch deployments.
    • Alert on malformed or unexpected HTTP(S) requests to admin endpoints.
    • Monitor for new/modified admin accounts, unexpected password or policy changes, and spontaneous service restarts.
    • Correlate logs with EDR and identity telemetry to detect lateral movement attempts.

Conclusion

CVE-2025-49201 and related Fortinet WAD/GUI vulnerabilities pose a serious risk to network management systems. Improper authentication can allow unauthorized command execution, leading to potential service disruption, privilege escalation, and persistent access by attackers.

References

https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-fortinet-products-could-allow-for-remote-code-execution_2025-040

https://cybersecuritynews.com/fortipam-and-fortiswitch-manager-vulnerability/

https://gbhackers.com/fortipam-fortiswitch-manager-flaw/#google_vignette

https://nvd.nist.gov/vuln/detail/CVE-2025-49201

← Back to all bulletins