The following is a list of advisories for issues resolved in Fortinet products. The resolution of such issues is coordinated by the Fortinet Product Security Incident Response Team (PSIRT), a dedicated, global team that manages the receipt, investigation, and public reporting of information about security vulnerabilities and issues related to Fortinet products and services.
CVSSv3 Score: 7.8
CVE-2026-31431In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place This mostly reverts commit 72548b093ee3 except for the copying of the associated data. There is no benefit in operating in-place in algif_aead since the source and destination come from different mappings. Get rid of all the complexity added for in-place operation and just copy the AD directly.
Revised on 2026-05-13 00:00:00
CVSSv3 Score: 4.0
An Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability [CWE-88] in FortiDeceptor WEB UI may allow an authenticated attacker with at least read-only admin permission to read log files via HTTP crafted requests.
Revised on 2026-05-12 00:00:00
CVSSv3 Score: 6.1
An improper neutralization of special elements used in an OS command ("OS Command Injection") vulnerability [CWE-78] in FortiAP, FortiAP-U & FortiAP-W2 CLI may allow an authenticated privileged attacker to execute unauthorized code or commands via crafted CLI requests.
Revised on 2026-05-12 00:00:00
CVSSv3 Score: 5.2
A use of potentially Dangerous Function vulnerability [CWE-676] in FortiAnalyzer and FortiManager API may allow an authenticated attacker to cause a system hang via multiple specially crafted HTTP requests causing crashes. This happens if internal locks are aligned, which is out of control of the attacker.
Revised on 2026-05-12 00:00:00
CVSSv3 Score: 2.1
A Missing Authorization [CWE-862] in FortiClient Windows may allow an authenticated local attacker to decrypt a currently logged in users VPN password via use of an unprotected DLL function.
Revised on 2026-05-12 00:00:00
CVSSv3 Score: 9.1
An Improper Access Control vulnerability [CWE-284] in FortiAuthenticator may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.
Revised on 2026-05-12 00:00:00
CVSSv3 Score: 9.1
A missing authorization vulnerability [CWE-862] in FortiSandbox, FortiSandbox Cloud and FortiSandbox PaaS WEB UI may allow an unauthenticated attacker to execute unauthorized code or commands via HTTP requests.
Revised on 2026-05-12 00:00:00
CVSSv3 Score: 6.5
An OS command injection vulnerabtility [CWE-78] in FortiAP and FortiAP-W2 cli may allow an authenticated attacker to execute unauthorized code or commands via a specifically crafted cli command.
Revised on 2026-05-12 00:00:00
CVSSv3 Score: 5.0
An improper export of Android application components [CWE-926] in FortiTokenAndroid may allow other applications on the device to read the OTP code via an exported Content Provider URI.
Revised on 2026-05-12 00:00:00
CVSSv3 Score: 8.3
An Out-Of-Bounds Write vulnerability [CWE-787] in FortiOS capwap daemon may allow an attacker controlling an authenticated FortiAP FortiExtender or FortiSwitch to gain execution privileges on the FortiGate device
Revised on 2026-05-12 00:00:00
CVSSv3 Score: 6.3
An improper neutralization of special elements used in an SQL Command ('SQL Injection') vulnerability [CWE-89] in FortiMail may allow an authenticated privileged attacker to execute unauthorized code or commands via specifically crafted HTTP or HTTPS requests.
Revised on 2026-05-12 00:00:00
CVSSv3 Score: 5.1
An improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability [CWE-89] in FortiNDR may allow an authenticated attacker to execute arbitrary SQL commands on selected databases and tables via specifically crafted HTTP requests.
Revised on 2026-05-12 00:00:00
CVSSv3 Score: 6.7
An out-of-bounds write vulnerability [CWE-787] in FortiWeb CGI daemon may allow a remote privileged attacker to execute arbitrary code or command via crafted HTTP requests.
Revised on 2026-04-15 00:00:00
CVSSv3 Score: 6.7
An Improper authentication vulnerability [CWE-287] in FortiSOAR web GUI may allow an unauthenticated attacker to bypass authentication via replaying captured 2FA request. The attack requires being able to intercept and decrypt authentication traffic and precise timing to replay the request before token expiration.
