
FortiGuard Labs | FortiGuard Center - IR Advisories

The following is a list of advisories for issues resolved in Fortinet products. The resolution of such issues is coordinated by the Fortinet Product Security Incident Response Team (PSIRT), a dedicated, global team that manages the receipt, investigation, and public reporting of information about security vulnerabilities and issues related to Fortinet products and services.

CVSSv3 Score: 9.1

A relative path traversal vulnerability [CWE-23] in FortiWeb may allow an unauthenticated attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests. Fortinet has observed this to be exploited in the wild.

Revised on 2025-11-14 00:00:00

CVSSv3 Score: 4.0

A heap-based buffer overflow vulnerability [CWE-122] in FortiOS cw_stad daemon may allow an authenticated attacker to execute arbitrary code or commands via specifically crafted requests.

Revised on 2025-11-03 00:00:00

CVSSv3 Score: 8.0

Critical XXE in Apache Tika (tika-parser-pdf-module) in Apache Tika 1.13 through and including 3.2.1 on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. An attacker may be able to read sensitive data or trigger malicious requests to internal resources or third-party servers. Note that the tika-parser-pdf-module is used as a dependency in several Tika packages including at least: tika-parsers-standard-modules, tika-parsers-standard-package, tika-app, tika-grpc and tika-server-standard. Users are recommended to upgrade to version 3.2.2, which fixes this issue.

Revised on 2025-10-14 00:00:00

CVSSv3 Score: 6.7

A heap-based buffer overflow vulnerability [CWE-122] in FortiOS, FortiPAM and FortiProxy RDP bookmark connection may allow an authenticated user to execute unauthorized code via crafted requests.

Revised on 2025-10-14 00:00:00

CVSSv3 Score: 5.5

An Improper Control of Generation of Code ('Code Injection') vulnerability [CWE-94] in FortiClientMac may allow an unauthenticated attacker to execute arbitrary code on the victim's host via tricking the user into visiting a malicious website.

Revised on 2025-10-14 00:00:00

CVSSv3 Score: 6.0

An Uncontrolled Search Path Element vulnerability [CWE-427] in FortiClient Windows may allow a local low-privileged user to perform a DLL hijacking attack via placing a malicious DLL in the FortiClient Online Installer installation folder.

Revised on 2025-10-14 00:00:00

CVSSv3 Score: 6.2

An exposure of sensitive information to an unauthorized actor vulnerability [CWE-200] in FortiADC may allow an authenticated attacker to obtain sensitive data via crafted HTTP or HTTPS requests.

Revised on 2025-10-14 00:00:00

CVSSv3 Score: 3.9

An Improperly Implemented Security Check for Standard vulnerability [CWE-358] in FortiOS and FortiProxy explicit web proxy may allow an authenticated proxy user to bypass the domain fronting protection feature via crafted HTTP requests.

Revised on 2025-10-14 00:00:00

CVSSv3 Score: 4.2

An Insertion of Sensitive Information into Log File [CWE-532] vulnerability in FortiDLP Windows Agent installer may allow an authenticated attacker to pollute the agent pool via re-using the enrollment code.

Revised on 2025-10-14 00:00:00

CVSSv3 Score: 5.0

An improper check or handling of exceptional conditions vulnerability [CWE-703] in FortiOS, FortiProxy, FortiPAM & FortiSwitchManager fgfm daemon may allow an unauthenticated attacker to repeatedly reset the fgfm connection via crafted SSL encrypted TCP requests.

Revised on 2025-10-14 00:00:00

CVSSv3 Score: 6.5

A heap-based buffer overflow vulnerability [CWE-122] in FortiOS, FortiManager, FortiAnalyzer, FortiManager Cloud, FortiAnalyzer Cloud, FortiProxy fgfmd daemon may allow an authenticated attacker to execute arbitrary code or commands via specifically crafted requests.

Revised on 2025-10-14 00:00:00

CVSSv3 Score: 5.7

A heap-based buffer overflow vulnerability [CWE-122] in FortiOS, FortiProxy, FortiPAM, FortiSRA and FortiSwitchManager nodejs daemon may allow an authenticated attacker to execute arbitrary code or commands via specifically crafted requests.

Revised on 2025-10-14 00:00:00

CVSSv3 Score: 4.2

An improper authorization vulnerability [CWE-285] in FortiOS & FortiProxy may allow an authenticated attacker to access static files of other VDOMs via crafted HTTP or HTTPS requests.

Revised on 2025-10-14 00:00:00

CVSSv3 Score: 7.0

An insufficient session expiration vulnerability [CWE-613] and an incorrect authorization vulnerability [CWE-863] in the FortiIsolator authentication mechanism may allow a remote unauthenticated attacker to deauthenticate logged in admins via a crafted cookie and a remote authenticated read-only attacker to gain write privilege via a crafted cookie.

Revised on 2025-10-14 00:00:00

CVSSv3 Score: 2.6

An Insertion of Sensitive Information into Log File vulnerability [CWE-532] in FortiOS may allow an attacker with at least read-only privileges to retrieve sensitive 2FA-related information via observing logs or via the diagnose command.

Revised on 2025-10-14 00:00:00

CVSSv3 Score: 4.2

An Insertion of Sensitive Information Into Sent Data vulnerability in FortiManager, FortiMail, FortiNDR, FortiOS, FortiPAM, FortiProxy, FortiRecorder, FortiTester, FortiVoice, FortiWeb csfd daemon may allow a remote authenticated attacker to read small and non-arbitrary parts of memory.

Revised on 2025-10-14 00:00:00

CVSSv3 Score: 4.3

An Insufficient Session Expiration vulnerability [CWE-613] in FortiOS SSL VPN may allow a remote attacker (e.g. a former admin whose account was removed and whose session was terminated) in possession of the SAML record of a user session to access or re-open that session via re-use of SAML record.

Revised on 2025-10-14 00:00:00

CVSSv3 Score: 7.0

An Incorrect Permission Assignment for Critical Resource vulnerability [CWE-732] in FortiClientMac may allow a local attacker to run arbitrary code or commands via LaunchDaemon hijacking.

Revised on 2025-10-14 00:00:00

CVSSv3 Score: 6.2

An improper authentication vulnerability [CWE-287] in FortiAnalyzer may allow an unauthenticated attacker to obtain information pertaining to the device's health and status, or cause a denial of service via crafted OFTP requests.

Revised on 2025-10-14 00:00:00

CVSSv3 Score: 6.8

An Improper Verification of Cryptographic Signature vulnerability [CWE-347] in FortiClient macOS installer may allow a local user to escalate their privileges via FortiClient-related executables.

Revised on 2025-10-14 00:00:00

CVSSv3 Score: 2.5

An Unchecked Return Value vulnerability [CWE-252] in FortiOS API may allow an authenticated user to cause a Null Pointer Dereference, crashing the http daemon via a specially crafted request.

Revised on 2025-10-14 00:00:00

CVSSv3 Score: 4.5

Improper Neutralization of Input During Web Page Generation and URL Redirection to Untrusted Site vulnerabilities [CWE-79, CWE-601] in FortiOS, FortiProxy and FortiSASE may allow an unauthenticated attacker to perform a reflected cross-site scripting (XSS) or an open redirect attack via crafted HTTP requests.

Revised on 2025-10-14 00:00:00

CVSSv3 Score: 7.2

An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability [CWE-22] in FortiDLP Agent's Outlookproxy plugin for Windows and macOS may allow an authenticated attacker to escalate their privileges to LocalService or root via sending a crafted request to a local listening port.

Revised on 2025-10-14 00:00:00

CVSSv3 Score: 5.1

An Exposure of Private Personal Information ('Privacy Violation') vulnerability [CWE-359] in FortiDLP may allow an authenticated Windows administrator to collect the current user's email information.

Revised on 2025-10-14 00:00:00

CVSSv3 Score: 6.6

An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] in FortiSOAR may allow an attacker who has already obtained a non-login low privileged shell access to perform a local privilege escalation via crafted commands.

Revised on 2025-10-14 00:00:00

CVSSv3 Score: 5.3

A concurrent execution using shared resource with improper synchronization ('Race Condition') vulnerability [CWE-362] in FortiAnalyzer may allow an attacker to attempt to win a race condition to bypass the FortiCloud SSO authorization via crafted FortiCloud SSO requests.

Revised on 2025-10-14 00:00:00

CVSSv3 Score: 7.8

An Incorrect Provision of Specified Functionality vulnerability [CWE-684] in FortiOS may allow a local authenticated attacker to execute system commands via crafted CLI commands.

Revised on 2025-10-14 00:00:00

CVSSv3 Score: 6.3

A stack-based buffer overflow vulnerability [CWE-121] in FortiOS and FortiProxy may allow an authenticated attacker to achieve arbitrary code execution via certain CLI commands.

Revised on 2025-10-14 00:00:00

CVSSv3 Score: 6.1

An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiSIEM may allow an authenticated attacker to perform a stored cross-site scripting (XSS) attack via crafted HTTP requests.

Revised on 2025-10-14 00:00:00

CVSSv3 Score: 7.4

A Weak Authentication vulnerability [CWE-1390] in FortiPAM and FortiSwitch Manager WAD/GUI may allow an attacker to bypass the authentication process via a brute-force attack.

Revised on 2025-10-14 00:00:00

CVSSv3 Score: 6.8

An Improper Validation of Certificate with Host Mismatch vulnerability [CWE-297] in FortiOS and FortiProxy ZTNA proxy may allow an unauthenticated attacker in a man-in-the-middle position to intercept and tamper with connections to the ZTNA proxy.

Revised on 2025-10-14 00:00:00

CVSSv3 Score: 6.3

An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] in FortiOS and FortiProxy may allow an authenticated attacker to elevate their privileges via triggering a malicious Webhook action in the Automation Stitch component.

