Medium

FortiAnalyzer / FortiManager API Denial of Service via Unsafe Function in Signal Handler

IdentifiersCVE-2025-67604CWE-676· Use of Potentially Dangerous…

CVE-2025-67604 is a medium-severity denial-of-service vulnerability in the API layer of Fortinet FortiAnalyzer and FortiManager. The issue is described as a use of potentially dangerous function vulnerability and is associated with unsafe function use in a signal handler. A remote authenticated attacker can send multiple specially crafted HTTP requests to the affected API and trigger crashes that can cause the system to hang. According to the available information, exploitation depends on an alignment of internal locks that is outside the attacker’s control, making successful triggering non-deterministic. Affected versions include FortiAnalyzer 7.6.0 through 7.6.4, 7.4.0 through 7.4.8, all 7.2 versions, all 7.0 versions, and all 6.4 versions; and FortiManager 7.6.0 through 7.6.4, 7.4.0 through 7.4.8, all 7.2 versions, all 7.0 versions, and all 6.4 versions.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can crash the affected FortiAnalyzer or FortiManager instance and cause a system hang, resulting in denial of service. In operational terms, this can disrupt centralized log collection and analysis in FortiAnalyzer and interfere with network management functions in FortiManager. The available information does not indicate code execution, privilege escalation, or data exposure from this flaw.

Mitigation

If you can’t patch tonight, do this now.

Restrict access to the FortiAnalyzer and FortiManager API to trusted administrative networks and authorized users only. Minimize exposure of management interfaces, enforce strong authentication, and monitor for bursts of malformed or repeated HTTP requests targeting the API that could indicate attempted exploitation. Because exploitation requires authenticated access, reducing the number of accounts with API access and applying network-layer controls can materially reduce risk until patches are applied.

Remediation

Patch, then assume compromise.

Upgrade affected FortiAnalyzer and FortiManager installations to vendor-fixed releases referenced in Fortinet advisory FG-IR-26-137. The provided content confirms that affected branches include 6.4, 7.0, 7.2, 7.4, and 7.6, but does not include the exact fixed version numbers for every branch. Fortinet’s PSIRT advisory page is the authoritative source for patch version details.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

FortinetFortianalyzeroperating_system

FortinetFortimanageroperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app

cyberthroneNews

May 16, 2026

Fortinet Patch Tuesday - May 2026 - TheCyberThrone

A denial-of-service vulnerability in FortiAnalyzer and FortiManager caused by an unsafe function in a signal handler.

cyber security newsNews

May 12, 2026

Fortinet Patches Five Vulnerabilities Across FortiAP, FortiOS, and Enterprise Products

A medium-severity API-layer vulnerability in FortiAnalyzer and FortiManager that could allow an authenticated internal attacker to trigger denial of service.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity