CVE-2025-64157

Severity: 7.2 HIGH
EPSS: 0.0% (top 96.60%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 10

Description

A use of externally-controlled format string vulnerability in Fortinet FortiOS 7.6.0 through 7.6.4, FortiOS 7.4.0 through 7.4.9, FortiOS 7.2.0 through 7.2.11, FortiOS 7.0 all versions allows an authenticated admin to execute unauthorized code or commands via specifically crafted configuration.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploitability: 0.8 | Impact: 5.9

Affected Packages (2 packages)

NVD: fortinet/fortios 7.0.0 to 7.4.10 (+1 more range)
CVEListV5: fortinet/fortios 7.6.0 to 7.6.4 (+3 more ranges)

Vulnerability Details (2)

GHSA: GHSA-gq6x-9gv4-v98h: A use of externally-controlled format string vulnerability in Fortinet FortiOS 7… (2026-02-10)
CVEList: CVE-2025-64157: A use of externally-controlled format string vulnerability in Fortinet FortiOS 7… (2026-02-10)

Vendor Advisories (1)

Fortinet: Format String Vulnerability in CAPWAP fast-failover mode (2026-02-10)

Threat Intelligence (1)

Wiz: CVE-2025-64157 Impact, Exploitability, and Mitigation Steps | Wiz

Source: cvebase.io (CVE-2025-64157, HIGH, CVSS 7.2)