October 2025 Fortinet and Ivanti Security Patches: Timely, High‑Severity Fixes and Guidance

As of October 15, 2025, Fortinet had published several PSIRT advisories: an improper certificate validation issue in the FortiOS/FortiProxy ZTNA proxy (FG-IR-24-457), a restricted CLI command bypass on specific FortiGate hardware (FG-IR-24-361), authentication and session handling weaknesses in FortiIsolator (FG-IR-24-062), and a macOS LaunchDaemon permission flaw in FortiClientMac tracked as CVE-2025-57741 (FG-IR-25-664, via NVD). NVD also references weak authentication affecting FortiPAM and FortiSwitchManager as CVE-2025-49201 (FG-IR-25-010). Fixed versions are listed per advisory; prioritize by internet exposure and management-plane criticality [1][2][3][5][6] (fortiguard.com).

Ivanti’s October 2025 Security Update disclosed vulnerabilities in Endpoint Manager Mobile (EPMM) and Neurons for MDM, with Neurons for MDM cloud tenants remediated on October 10, 2025. A separate October 7 advisory covers EPM mitigations. Ivanti reported no in‑the‑wild exploitation tied to the October disclosures at publication time, but prior U.S. government guidance on active exploitation of Ivanti gateways underscores the need for thorough post‑patch validation and hunting, especially on internet‑facing appliances [4][7] (ivanti.com).

KEV status: There have not been KEV entries associated with these advisories as of October 15, 2025; verify against the CISA Known Exploited Vulnerabilities catalog [7][8] (cisa.gov).

Overview

Fortinet’s ZTNA proxy in FortiOS and FortiProxy does not properly validate a host mismatch in the certificate presented on the ZTNA path, which can allow an on‑path attacker to intercept or tamper with ZTNA traffic to protected applications. Fixed versions are available in the 7.6 and 7.4 branches; customers on older branches should plan a migration to a supported fixed release. This PSIRT was published October 14, 2025 (FG‑IR‑24‑457) [1] (fortiguard.com).

A separate FortiOS issue allows a local, authenticated user to bypass restricted CLI controls on specific FortiGate models, enabling unintended system‑level commands via crafted input. Fortinet published fixed builds across 7.6, 7.4, 7.2, and 7.0, and enumerates impacted hardware families in the advisory. This was also published October 14, 2025 (FG‑IR‑24‑361) [2] (fortiguard.com).

FortiIsolator exhibits authentication and session management weaknesses that can force administrative deauthentication via crafted cookies and permit read‑only users to perform write actions. Fortinet addresses these issues in FortiIsolator 2.4.5, with publication dated October 14, 2025 (FG‑IR‑24‑062) [3] (fortiguard.com).

On macOS endpoints, incorrect LaunchDaemon permissions in FortiClientMac enable local privilege escalation through daemon hijacking across multiple 7.x versions. This is tracked as CVE‑2025‑57741 and references Fortinet PSIRT FG‑IR‑25‑664 in NVD, which lists affected versions and fix availability [5] (nvd.nist.gov).

The NVD also references a weak authentication problem impacting FortiPAM and FortiSwitchManager as CVE‑2025‑49201 (FG‑IR‑25‑010), which could permit unauthorized actions via crafted HTTP requests on the management plane [6] (nvd.nist.gov).

Ivanti’s October 2025 Security Update covers issues in EPMM and Neurons for MDM, noting that Neurons for MDM cloud remediations were completed on October 10. Ivanti also issued an October 7 advisory for EPM with mitigation steps, and reported no observed exploitation related to these disclosures at the time of publication [4] (ivanti.com).

Impact

The ZTNA proxy flaw in FortiOS/FortiProxy exposes proxied sessions to on‑path interception or manipulation, creating opportunities for credential theft, data tampering, and policy bypass against apps assumed to be protected by ZTNA broker controls. The practical severity rises on networks where adversaries can gain on‑path positioning or where upstream certificate changes are not closely monitored [1] (fortiguard.com).

On affected FortiGate models, the restricted CLI bypass raises the risk posed by authenticated insiders or compromised admin workstations, since it enables commands that can alter configuration state or establish persistence. It requires authenticated access, but the controls it puts at risk are the network segmentation, VPN policies, and inspection profiles that defenders rely on for containment [2] (fortiguard.com).

FortiIsolator’s session/authentication weaknesses can disrupt administrative continuity via forced logouts and, more critically, allow read‑only accounts to perform write operations, undermining the integrity of web isolation policies and potentially enabling covert bypasses of web access controls [3] (fortiguard.com).

FortiClientMac’s LaunchDaemon mis‑permissions present a classic local privilege escalation path. Although typically post‑compromise, attackers frequently combine LPE with persistence mechanisms and EDR evasion, making rapid endpoint updates and telemetry tuning essential [5] (nvd.nist.gov).

Weak authentication in FortiPAM and FortiSwitchManager threatens the management plane, where unauthorized administrative actions can translate into lateral movement and rapid privilege expansion across infrastructure managed via those platforms [6] (nvd.nist.gov).

Ivanti’s EPMM and Neurons for MDM issues affect device trust, identity, and enrollment, the lifelines of mobile fleet control. Even without reported exploitation in October, enterprises should apply extra scrutiny to MDM and gateway edges and look for subtle post‑patch anomalies in admin and enrollment activity [4] (ivanti.com).

Affected products and fixed versions

FortiOS/FortiProxy ZTNA certificate validation (FG‑IR‑24‑457): FortiOS 7.6.0–7.6.2 and 7.4.0–7.4.8 are affected and fixed in 7.6.3+ and 7.4.9+; all FortiOS 7.2 and 7.0 releases are affected and should be migrated to a fixed branch. FortiProxy 7.6.0–7.6.1 and 7.4.0–7.4.8 are affected and fixed in 7.6.2+ and 7.4.9+; FortiProxy 7.2 and 7.0 should likewise be migrated. Use Fortinet’s upgrade path guidance to reach a supported fixed build [1] (fortiguard.com).

FortiOS restricted CLI command bypass (FG‑IR‑24‑361): FortiOS 7.6.0; 7.4.0–7.4.5; 7.2.0–7.2.10; and 7.0.0–7.0.15 are impacted, with fixes in 7.6.1, 7.4.6, 7.2.11, and 7.0.16 respectively. The PSIRT lists affected models, including popular families such as 100F/101F, 2200E/2201E, 3600E/3601E, and the 7000 series [2] (fortiguard.com).

FortiIsolator authentication/session handling (FG‑IR‑24‑062): Versions 2.4.0–2.4.4 and all 2.3.x releases are affected, with remediation in 2.4.5. Review the release notes for any additional hardening options enabled by the fix [3] (fortiguard.com).

FortiClientMac LaunchDaemon permissions (FG‑IR‑25‑664; CVE‑2025‑57741): FortiClientMac 7.4.0–7.4.3, 7.2.0–7.2.11, and 7.0.x are listed as affected in NVD. Apply the fixed release and use endpoint telemetry to confirm that no daemon plists or binaries with incorrect ownership or permissions remain [5] (nvd.nist.gov).

FortiPAM and FortiSwitchManager weak authentication (FG‑IR‑25‑010; CVE‑2025‑49201): Affected versions include FortiPAM 1.5.0; 1.4.0–1.4.2; 1.3.0–1.3.1; 1.2.0; 1.1.0–1.1.2; and 1.0.0–1.0.3, along with FortiSwitchManager 7.2.0–7.2.4. Update to the fixed releases referenced in the advisory to secure the management plane [6] (nvd.nist.gov).

Ivanti October 2025 advisories: Neurons for MDM vulnerabilities were disclosed and remediated in the cloud on October 10, 2025; EPMM advisories were published with patching guidance; and EPM received an October 7 advisory with mitigations. Follow Ivanti’s update cadence and validation steps, noting the vendor’s statement of no observed exploitation for these disclosures at publication [4] (ivanti.com).

Exposure and exploitability

The Fortinet ZTNA proxy issue requires an adversary to obtain on‑path positioning on the ZTNA traffic path; once there, session interception or tampering is feasible against proxied applications without any user interaction. This elevates risk on networks with dynamic routes, misconfigured TLS inspection, or unmanaged certificate changes [1] (fortiguard.com).

The restricted CLI bypass on FortiGate requires authenticated local CLI access, but its impact is amplified on platforms that administrators routinely touch for changes, logging, and troubleshooting. Consider the scenario of a compromised admin workstation where this flaw becomes a stepping stone to broader configuration manipulation [2] (fortiguard.com).

FortiIsolator exposure straddles both unauthenticated and authenticated vectors: crafted cookies may force administrator deauthentication, while read‑only accounts can perform write operations. That combination lowers barriers for insider misuse and for attackers who have harvested lower‑tier credentials [3] (fortiguard.com).

FortiClientMac’s LaunchDaemon flaw enables standard local privilege escalation via service hijacking, a common technique used to gain root on macOS prior to installing persistence and disabling security tooling. While typically post‑exploitation, rapid exploitation is realistic in hands‑on‑keyboard incidents [5] (nvd.nist.gov).

Weak authentication on FortiPAM/FortiSwitchManager sits on the management plane, where HTTP‑based access coupled with internet exposure can translate into unauthorized administrative actions; prioritize remediation and enforce strict access controls even after patching [6] (nvd.nist.gov).

For Ivanti EPMM and Neurons for MDM, Ivanti reported no observed exploitation in October; however, prior campaigns against Ivanti gateways justify deeper post‑patch validation for anomalous enrollments, admin logins from new ASNs, and configuration pushes outside change windows [4][7] (ivanti.com).

Detection and telemetry

For FortiOS and FortiProxy ZTNA, monitor TLS handshake characteristics to catch on‑path interference: flag mismatches between the requested name (SNI) and the certificate’s subjectAltName entries (the common name alone is not authoritative), sudden issuer changes, and unfamiliar intermediate CAs on ZTNA upstreams. Correlate ZTNA proxy error spikes and new administrative sessions with routing or SD‑WAN path changes that could reveal on‑path positioning attempts [1] (fortiguard.com).
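The following is an added example, not code from the article or from Fortinet, showing both halves of the point above: the hostname check a ZTNA proxy must perform on an upstream certificate (RFC 6125 rules: SAN entries are authoritative, the CN is only a legacy fallback, and a wildcard covers exactly one label), and the detection pass that flags SNI/SAN mismatches, issuer changes, and unknown intermediates against a per‑upstream baseline. The observation records, field names, upstream labels and CA names are constructed for the example and are not a Fortinet log schema.

```python
import ipaddress
from collections import namedtuple

# Constructed record shape for one observed upstream TLS handshake (assumption, not a Fortinet schema).
TlsObs = namedtuple("TlsObs", "upstream sni cert_cn san_dns san_ip issuer intermediates")


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style match: case-insensitive, wildcard only as the entire left-most
    label, never spanning more than one label, and never matching a bare TLD."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:]:
        return False  # reject partial-label ('f*.example') and multiple wildcards
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False  # no '*.com', and exactly one label per wildcard
    return p_labels[1:] == h_labels[1:]


def hostname_matches(hostname: str, san_dns, san_ip=(), cert_cn=None) -> bool:
    """The check a ZTNA proxy must pass before trusting an upstream certificate.
    IP literals match only iPAddress SANs; when dNSName SANs exist the CN is ignored,
    so a benign-looking CN cannot paper over a hostile SAN list."""
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ipaddress.ip_address(x) == ip for x in san_ip)
    if san_dns:
        return any(_dns_name_matches(p, hostname) for p in san_dns)
    return cert_cn is not None and _dns_name_matches(cert_cn, hostname)


def triage(observations, baseline):
    """Detection pass over a batch of handshake observations.
    baseline maps upstream -> {"issuer": str, "intermediates": set(str)}."""
    findings = []
    for o in observations:
        if not hostname_matches(o.sni, o.san_dns, o.san_ip, o.cert_cn):
            findings.append((o.upstream, "host_mismatch", f"sni={o.sni} san={list(o.san_dns)} cn={o.cert_cn}"))
        known = baseline.get(o.upstream)
        if known is None:
            findings.append((o.upstream, "no_baseline", o.issuer))
            continue
        if o.issuer != known["issuer"]:
            findings.append((o.upstream, "issuer_changed", f"{known['issuer']} -> {o.issuer}"))
        unknown = set(o.intermediates) - known["intermediates"]
        if unknown:
            findings.append((o.upstream, "unknown_intermediate", ",".join(sorted(unknown))))
    return findings


# Constructed baseline: what each upstream normally presents.
BASELINE = {
    "hr-app": {"issuer": "Corp Issuing CA 1", "intermediates": {"Corp Issuing CA 1"}},
    "wiki": {"issuer": "Corp Issuing CA 1", "intermediates": {"Corp Issuing CA 1"}},
}

# Constructed batch: clean; CN matches but SAN is hostile; issuer swapped plus foreign
# intermediate; wildcard stretched across two labels.
SAMPLE = [
    TlsObs("hr-app", "hr.corp.example", "hr.corp.example", ["hr.corp.example", "*.corp.example"], [],
           "Corp Issuing CA 1", ["Corp Issuing CA 1"]),
    TlsObs("hr-app", "hr.corp.example", "hr.corp.example", ["proxy.evil.example"], [],
           "Corp Issuing CA 1", ["Corp Issuing CA 1"]),
    TlsObs("wiki", "wiki.corp.example", None, ["*.corp.example"], [],
           "Public CA R3", ["Public CA R3"]),
    TlsObs("wiki", "docs.wiki.corp.example", None, ["*.corp.example"], [],
           "Corp Issuing CA 1", ["Corp Issuing CA 1"]),
]


def sample_findings():
    return triage(SAMPLE, BASELINE)


if __name__ == "__main__":
    for f in sample_findings():
        print(*f, sep="\t")
```

The second sample record is the case the FortiOS/FortiProxy flaw is about: a certificate whose CN looks right but whose SAN list names a different host. A correct validator rejects it; a baseline‑driven issuer and intermediate comparison catches the cases where an attacker obtains a certificate that does name the right host but from a CA you never see on that upstream.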

On FortiGate platforms affected by the restricted CLI bypass, audit CLI command histories for forbidden or platform‑level commands and alert when low‑privilege or read‑only accounts issue configuration or system commands. Pair this with identity analytics to detect shared admin credentials or account use from atypical hosts [2] (fortiguard.com).

Within FortiIsolator, analyze authentication logs for repeated cookie parsing anomalies, sudden administrator session drops, and rapid transitions from read‑only to write privileges. Baseline normal admin session duration and privilege changes to spot deviations introduced by exploitation attempts [3] (fortiguard.com).

On macOS endpoints running FortiClientMac, collect telemetry on LaunchDaemon plist edits, unexpected ownership or permission changes under /Library/LaunchDaemons, unsigned binaries registered to Fortinet service names, and processes spawned by launchd gaining root unexpectedly. Tie these to user‑space activity to detect privilege‑escalation chains early [5] (nvd.nist.gov).
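As an added example (not code from the article or from Fortinet), the audit below walks a LaunchDaemons directory and reports every condition that turns a root‑run daemon into a local privilege escalation path: a plist or its target program that is group/world‑writable, not owned by the trusted uid, a symlinked plist, a program path that is relative or missing (whoever can create it wins), or a program whose parent directory is writable without the sticky bit so the binary can be swapped. `/Library/LaunchDaemons` and the `forti` name filter are the only real paths; the demo fixture, daemon names and binaries are constructed and built in a temporary directory so the check runs unprivileged on any platform with the current user as the trusted owner.

```python
import os
import plistlib
import stat
import tempfile
from pathlib import Path

LAUNCH_DAEMONS = Path("/Library/LaunchDaemons")


def _others_can_write(mode: int) -> bool:
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_launch_daemons(directory=LAUNCH_DAEMONS, trusted_uid=0, name_filter=None):
    """Return (plist_name, finding, detail) for each daemon whose plist or program a
    non-root user could modify or replace. launchd runs these as root, so each
    finding is a candidate privilege-escalation path, not a cosmetic issue."""
    findings = []
    for plist_path in sorted(Path(directory).glob("*.plist")):
        name = plist_path.name
        if name_filter and name_filter.lower() not in name.lower():
            continue
        st = plist_path.lstat()
        if stat.S_ISLNK(st.st_mode):
            findings.append((name, "plist_is_symlink", os.readlink(plist_path)))
            continue
        if st.st_uid != trusted_uid:
            findings.append((name, "plist_not_trusted_owner", f"uid={st.st_uid}"))
        if _others_can_write(st.st_mode):
            findings.append((name, "plist_group_or_world_writable", oct(stat.S_IMODE(st.st_mode))))
        try:
            with plist_path.open("rb") as fh:
                data = plistlib.load(fh)
        except Exception as exc:  # report and keep auditing the rest
            findings.append((name, "plist_unparseable", repr(exc)))
            continue
        program = data.get("Program") or (data.get("ProgramArguments") or [None])[0]
        if not program or not os.path.isabs(program):
            findings.append((name, "program_not_absolute", str(program)))
            continue
        prog = Path(program)
        try:
            pst = prog.stat()
        except FileNotFoundError:
            # Easiest hijack of all: the path does not exist yet, so whoever can create it wins.
            findings.append((name, "program_missing", program))
            continue
        if pst.st_uid != trusted_uid:
            findings.append((name, "program_not_trusted_owner", f"uid={pst.st_uid}"))
        if _others_can_write(pst.st_mode):
            findings.append((name, "program_group_or_world_writable", oct(stat.S_IMODE(pst.st_mode))))
        dst = prog.parent.stat()
        if _others_can_write(dst.st_mode) and not dst.st_mode & stat.S_ISVTX:
            findings.append((name, "program_dir_writable", str(prog.parent)))
    return findings


def demo_findings():
    """Constructed fixture: one sound daemon, one with writable plist/program/directory,
    one pointing at a missing binary. Audited with the current user as trusted owner."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        daemons, good_bin, bad_bin = root / "LaunchDaemons", root / "good_bin", root / "bad_bin"
        for d, mode in ((daemons, 0o755), (good_bin, 0o755), (bad_bin, 0o777)):
            d.mkdir()
            d.chmod(mode)
        good_prog, bad_prog = good_bin / "agentd", bad_bin / "helperd"
        for p, mode in ((good_prog, 0o755), (bad_prog, 0o777)):
            p.write_bytes(b"#!/bin/sh\n")
            p.chmod(mode)
        entries = (("com.example.good.plist", good_prog, 0o644),
                   ("com.example.writable.plist", bad_prog, 0o666),
                   ("com.example.missing.plist", root / "nonexistent" / "gone", 0o644))
        for fname, prog, mode in entries:
            pl = daemons / fname
            with pl.open("wb") as fh:
                plistlib.dump({"Label": fname[:-6], "ProgramArguments": [str(prog)], "RunAtLoad": True}, fh)
            pl.chmod(mode)
        return audit_launch_daemons(daemons, trusted_uid=os.getuid())


if __name__ == "__main__":
    if LAUNCH_DAEMONS.is_dir():
        results = audit_launch_daemons(LAUNCH_DAEMONS, name_filter="forti")
    else:
        results = demo_findings()
    for f in results:
        print(*f, sep="\t")
```

Run it on a fleet before and after the FortiClientMac update and diff the output: a clean post‑patch run is the evidence that the permission fix actually landed, while a `program_dir_writable` or `program_group_or_world_writable` hit on any daemon, Fortinet’s or not, is a finding in its own right.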

On FortiPAM and FortiSwitchManager, scrutinize management‑plane HTTP access for new admin user agents, geolocations, and ASNs; track failed‑to‑successful login ratios; and alert on configuration pushes outside standard maintenance windows. Rate‑limit and enforce MFA to reduce the risk even if credentials are exposed [6] (nvd.nist.gov).
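The two management‑plane detections described above (restricted‑profile accounts issuing system commands on FortiGate, and failed‑to‑successful login runs or logins from new sources on FortiPAM/FortiSwitchManager) share a key=value log parser, so this single added example covers both. It is not code from the article or from Fortinet. The sample lines are constructed and only loosely modelled on FortiOS key=value event logs; the field names `profile`, `cmd`, `status` and `srcip`, the restricted profile names, and the allowlist of admin sources are assumptions to replace with your own schema and environment.

```python
import re
from collections import defaultdict

# key=value parser; quoted values may contain spaces, unquoted ones run to whitespace.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_kv(line: str) -> dict:
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


# Assumptions: the low-privilege admin profiles in this environment, and the command
# prefixes such profiles must never reach (config of system/firewall/vpn/router/user
# trees, any execute, and diagnose sys).
RESTRICTED_PROFILES = {"read_only", "restricted_ops"}
PRIVILEGED_CMD_RE = re.compile(r"^(config\s+(system|firewall|vpn|router|user)\b|execute\s+|diagnose\s+sys\s+)", re.I)


def flag_restricted_cli(events):
    """A restricted profile issuing a system-level command is either a CLI bypass
    of the FG-IR-24-361 class or a profile misconfiguration; both need review."""
    return [(e["user"], e.get("srcip", "?"), e["cmd"])
            for e in events
            if e.get("subtype") == "cli"
            and e.get("profile") in RESTRICTED_PROFILES
            and PRIVILEGED_CMD_RE.match(e.get("cmd", ""))]


def flag_login_anomalies(events, known_sources, fail_threshold=3):
    """Per (user, source): a success following >= fail_threshold consecutive failures
    (guessing or credential stuffing that worked), and any success from a source
    outside the management-plane allowlist."""
    failures = defaultdict(int)
    findings = []
    for e in events:
        if e.get("action") != "login":
            continue
        key = (e.get("user"), e.get("srcip"))
        if e.get("status") == "failed":
            failures[key] += 1
        elif e.get("status") == "success":
            if failures[key] >= fail_threshold:
                findings.append((*key, "success_after_failures", failures[key]))
            if key[1] not in known_sources:
                findings.append((*key, "new_source", 0))
            failures[key] = 0
    return findings


# Constructed log lines (not real device output).
SAMPLE_LOG = """\
date=2025-10-15 time=09:01:10 type="event" subtype="system" action="login" status="failed" user="ops" srcip=203.0.113.7 ui="ssh(203.0.113.7)"
date=2025-10-15 time=09:01:14 type="event" subtype="system" action="login" status="failed" user="ops" srcip=203.0.113.7 ui="ssh(203.0.113.7)"
date=2025-10-15 time=09:01:19 type="event" subtype="system" action="login" status="failed" user="ops" srcip=203.0.113.7 ui="ssh(203.0.113.7)"
date=2025-10-15 time=09:01:25 type="event" subtype="system" action="login" status="success" user="ops" srcip=203.0.113.7 ui="ssh(203.0.113.7)" profile="read_only"
date=2025-10-15 time=09:02:01 type="event" subtype="cli" user="ops" srcip=203.0.113.7 profile="read_only" cmd="show system interface"
date=2025-10-15 time=09:02:40 type="event" subtype="cli" user="ops" srcip=203.0.113.7 profile="read_only" cmd="config system admin"
date=2025-10-15 time=09:03:05 type="event" subtype="cli" user="ops" srcip=203.0.113.7 profile="read_only" cmd="execute reboot"
date=2025-10-15 time=09:10:00 type="event" subtype="system" action="login" status="success" user="netadmin" srcip=10.0.0.5 ui="https(10.0.0.5)" profile="super_admin" msg="Administrator netadmin logged in successfully"
"""

# Assumption: jump hosts permitted to reach the management plane.
KNOWN_ADMIN_SOURCES = {"10.0.0.5", "10.0.0.6"}


def sample_cli_findings():
    return flag_restricted_cli([parse_kv(l) for l in SAMPLE_LOG.splitlines()])


def sample_login_findings():
    return flag_login_anomalies([parse_kv(l) for l in SAMPLE_LOG.splitlines()], KNOWN_ADMIN_SOURCES)


if __name__ == "__main__":
    for f in sample_cli_findings() + sample_login_findings():
        print(*f, sep="\t")
```

The `show` command from the read‑only account passes, as it should; the `config system` and `execute` commands from the same profile are what the FortiGate PSIRT says should have been blocked. On the login side the same account is flagged twice, once for the three failures preceding its success and once for coming from outside the allowlist, which is the kind of compound signal worth paging on for a PAM or switch‑management console.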

For Ivanti EPMM, Neurons for MDM, and EPM, monitor device enrollment spikes, unexpected profile/policy deployments, token issuance surges, and new admin browser fingerprints or IP ranges following updates. Re‑run vendor integrity checks on internet‑exposed gateways and compare results against pre‑patch baselines to spot stealthy persistence [4][7] (ivanti.com).

Patching and compensating safeguards

Step 1—Inventory and classify: Build a current inventory of Fortinet and Ivanti systems, tagging internet‑exposed and management‑plane assets first. Include FortiOS/FortiProxy ZTNA gateways, FortiGate models cited in the restricted CLI PSIRT, FortiIsolator nodes, endpoints running FortiClientMac, FortiPAM/FortiSwitchManager controllers, and Ivanti EPMM/Neurons/EPM components [1][2][3][4][5][6] (fortiguard.com).

Step 2—Validate versions and read advisories: Confirm running versions on each asset and map them to affected/fixed releases. For Fortinet, follow PSIRT version matrices; for Ivanti, apply vendor guidance for each product line, noting the October 10 cloud remediation for Neurons for MDM and the October 7 EPM advisory [1][2][3][4] (ivanti.com).

Step 3—Back up and stage changes: Back up configurations and state, schedule maintenance windows, and stage rollouts by criticality (start with internet‑facing and management‑plane systems). Validate rollback steps in case of unexpected behavior post‑upgrade [1] (fortiguard.com).

Step 4—Apply updates: For Fortinet, use the upgrade path tool to reach the nearest supported fixed release and ensure interdependencies (e.g., FortiProxy and FortiOS pairings) are accounted for. For FortiClientMac and FortiPAM/FortiSwitchManager, apply the fixed versions referenced in NVD and Fortinet PSIRTs. For Ivanti, confirm Neurons for MDM cloud updates landed on October 10 [4][5][6] (nvd.nist.gov).

Step 5—Post‑patch validation: Reboot where required, run health checks, and compare telemetry to pre‑patch baselines—especially admin logins, enrollments, profile pushes, ZTNA error rates, and TLS issuer chains. Re‑run vendor integrity checks on Ivanti gateways given prior exploitation history [4][7] (cisa.gov).

Step 6—Compensating safeguards: Rotate admin credentials and API tokens, enforce MFA everywhere on the management plane, restrict admin access by IP allowlist or VPN, and tighten TLS validation or pinning for ZTNA upstreams. Increase log retention and alerting sensitivity for one to two weeks after patching to catch late‑stage or opportunistic activity [1][2][3][4][5][6] (fortiguard.com).
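Step 2 is where most of the manual error in this procedure happens, because one platform can sit under several advisories with different fixed builds (a FortiOS 7.4.6 unit is past the CLI bypass fix but still inside the ZTNA range). The following is an added example, not code from the article or from Fortinet, that encodes the affected/fixed matrix from the "Affected products and fixed versions" section above and maps a running version to the advisories it is exposed to and the single build that closes all of them. The inventory rows are constructed. It does not know hardware models, so for FG‑IR‑24‑361 it assumes the unit is one of the models the PSIRT lists; check that list, and re‑read each PSIRT before acting, since vendors revise these tables.

```python
from dataclasses import dataclass
from typing import Optional


def parse_version(v: str):
    """'7.4.6' -> (7, 4, 6). A trailing '*' means any build in that branch."""
    return tuple(10**9 if p == "*" else int(p) for p in v.split("."))


@dataclass(frozen=True)
class Range:
    lo: str                 # first affected version, inclusive
    hi: str                 # last affected version, inclusive ('7.2.*' = whole branch)
    fixed: Optional[str]    # in-branch fix, or None when the branch must be migrated

    def contains(self, version) -> bool:
        return parse_version(self.lo) <= version <= parse_version(self.hi)


# Affected/fixed matrix as stated in this article. FG-IR-24-361 additionally applies only
# to the FortiGate models the PSIRT enumerates; that check is out of scope here.
ADVISORIES = {
    "FortiOS": [
        ("FG-IR-24-457", [Range("7.6.0", "7.6.2", "7.6.3"), Range("7.4.0", "7.4.8", "7.4.9"),
                          Range("7.2.0", "7.2.*", None), Range("7.0.0", "7.0.*", None)]),
        ("FG-IR-24-361", [Range("7.6.0", "7.6.0", "7.6.1"), Range("7.4.0", "7.4.5", "7.4.6"),
                          Range("7.2.0", "7.2.10", "7.2.11"), Range("7.0.0", "7.0.15", "7.0.16")]),
    ],
    "FortiProxy": [
        ("FG-IR-24-457", [Range("7.6.0", "7.6.1", "7.6.2"), Range("7.4.0", "7.4.8", "7.4.9"),
                          Range("7.2.0", "7.2.*", None), Range("7.0.0", "7.0.*", None)]),
    ],
    "FortiIsolator": [
        ("FG-IR-24-062", [Range("2.4.0", "2.4.4", "2.4.5"), Range("2.3.0", "2.3.*", "2.4.5")]),
    ],
}


def triage(product: str, running: str):
    """Return (advisory, fixed) for each advisory the running version is inside.
    fixed is None when the branch has no in-branch fix and must be migrated."""
    version = parse_version(running)
    hits = []
    for advisory, ranges in ADVISORIES.get(product, []):
        for r in ranges:
            if r.contains(version):
                hits.append((advisory, r.fixed))
                break
    return hits


def patch_target(product: str, running: str) -> Optional[str]:
    """The one build that closes every applicable advisory for this branch: the highest
    in-branch fix, 'migrate' if any advisory leaves the branch unfixed, None if clean."""
    hits = triage(product, running)
    if not hits:
        return None
    if any(fixed is None for _, fixed in hits):
        return "migrate"
    return max((fixed for _, fixed in hits), key=parse_version)


# Constructed inventory rows: (product, running version).
INVENTORY = [("FortiOS", "7.4.6"), ("FortiOS", "7.0.12"), ("FortiOS", "7.4.9"),
             ("FortiProxy", "7.6.1"), ("FortiIsolator", "2.3.7")]

if __name__ == "__main__":
    for product, running in INVENTORY:
        print(f"{product} {running}: {triage(product, running)} -> {patch_target(product, running)}")
```

Feed it the version field from your asset inventory rather than typing versions by hand, and treat `migrate` as a planning item (a branch change needs the upgrade path tool and a longer maintenance window) rather than a patch.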

Timeline

October 14, 2025: Fortinet published FG‑IR‑24‑457 (ZTNA certificate validation), FG‑IR‑24‑361 (restricted CLI command bypass), and FG‑IR‑24‑062 (FortiIsolator). On the same day, NVD added entries referencing FortiClientMac LaunchDaemon permissions (FG‑IR‑25‑664, CVE‑2025‑57741) and weak authentication in FortiPAM/FortiSwitchManager (FG‑IR‑25‑010, CVE‑2025‑49201).

October 10 and October 14: Ivanti announced that Neurons for MDM was remediated on October 10 and published updates and mitigations for EPMM and EPM, with no observed exploitation reported for these October disclosures. Earlier 2025 guidance from CISA on Ivanti gateway exploitation continues to inform heightened post‑patch validation expectations [4][7] (ivanti.com).

References

  1. Fortinet PSIRT FG‑IR‑24‑457 – ZTNA Server Improper Certificate Validation (FortiOS/FortiProxy) [vendor] (https://www.fortiguard.com/psirt/FG-IR-24-457)
  2. Fortinet PSIRT FG‑IR‑24‑361 – Restricted CLI Command Bypass (FortiOS; specific FortiGate models) [vendor] (https://www.fortiguard.com/psirt/FG-IR-24-361)
  3. Fortinet PSIRT FG‑IR‑24‑062 – FortiIsolator Authentication/Session Handling [vendor] (https://www.fortiguard.com/psirt/FG-IR-24-062)
  4. Ivanti Blog – October 2025 Security Update (EPMM, Neurons for MDM; EPM advisory/mitigations; no exploitation reported) [vendor] (https://www.ivanti.com/blog/october-2025-security-update)
  5. NVD – CVE‑2025‑57741 referencing Fortinet PSIRT FG‑IR‑25‑664 (FortiClientMac LaunchDaemon permissions) [NVD] (https://nvd.nist.gov/vuln/detail/CVE-2025-57741)
  6. NVD – CVE‑2025‑49201 referencing Fortinet PSIRT FG‑IR‑25‑010 (FortiPAM/FortiSwitchManager weak authentication) [NVD] (https://nvd.nist.gov/vuln/detail/CVE-2025-49201)
  7. CISA – Threat Actors Exploit Multiple Vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways [CISA] (https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-060b)
  8. CISA – Known Exploited Vulnerabilities Catalog [CISA] (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
