
FortiGuard Labs | FortiGuard Center - IR Advisories

The following is a list of advisories for issues resolved in Fortinet products. The resolution of such issues is coordinated by the Fortinet Product Security Incident Response Team (PSIRT), a dedicated, global team that manages the receipt, investigation, and public reporting of information about security vulnerabilities and issues related to Fortinet products and services.

CVSSv3 Score: 5.9

A key management error vulnerability [CWE-320] in FortiManager, FortiAnalyzer and FortiPortal may allow an authenticated admin to retrieve a certificate's private key via the device's admin shell.

Revised on 2025-12-10 00:00:00

CVSSv3 Score: 6.2

An improper access control vulnerability [CWE-284] in FortiSOAR may allow information disclosure to an authenticated attacker via crafted requests.

Revised on 2025-12-09 00:00:00

CVSSv3 Score: 7.1

A reliance on cookie without validation or integrity checking vulnerability [CWE-565] in FortiWeb may allow an unauthenticated attacker to execute arbitrary operations on the system via crafted HTTP or HTTPS requests carrying forged cookies; forging the cookies requires knowledge of the FortiWeb serial number. FortiAppSec Cloud is NOT impacted by this vulnerability.

Revised on 2025-12-09 00:00:00

CVSSv3 Score: 4.4

A use of password hash instead of password for authentication vulnerability [CWE-836] in FortiWeb may allow an unauthenticated attacker who has obtained a password hash to authenticate with the hash in place of the password via crafted HTTP/HTTPS requests.

Revised on 2025-12-09 00:00:00
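The weakness class in the FortiWeb entry above (CWE-836) is easiest to see side by side: a login routine that accepts either the password or its stored hash, next to one that only ever derives a hash from the submitted credential and compares it in constant time. This is an added example, not Fortinet code and not FortiWeb's actual login logic; the user store, salt, iteration count and the password itself are constructed for illustration.

```python
"""Hash-instead-of-password authentication (CWE-836): weak and hardened checks.

Added example; not Fortinet code and not FortiWeb's real login logic.
The storage format and parameters below are constructed for illustration.
"""
import hashlib
import hmac

# Constructed user store: one account, password hashed with salted
# PBKDF2-HMAC-SHA256. Salt and iteration count are illustrative values.
_SALT = b"constructed-salt-0001"
_ITERATIONS = 100_000


def derive(password: str) -> str:
    """Return the hex digest the server stores for a password."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode(), _SALT, _ITERATIONS
    ).hex()


USER_DB = {"admin": derive("correct horse")}


def vulnerable_login(user: str, credential: str) -> bool:
    """Accepts either the password or its stored hash (CWE-836).

    Anyone who has read the hash out of a backup, a log or a database can
    authenticate without ever cracking it, because the hash itself is
    treated as a valid credential on the first comparison.
    """
    stored = USER_DB.get(user)
    if stored is None:
        return False
    if credential == stored:              # the hash is accepted directly
        return True
    return derive(credential) == stored   # ordinary password path


def hardened_login(user: str, credential: str) -> bool:
    """Only the password is accepted; a submitted hash is just a wrong password.

    The submitted value is always run through the KDF, so the stored hash is
    never compared against raw input, and the comparison is constant-time.
    """
    stored = USER_DB.get(user)
    if stored is None:
        derive(credential)   # same cost for unknown users (no user enumeration by timing)
        return False
    return hmac.compare_digest(derive(credential), stored)


if __name__ == "__main__":
    leaked_hash = USER_DB["admin"]
    print("vulnerable, password:", vulnerable_login("admin", "correct horse"))
    print("vulnerable, leaked hash:", vulnerable_login("admin", leaked_hash))
    print("hardened, password:", hardened_login("admin", "correct horse"))
    print("hardened, leaked hash:", hardened_login("admin", leaked_hash))
```

The defect is not the hashing algorithm but the extra branch that short-circuits on the stored value; any code path that compares the stored hash against unprocessed client input has the same problem, regardless of how strong the KDF is.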

CVSSv3 Score: 6.5

An Unverified Password Change vulnerability [CWE-620] in FortiSOAR may allow an attacker who has gained access to a victim's user account to reset the account credentials without being prompted for the account's current password.

Revised on 2025-12-09 00:00:00

CVSSv3 Score: 6.4

An Incorrect Authorization vulnerability [CWE-863] in FortiPortal may allow an authenticated attacker to reboot a shared FortiGate device via crafted HTTP requests.

Revised on 2025-12-09 00:00:00

CVSSv3 Score: 6.3

An insertion of sensitive information into log file vulnerability [CWE-532] in FortiOS, FortiProxy, FortiPAM and FortiSRA may allow a read-only administrator to retrieve API tokens of other administrators via observing REST API logs, if REST API logging is enabled (non-default configuration).

Revised on 2025-12-09 00:00:00

CVSSv3 Score: 5.3

An Insufficient Session Expiration vulnerability [CWE-613] in FortiOS SSL-VPN may allow an attacker to maintain access to network resources via an active session that is not terminated after a user's password change, under particular conditions outside of the attacker's control.

Revised on 2025-12-09 00:00:00
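The FortiSOAR entry (CWE-620, credential reset without re-proving the current password) and the FortiOS SSL-VPN entry above (CWE-613, sessions surviving a password change) are two halves of the same control: a password change must be authorized by the current password, and it must invalidate every other session of the account. The following added example shows both failure modes and the hardened version in one small in-memory service. It is not Fortinet code and does not describe how FortiSOAR or FortiOS implement either check; the account and session stores, the credential-version scheme and the token format are constructed for illustration.

```python
"""Password change that re-verifies the current password (CWE-620) and ends the
account's other sessions (CWE-613).

Added example; not Fortinet code and not how FortiSOAR or FortiOS SSL-VPN
implement this. Stores, token format and the credential-version scheme are
constructed for illustration.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    credential_version: int = 0   # bumped on every credential change


@dataclass
class Session:
    user: str
    credential_version: int       # the version that was current at login


class AuthService:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.sessions: dict[str, Session] = {}

    def create_account(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[user] = Account(salt, _hash(password, salt))

    def _check_password(self, user: str, password: str) -> bool:
        acct = self.accounts.get(user)
        if acct is None:
            return False
        return hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash)

    def login(self, user: str, password: str) -> str | None:
        if not self._check_password(user, password):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user, self.accounts[user].credential_version)
        return token

    def session_valid(self, token: str) -> bool:
        """A session is live only while its credential version is still current."""
        sess = self.sessions.get(token)
        if sess is None:
            return False
        return sess.credential_version == self.accounts[sess.user].credential_version

    def change_password_unverified(self, token: str, new_password: str) -> bool:
        """Weak path: any session holder can rotate the credential without the
        current password (CWE-620), and because the version is not bumped every
        existing session, the attacker's included, stays valid (CWE-613)."""
        sess = self.sessions.get(token)
        if sess is None:
            return False
        acct = self.accounts[sess.user]
        acct.pw_hash = _hash(new_password, acct.salt)
        return True

    def change_password(self, token: str, current_password: str, new_password: str) -> bool:
        """Hardened path: require the current password, rotate salt and hash,
        bump the credential version so every other session dies, and keep only
        the session that performed the change."""
        if not self.session_valid(token):
            return False
        sess = self.sessions[token]
        if not self._check_password(sess.user, current_password):
            return False
        acct = self.accounts[sess.user]
        acct.salt = secrets.token_bytes(16)
        acct.pw_hash = _hash(new_password, acct.salt)
        acct.credential_version += 1
        sess.credential_version = acct.credential_version   # caller's session survives
        return True
```

Binding sessions to a credential version, rather than enumerating and deleting them, also covers sessions held in other stores (VPN concentrators, API tokens) as long as they are validated against the same version on each use.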

CVSSv3 Score: 2.6

A Direct Request ('Forced Browsing') vulnerability [CWE-425] in FortiAuthenticator's log endpoints may allow an authenticated attacker with at least sponsor permissions to read and download device logs via accessing specific endpoints.

Revised on 2025-12-09 00:00:00

CVSSv3 Score: 9.1

An Improper Verification of Cryptographic Signature vulnerability [CWE-347] in FortiOS, FortiWeb, FortiProxy and FortiSwitchManager may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML message, if that feature is enabled on the device.

Please note that the FortiCloud SSO login feature is not enabled in default factory settings. However, when an administrator registers the device to FortiCare from the device's GUI, FortiCloud SSO login is enabled upon registration unless the administrator disables the toggle switch "Allow administrative login using FortiCloud SSO" on the registration page.

To prevent being affected by this vulnerability on vulnerable versions, turn off the FortiCloud SSO login feature (if enabled) temporarily until upgrading to a non-affected version. To turn it off, go to System -> Settings and switch "Allow administrative login using FortiCloud SSO" to Off, or enter the following commands in the CLI:

    config system global
        set admin-forticloud-sso-login disable
    end

Revised on 2025-12-09 00:00:00
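Because the advisory above says the SSO toggle is off from the factory but silently switched on by FortiCare registration, the practical question for a fleet is which devices currently have it enabled. The following added example audits FortiOS configuration backups for the `admin-forticloud-sso-login` setting under `config system global` and prints the advisory's own CLI remediation for any device where it is enabled. It is not Fortinet code. It assumes a backup lists the setting explicitly when enabled and omits it at its default of disable (the advisory states the factory default is off); the two backup fragments are constructed, not from real devices.

```python
"""Flag FortiCloud SSO admin login in FortiOS configuration backups.

Added example; not Fortinet code. It inspects the setting the advisory says
to turn off, `admin-forticloud-sso-login` under `config system global`.
Assumption: a backup lists the setting explicitly when enabled and omits it
at its default of disable. The sample configs below are constructed.
"""
import re

# Constructed backup fragments, not from real devices.
REGISTERED_DEVICE = """\
config system global
    set admintimeout 30
    set admin-forticloud-sso-login enable
    set hostname "edge-fw-01"
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
end
"""

FACTORY_DEFAULT = """\
config system global
    set hostname "edge-fw-02"
end
"""

# `config system global ... end` block; non-greedy so it stops at the first `end`.
_BLOCK = re.compile(r"^config system global\n(.*?)^end\s*$", re.S | re.M)
_SETTING = re.compile(r"^\s*set admin-forticloud-sso-login\s+(\S+)", re.M)

# The CLI the advisory gives to turn the feature off.
REMEDIATION = (
    "config system global\n"
    "    set admin-forticloud-sso-login disable\n"
    "end"
)


def forticloud_sso_login_enabled(config_text: str) -> bool:
    """Return True when administrative FortiCloud SSO login is enabled.

    Only the `config system global` block is inspected. A missing setting is
    treated as the default (disable); a missing block is an error rather than
    a silent pass, so a truncated backup is not reported as clean.
    """
    block = _BLOCK.search(config_text)
    if block is None:
        raise ValueError("no 'config system global' block found")
    setting = _SETTING.search(block.group(1))
    if setting is None:
        return False   # absent: assumed default (disable)
    return setting.group(1).lower() == "enable"


def audit(name: str, config_text: str) -> str:
    """One finding per device, with the remediation CLI when it is needed."""
    if forticloud_sso_login_enabled(config_text):
        return f"{name}: FortiCloud SSO admin login ENABLED; apply:\n{REMEDIATION}"
    return f"{name}: FortiCloud SSO admin login disabled"


if __name__ == "__main__":
    for name, cfg in (("edge-fw-01", REGISTERED_DEVICE),
                      ("edge-fw-02", FACTORY_DEFAULT)):
        print(audit(name, cfg))
```

Run this over a directory of exported backups to get the list of devices to disable the toggle on until they are upgraded; a device whose backup lacks the global block altogether is reported as an error so it gets looked at by hand rather than counted as safe.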

CVSSv3 Score: 6.7

An OS command injection vulnerability [CWE-78] in the FortiExtender API may allow an authenticated attacker to execute unauthorized code or commands via a specific HTTP request.

Revised on 2025-12-09 00:00:00

CVSSv3 Score: 6.8

An improper neutralization of special elements used in an SQL command ('SQL injection') [CWE-89] in FortiVoice may allow an authenticated privileged attacker to execute unauthorized code or commands via crafted requests.

Revised on 2025-12-09 00:00:00

CVSSv3 Score: 6.9

An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in FortiSandbox GUI may allow an authenticated privileged attacker to execute unauthorized code or commands via crafted HTTP or HTTPS requests.

Revised on 2025-12-09 00:00:00

CVSSv3 Score: 7.0

An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] in FortiSandbox may allow an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests.

Revised on 2025-12-09 00:00:00

CVSSv3 Score: 7.7

Multiple Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerabilities [CWE-22] in FortiVoice may allow a privileged authenticated attacker to write arbitrary files via specifically crafted HTTP or HTTPS requests.

Revised on 2025-12-09 00:00:00

CVSSv3 Score: 2.6

An improper access control vulnerability [CWE-284] in FortiAuthenticator Web UI may allow an authenticated attacker with at least read-only admin permission to obtain the credentials of other administrators' messaging services via crafted requests.

Revised on 2025-12-09 00:00:00

CVSSv3 Score: 5.3

An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability [CWE-79] in FortiSandbox may allow an attacker to perform an XSS attack via crafted HTTP requests.

Revised on 2025-12-09 00:00:00

CVSSv3 Score: 5.9

CVE-2025-26466: A flaw was found in the OpenSSH package. For each ping packet the SSH server receives, a pong packet is allocated in a memory buffer and stored in a queue of packets that is only freed once the server/client key exchange has finished. A malicious client may keep sending such ping packets, leading to an uncontrolled increase in memory consumption on the server side. Consequently, the server may become unavailable, resulting in a denial of service.

Revised on 2025-11-24 00:00:00

CVSSv3 Score: 6.9

A stack-based overflow vulnerability [CWE-124] in FortiOS CAPWAP daemon may allow a remote unauthenticated attacker on an adjacent network to achieve arbitrary code execution via sending specially crafted packets. Note that in the default configuration, the attacker must be in control of an authorized FortiAP for the attack to succeed and have access to the same local IP subnet. Additionally, successful exploitation would require defeating stack protection and ASLR.

Revised on 2025-11-21 00:00:00

CVSSv3 Score: 6.9

A stack-based overflow vulnerability [CWE-124] in the FortiOS and FortiSwitchManager CAPWAP daemon may allow a remote authenticated attacker to execute arbitrary code or commands as a low-privileged user via specially crafted packets. Successful exploitation would require a large amount of preparatory effort because of stack protection and ASLR. Additionally, the attacker must be able to pose as an authorized FortiAP or FortiExtender.

Revised on 2025-11-21 00:00:00

CVSSv3 Score: 7.1

An Exposed IOCTL with Insufficient Access Control vulnerability [CWE-782] in FortiClient Windows may allow an authenticated local user to execute unauthorized code via fortips driver. Success of the attack would require bypassing the Windows memory protections such as Heap integrity and HSP. In addition, it requires a valid and running VPN IPSec connection.

Revised on 2025-11-18 00:00:00

CVSSv3 Score: 6.3

A buffer overflow vulnerability [CWE-120] in FortiExtender json_cli may allow an authenticated user to execute arbitrary code or commands via crafted CLI commands.

Revised on 2025-11-18 00:00:00

CVSSv3 Score: 7.1

A Heap-based Buffer Overflow vulnerability [CWE-122] in FortiClient Windows may allow an authenticated local IPSec user to execute arbitrary code or commands via "fortips_74.sys" driver. The attacker would need to bypass the Windows heap integrity protections.

Revised on 2025-11-18 00:00:00

CVSSv3 Score: 3.9

A CRLF Header Injection vulnerability [CWE-93] in the FortiMail user GUI may allow an attacker to inject headers into the response via convincing a user to click on a specifically crafted link.

Revised on 2025-11-18 00:00:00

CVSSv3 Score: 3.8

A Cleartext Storage of Sensitive Information in Memory vulnerability [CWE-316] in FortiPAM may allow an authenticated attacker with read-write admin privileges to the CLI to obtain other administrators' credentials via diagnose commands.

Revised on 2025-11-18 00:00:00

CVSSv3 Score: 5.2

An insufficiently protected credentials vulnerability [CWE-522] in FortiExtender may allow an authenticated user to obtain administrator credentials via debug log commands.

Revised on 2025-11-18 00:00:00

CVSSv3 Score: 5.0

An Improper Isolation or Compartmentalization vulnerability [CWE-653] in FortiSandbox may allow an unauthenticated attacker to evade the sandboxing scan via a crafted file.

Revised on 2025-11-18 00:00:00

CVSSv3 Score: 4.9

An active debug code vulnerability [CWE-489] in FortiClient Windows may allow a local attacker to step through the application in a debugger and retrieve the saved VPN user password.

Revised on 2025-11-18 00:00:00

CVSSv3 Score: 3.9

An Exposure of Sensitive Information to an Unauthorized Actor vulnerability [CWE-200] in FortiADC Logs may allow an admin with read-only permission to get the external resources password via the logs of the product.

Revised on 2025-11-18 00:00:00

CVSSv3 Score: 6.7

An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] in FortiWeb may allow an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests or CLI commands. Fortinet has observed this to be exploited in the wild. FortiAppSec Cloud is NOT impacted by this vulnerability.

Revised on 2025-11-18 00:00:00

CVSSv3 Score: 6.3

An Out-of-bounds Write vulnerability [CWE-787] in FortiADC may allow an authenticated attacker to execute arbitrary code via specially crafted HTTP requests.

Revised on 2025-11-18 00:00:00

CVSSv3 Score: 7.7

An improper neutralization of special elements used in an SQL Command ('SQL Injection') vulnerability [CWE-89] in FortiVoice may allow an authenticated attacker to execute unauthorized code or commands via specifically crafted HTTP or HTTPS requests.

Revised on 2025-11-18 00:00:00

CVSSv3 Score: 1.8

An Improper Privilege Management vulnerability [CWE-269] in FortiOS, FortiProxy and FortiPAM may allow an authenticated administrator to bypass the trusted host policy via crafted CLI command.

Revised on 2025-11-18 00:00:00

CVSSv3 Score: 4.8

A use of hard-coded credentials vulnerability [CWE-798] in the internal Redis services in FortiWeb may allow an authenticated attacker with shell access to the device to connect to any running Redis service and access its data.

Revised on 2025-11-18 00:00:00

CVSSv3 Score: 4.2

An Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability [CWE-80] in the FortiADC virtual server's default error page may allow an unauthenticated attacker to execute malicious code via a crafted URL.

Revised on 2025-11-18 00:00:00

CVSSv3 Score: 9.4

A relative path traversal vulnerability [CWE-23] in FortiWeb may allow an unauthenticated attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests. Fortinet has observed this to be exploited in the wild. FortiAppSec Cloud is NOT impacted by this vulnerability.

Revised on 2025-11-14 00:00:00

CVSSv3 Score: 4.0

A heap-based buffer overflow vulnerability [CWE-122] in FortiOS cw_stad daemon may allow an authenticated attacker to execute arbitrary code or commands via specifically crafted requests.

Revised on 2025-11-03 00:00:00

CVSSv3 Score: 2.1

An insufficiently protected credentials [CWE-522] vulnerability in FortiOS may allow a privileged authenticated attacker to retrieve LDAP credentials via modifying the LDAP server IP address in the FortiOS configuration to point to a malicious attacker-controlled server.

Revised on 2025-10-21 00:00:00

CVSSv3 Score: 8.0

A critical XML External Entity (XXE) vulnerability in Apache Tika's tika-parser-pdf-module, affecting Apache Tika 1.13 through 3.2.1 inclusive on all platforms, allows an attacker to carry out XML External Entity injection via a crafted XFA file inside a PDF. An attacker may be able to read sensitive data or trigger malicious requests to internal resources or third-party servers. Note that tika-parser-pdf-module is used as a dependency in several Tika packages, including at least tika-parsers-standard-modules, tika-parsers-standard-package, tika-app, tika-grpc and tika-server-standard. Users are recommended to upgrade to version 3.2.2, which fixes this issue.

Revised on 2025-10-14 00:00:00

CVSSv3 Score: 6.7

A Heap-based Buffer Overflow vulnerability [CWE-122] in the FortiOS, FortiPAM and FortiProxy RDP bookmark connection may allow an authenticated user to execute unauthorized code via crafted requests.

Revised on 2025-10-14 00:00:00

CVSSv3 Score: 5.5

An Improper Control of Generation of Code ('Code Injection') vulnerability [CWE-94] in FortiClientMac may allow an unauthenticated attacker to execute arbitrary code on the victim's host via tricking the user into visiting a malicious website.

Revised on 2025-10-14 00:00:00

CVSSv3 Score: 6.0

An Uncontrolled Search Path Element vulnerability [CWE-427] in FortiClient Windows may allow a local low-privileged user to perform a DLL hijacking attack via placing a malicious DLL in the FortiClient Online Installer installation folder.

Revised on 2025-10-14 00:00:00

CVSSv3 Score: 6.2

An exposure of sensitive information to an unauthorized actor vulnerability [CWE-200] in FortiADC may allow an authenticated attacker to obtain sensitive data via crafted HTTP or HTTPS requests.

Revised on 2025-10-14 00:00:00

CVSSv3 Score: 4.8

An Improperly Implemented Security Check for Standard vulnerability [CWE-358] in FortiOS and FortiProxy explicit web proxy may allow an unauthenticated proxy user to bypass the domain fronting protection feature via crafted HTTP requests.

Revised on 2025-10-14 00:00:00

CVSSv3 Score: 4.2

An Insertion of Sensitive Information into Log File vulnerability [CWE-532] in the FortiDLP Windows Agent installer may allow an authenticated attacker to pollute the agent pool via re-using the enrollment code.

Revised on 2025-10-14 00:00:00

CVSSv3 Score: 5.0

An improper check or handling of exceptional conditions vulnerability [CWE-703] in FortiOS, FortiProxy, FortiPAM & FortiSwitchManager fgfm daemon may allow an unauthenticated attacker to repeatedly reset the fgfm connection via crafted SSL encrypted TCP requests.

Revised on 2025-10-14 00:00:00

CVSSv3 Score: 6.5

A heap-based buffer overflow vulnerability [CWE-122] in FortiOS, FortiManager, FortiAnalyzer, FortiManager Cloud, FortiAnalyzer Cloud, FortiProxy fgfmd daemon may allow an authenticated attacker to execute arbitrary code or commands via specifically crafted requests.

Revised on 2025-10-14 00:00:00

CVSSv3 Score: 5.7

A heap-based buffer overflow vulnerability [CWE-122] in the FortiOS, FortiProxy, FortiPAM, FortiSRA and FortiSwitchManager nodejs daemon may allow an authenticated attacker to execute arbitrary code or commands via specifically crafted requests.

Revised on 2025-10-14 00:00:00

CVSSv3 Score: 4.2

An improper authorization vulnerability [CWE-285] in FortiOS & FortiProxy may allow an authenticated attacker to access static files of other VDOMs via crafted HTTP or HTTPS requests.

Revised on 2025-10-14 00:00:00

CVSSv3 Score: 7.0

An insufficient session expiration vulnerability [CWE-613] and an incorrect authorization vulnerability [CWE-863] in the FortiIsolator authentication mechanism may allow a remote unauthenticated attacker to deauthenticate logged-in admins via a crafted cookie, and a remote authenticated read-only attacker to gain write privilege via a crafted cookie.

Revised on 2025-10-14 00:00:00
