Double free in automation-stitch

Summary

A double free vulnerability [CWE-415] in the FortiOS, FortiProxy and FortiPAM administrative interfaces may allow a privileged attacker to execute code or commands via crafted HTTP or HTTPS requests.

Version          Affected                 Solution
FortiOS 7.6      Not affected             Not applicable
FortiOS 7.4      7.4.0                    Upgrade to 7.4.1 or above
FortiOS 7.2      7.2.0 through 7.2.5      Upgrade to 7.2.6 or above
FortiOS 7.0      7.0.0 through 7.0.12     Upgrade to 7.0.13 or above
FortiOS 6.4      6.4 all versions         Migrate to a fixed release
FortiPAM 1.7     Not affected             Not applicable
FortiPAM 1.6     Not affected             Not applicable
FortiPAM 1.5     Not affected             Not applicable
FortiPAM 1.4     Not affected             Not applicable
FortiPAM 1.3     Not affected             Not applicable
FortiPAM 1.2     Not affected             Not applicable
FortiPAM 1.1     1.1 all versions         Migrate to a fixed release
FortiPAM 1.0     1.0 all versions         Migrate to a fixed release
FortiProxy 7.6   Not affected             Not applicable
FortiProxy 7.4   7.4.0 through 7.4.1      Upgrade to 7.4.2 or above
FortiProxy 7.2   7.2.0 through 7.2.7      Upgrade to 7.2.8 or above
FortiProxy 7.0   7.0.0 through 7.0.13     Upgrade to 7.0.14 or above
Follow the recommended upgrade path using our tool at: https://docs.fortinet.com/upgrade-tool
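The following script is an added example, not part of this advisory or of any Fortinet tool: it encodes the affected-version table above and checks a version string (for example the "Version:" line of `get system status`) against it, so a fleet inventory can be triaged without reading the table by hand. The table data is taken from the advisory; the sample status lines in the script are constructed, not captured from a real device.

```python
import re

# (product, major.minor branch) -> (last affected patch release, first fixed release).
# last_affected None means the whole branch is affected; fixed None means no fixed
# build exists in that branch (the advisory says "Migrate to a fixed release").
AFFECTED_BRANCHES = {
    ("FortiOS", (7, 4)): ((7, 4, 0), (7, 4, 1)),
    ("FortiOS", (7, 2)): ((7, 2, 5), (7, 2, 6)),
    ("FortiOS", (7, 0)): ((7, 0, 12), (7, 0, 13)),
    ("FortiOS", (6, 4)): (None, None),
    ("FortiPAM", (1, 1)): (None, None),
    ("FortiPAM", (1, 0)): (None, None),
    ("FortiProxy", (7, 4)): ((7, 4, 1), (7, 4, 2)),
    ("FortiProxy", (7, 2)): ((7, 2, 7), (7, 2, 8)),
    ("FortiProxy", (7, 0)): ((7, 0, 13), (7, 0, 14)),
}

# Branches the advisory explicitly lists as not affected.
UNAFFECTED_BRANCHES = {
    ("FortiOS", (7, 6)),
    ("FortiPAM", (1, 7)), ("FortiPAM", (1, 6)), ("FortiPAM", (1, 5)),
    ("FortiPAM", (1, 4)), ("FortiPAM", (1, 3)), ("FortiPAM", (1, 2)),
    ("FortiProxy", (7, 6)),
}

# Matches "v7.2.5" in a line such as
# "Version: FortiGate-100F v7.2.5,build1517,230523 (GA.F)" (constructed sample).
VERSION_RE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Return (major, minor, patch) from a version string or status line, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(x) for x in m.groups()) if m else None


def assess(product, version_text):
    """Return (status, advice) for a product/version against this advisory.

    status is "affected", "not affected" or "unknown" (unparseable version, or a
    branch the advisory does not list at all).
    """
    ver = parse_version(version_text)
    if ver is None:
        return "unknown", "could not parse a major.minor.patch version"
    branch = (product, ver[:2])
    if branch in UNAFFECTED_BRANCHES:
        return "not affected", "no action required"
    if branch not in AFFECTED_BRANCHES:
        return "unknown", "%s %d.%d is not listed in this advisory" % (product, ver[0], ver[1])
    last_affected, fixed = AFFECTED_BRANCHES[branch]
    if last_affected is None:
        return "affected", "migrate to a fixed release"
    if ver <= last_affected:
        return "affected", "upgrade to %d.%d.%d or above" % fixed
    return "not affected", "already at or above the fixed release"


if __name__ == "__main__":
    # Constructed sample status lines; not output from real devices.
    samples = [
        ("FortiOS", "Version: FortiGate-100F v7.2.5,build1517,230523 (GA.F)"),
        ("FortiOS", "Version: FortiGate-60F v7.2.6,build1575,231003 (GA.F)"),
        ("FortiOS", "v6.4.15"),
        ("FortiProxy", "v7.4.2"),
        ("FortiOS", "v6.2.16"),
    ]
    for product, line in samples:
        print(product, line, "->", assess(product, line))
```

Branches that the advisory does not mention at all (for example FortiOS 6.2) are reported as "unknown" rather than "not affected": absence from the table is not a statement that the branch is safe.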

FortiSASE: Issue remediated Q3/23

Acknowledgement

Internally discovered and reported by Aaron Li from Fortinet's FortiOS development team.

Timeline

2025-08-12: Initial publication