Revised on 2025-09-15 00:00:00

CVSSv3 Score: 6.5

An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in FortiDDoS-F CLI may allow a privileged attacker to execute unauthorized code or commands via crafted CLI requests.

Revised on 2025-09-09 00:00:00

CVSSv3 Score: 4.7

A Relative Path Traversal vulnerability [CWE-23] in FortiWeb may allow an authenticated attacker to perform an arbitrary file read on the underlying system via crafted requests.

Revised on 2025-09-09 00:00:00

CVSSv3 Score: 5.2

An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability [CWE-22] in FortiManager & FortiManager Cloud may allow an authenticated remote attacker to overwrite arbitrary files via FGFM crafted requests.

Revised on 2025-08-13 00:00:00

CVSSv3 Score: 4.2

Multiple relative path traversal vulnerabilities [CWE-23] in FortiMail, FortiVoice, FortiRecorder, FortiCamera & FortiNDR may allow a privileged attacker to read files from the underlying filesystem via crafted CLI requests.

Revised on 2025-08-13 00:00:00

CVSSv3 Score: 7.7

An improper handling of parameters [CWE-233] vulnerability in FortiWeb may allow an unauthenticated remote attacker in possession of non-public information (pertaining to both the device and to the targeted user) to log in as any existing user on the device via a specially crafted request.

Revised on 2025-08-12 00:00:00

CVSSv3 Score: 6.7

An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in FortiWeb may allow an authenticated privileged attacker to execute unauthorized code or commands via crafted CLI commands.

Revised on 2025-08-12 00:00:00

CVSSv3 Score: 6.5

An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in FortiWeb CLI may allow a privileged attacker to execute arbitrary code or commands via crafted CLI commands.

Revised on 2025-08-12 00:00:00

CVSSv3 Score: 6.3

A double free vulnerability [CWE-415] in FortiOS, FortiProxy & FortiPAM administrative interfaces may allow a privileged attacker to execute code or commands via crafted HTTP or HTTPS requests.

Revised on 2025-08-12 00:00:00

CVSSv3 Score: 6.8

An incorrect privilege assignment vulnerability [CWE-266] in FortiOS Security Fabric may allow a remote authenticated attacker with high privileges to escalate their privileges to super-admin via registering the device to a malicious FortiManager.

Revised on 2025-08-12 00:00:00

CVSSv3 Score: 4.8

An Integer Overflow or Wraparound vulnerability [CWE-190] in FortiOS, FortiPAM and FortiProxy SSL-VPN RDP and VNC bookmarks may allow an authenticated user to affect the device SSL-VPN availability via crafted requests.

Revised on 2025-08-12 00:00:00

CVSSv3 Score: 6.6

An improper neutralization of special elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] in FortiADC may allow a remote and authenticated attacker with low privilege to execute unauthorized code via specifically crafted HTTP parameters.

Revised on 2025-08-12 00:00:00

CVSSv3 Score: 6.4

A relative path traversal vulnerability [CWE-23] in FortiSOAR may allow an authenticated attacker to read arbitrary files via uploading a malicious solution pack.

Revised on 2025-08-12 00:00:00

CVSSv3 Score: 9.8

An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in FortiSIEM may allow an unauthenticated attacker to execute unauthorized code or commands via crafted CLI requests. Practical exploit code for this vulnerability was found in the wild.

Revised on 2025-08-12 00:00:00

CVSSv3 Score: 6.3

A stack-based buffer overflow vulnerability [CWE-121] in FortiWeb CLI may allow a privileged attacker to execute arbitrary code or commands via crafted CLI commands.

Revised on 2025-08-12 00:00:00

CVSSv3 Score: 7.9

An authentication bypass using an alternate path or channel [CWE-288] vulnerability in FortiOS, FortiProxy & FortiPAM may allow an unauthenticated attacker to seize control of a managed device via crafted FGFM requests, if the device is managed by a FortiManager, and if the attacker knows that FortiManager's serial number.

Revised on 2025-08-12 00:00:00

CVSSv3 Score: 6.2

An improper neutralization of input during web page generation ('cross-site scripting') vulnerability [CWE-79] in FortiSOAR web UI may allow an authenticated remote attacker to perform an XSS attack via stored malicious service requests.

Revised on 2025-08-12 00:00:00

CVSSv3 Score: 5.9

CVE-2025-26466: A flaw was found in the OpenSSH package. For each ping packet the SSH server receives, a pong packet is allocated in a memory buffer and stored in a queue of packets. It is only freed when the server/client key exchange has finished. A malicious client may keep sending such packets, leading to an uncontrolled increase in memory consumption on the server side. Consequently, the server may become unavailable, resulting in a denial of service attack.

Revised on 2025-07-30 00:00:00

CVSSv3 Score: 9.6

An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] in FortiWeb may allow an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPS requests. Fortinet has observed this to be exploited in the wild on FortiWeb.

Revised on 2025-07-18 00:00:00
