Published on October 15, 2025
FortiPAM & FortiSwitch Manager Flaw Allows Attackers to Bypass Authentication
Severity
High
Fortinet recently revealed a high-severity security flaw impacting its FortiPAM and FortiSwitch Manager products, which could allow attackers to bypass authentication through brute-force techniques. Identified as CVE-2025-49201, the vulnerability was internally discovered by Gwendal Guégniaud from Fortinet’s Product Security team and publicly disclosed on October 14, 2025. The issue arises from a weak authentication mechanism (CWE-1390) in the WAD/GUI components, enabling unauthorized access attempts over the network.
With a CVSS v3.1 score of 7.4, the flaw poses a serious threat, especially for internet-exposed systems, as exploitation requires no user interaction or existing privileges. Successful attacks could lead to code execution, system takeover, data theft, or lateral movement within the network.
The vulnerability affects multiple FortiPAM versions (1.0 – 1.5.0) and FortiSwitchManager versions (7.2.0 – 7.2.4). Fortinet has addressed the issue in FortiPAM 1.4.3 and 1.5.1, and FortiSwitchManager 7.2.5. However, older FortiPAM versions (1.0 – 1.3) do not have available patches and must be fully migrated to supported releases. Versions 1.6 and 1.7 of FortiPAM, and 7.0 of FortiSwitchManager, are confirmed not affected. Given the risk level, Fortinet strongly recommends that administrators assess their environments and act quickly to secure vulnerable systems.
| CVE Number | Description | CVSS Score (Severity) |
| --- | --- | --- |
| CVE-2025-49201 | A weak authentication in Fortinet FortiPAM 1.5.0, 1.4.0 through 1.4.2, 1.3.0 through 1.3.1, 1.2.0, 1.1.0 through 1.1.2, 1.0.0 through 1.0.3, and FortiSwitchManager 7.2.0 through 7.2.4 allows an attacker to execute unauthorized code or commands via specially crafted HTTP requests | 7.4 (High) |
Affected Products
| Version | Affected | Solution |
| --- | --- | --- |
| FortiPAM 1.7 | Not affected | Not applicable |
| FortiPAM 1.6 | Not affected | Not applicable |
| FortiPAM 1.5 | 1.5.0 | Upgrade to 1.5.1 or above |
| FortiPAM 1.4 | 1.4.0 through 1.4.2 | Upgrade to 1.4.3 or above |
| FortiPAM 1.3 | 1.3 all versions | Migrate to a fixed release |
| FortiPAM 1.2 | 1.2 all versions | Migrate to a fixed release |
| FortiPAM 1.1 | 1.1 all versions | Migrate to a fixed release |
| FortiPAM 1.0 | 1.0 all versions | Migrate to a fixed release |
| FortiSwitchManager 7.2 | 7.2.0 through 7.2.4 | Upgrade to 7.2.5 or above |
| FortiSwitchManager 7.0 | Not affected | Not applicable |
Recommendation
Organizations should immediately upgrade affected systems to the latest fixed versions or migrate unsupported versions to the latest available builds.
Priority should be given to internet-facing systems or environments with external management exposure. Security teams are advised to validate patch deployment across all assets, ensure version consistency, and document remediation progress for audit and compliance tracking.
Continuous monitoring of Fortinet’s advisories and threat intelligence feeds is also recommended to stay informed of any exploitation attempts or related vulnerabilities.
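To support the patch-validation step above, the following added example (not code from the advisory or from Fortinet) checks an asset inventory against the affected version ranges listed in the CVE description and the affected-products table. The function names and the sample inventory are constructed for this example; the version ranges and remediation actions are taken from the advisory.

```python
# Classify FortiPAM / FortiSwitchManager versions against the CVE-2025-49201
# ranges. Version ranges come from the advisory; everything else is our own.
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

def parse_version(text: str) -> Version:
    """Turn '1.4.2' into (1, 4, 2); pad '1.3' to (1, 3, 0) so branches compare."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))

# (product, inclusive low, inclusive high, fixed build on that branch or None)
# None means the branch has no patch and must be migrated to a fixed release.
AFFECTED = [
    ("FortiPAM", "1.0.0", "1.0.3", None),
    ("FortiPAM", "1.1.0", "1.1.2", None),
    ("FortiPAM", "1.2.0", "1.2.0", None),
    ("FortiPAM", "1.3.0", "1.3.1", None),
    ("FortiPAM", "1.4.0", "1.4.2", "1.4.3"),
    ("FortiPAM", "1.5.0", "1.5.0", "1.5.1"),
    ("FortiSwitchManager", "7.2.0", "7.2.4", "7.2.5"),
]

def assess(product: str, version: str) -> dict:
    """Return whether a product/version is in an affected range and what to do."""
    v = parse_version(version)
    for prod, low, high, fix in AFFECTED:
        if prod == product and parse_version(low) <= v <= parse_version(high):
            action = f"upgrade to {fix} or above" if fix else "migrate to a fixed release"
            return {"affected": True, "action": action}
    return {"affected": False, "action": "none required"}

# Constructed sample inventory (hostname,product,version); not real hosts.
INVENTORY = """\
pam-prod-01,FortiPAM,1.4.1
pam-lab-02,FortiPAM,1.3
pam-prod-03,FortiPAM,1.6.0
fsm-core-01,FortiSwitchManager,7.2.4
fsm-core-02,FortiSwitchManager,7.0.2
"""

def scan_inventory(csv_text: str) -> List[Tuple[str, str, str, str]]:
    """Return (host, product, version, action) for every affected asset."""
    findings = []
    for line in csv_text.splitlines():
        if not line.strip():
            continue
        host, product, version = (f.strip() for f in line.split(","))
        result = assess(product, version)
        if result["affected"]:
            findings.append((host, product, version, result["action"]))
    return findings

if __name__ == "__main__":
    for host, product, version, action in scan_inventory(INVENTORY):
        print(f"{host}: {product} {version} is affected; {action}")
```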
Source
https://gbhackers.com/fortipam-fortiswitch-manager-flaw/