Revised on 2026-04-14 00:00:00
CVSSv3 Score: 6.2
An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability [CWE-22] in FortiSandbox, FortiSandbox Cloud, FortiSandbox PaaS and FortiSandbox Cloud WEB UI may allow a privileged attacker with super-admin profile and CLI access to delete an arbitrary directory via HTTP crafted requests.
Revised on 2026-04-14 00:00:00
On March 31, 2026, the Axios npm package was compromised via a maintainer account takeover. Two malicious versions were published - axios@1.14.1 and axios@0.30.4 - which introduced a hidden dependency (plain-crypto-js@4.2.1) able to execute a post‑install script deploying a cross‑platform Remote Access Trojan (RAT) on Windows, macOS, and Linux systems.
Revised on 2026-04-14 00:00:00
CVSSv3 Score: 4.1
A Storing Passwords in a Recoverable Format vulnerability [CWE-257] in FortiSOAR may allow an authenticated remote attacker to retrieve Service account password via server address modification in LDAP configuration.
Revised on 2026-04-14 00:00:00
CVSSv3 Score: 4.1
A Storing Passwords in a Recoverable Format vulnerability [CWE-257] in FortiSOAR may allow an authenticated remote attacker to retrieve passwords for multiple installed connectors via server address modification in connector configuration.
Revised on 2026-04-14 00:00:00
CVSSv3 Score: 6.2
A Cleartext Transmission of Sensitive Information vulnerability [CWE-319] in FortiSOAR may allow an authenticated attacker to view cleartext password in response for Secure Message Exchange and Radius queries, if configured
Revised on 2026-04-14 00:00:00
CVSSv3 Score: 2.5
An Insufficiently protected credentials vulnerability [CWE-522] in FortiSanbox and FortiSanbox PaaS GUI may allow an authenticated administrator to read LDAP server credentials via client-side inspection.
Revised on 2026-04-14 00:00:00
CVSSv3 Score: 5.2
A use of hard-coded cryptographic key vulnerability [CWE 321] in FortiClientEMS may allow an attacker in possession of an encrypted dump of the database to decrypt it.
Revised on 2026-04-14 00:00:00
CVSSv3 Score: 7.3
A heap-based buffer overflow vulnerability [CWE-122] in FortiAnalyzer Cloud oftpd daemon may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests. Successful exploitation would require a large amount of effort in preparation because of ASLR and network segmentation
Revised on 2026-04-14 00:00:00
CVSSv3 Score: 4.4
An Integer Overflow or Wraparound vulnerability [CWE-190] in FortiWeb may allow a privileged authenticated attacker to perform a denial of service of the system via crafted HTTP requests.
Revised on 2026-04-14 00:00:00
CVSSv3 Score: 6.2
A missing authentication for critical function vulnerability [CWE-306] in FortiOS and FortiSwitchManager CAPWAP daemon may allow a local unauthenticated attacker on the same local IP subnet to write device configuration via specially crafted requests. To be successful, this attack requires the targeted FortiGate device to run a specific, non default configuration.
Revised on 2026-04-14 00:00:00
CVSSv3 Score: 6.2
Multiple Relative Path Traversal vulnerabilities [CWE-23] in FortiWeb may allow a local privileged attacker to execute unauthorized code on the underlying system via crafted CLI commands.
Revised on 2026-04-14 00:00:00
CVSSv3 Score: 7.1
An Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability [CWE-89] in FortiClientEMS may allow an authenticated attacker to run arbitrary SQL queries on the database via sending crafted requests.
Revised on 2026-04-14 00:00:00
CVSSv3 Score: 4.3
An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability [CWE-79] in FortiSandbox and FortiSandbox Cloud may allow a privileged attacker to perform a stored XSS attack via crafted HTTP requests.
Revised on 2026-04-14 00:00:00
CVSSv3 Score: 9.1
An Improper Neutralization of Special Elements used in an OS Command ('OS command injection') vulnerability [CWE-78] in FortiSandbox may allow an unauthenticated attacker to execute unauthorized code or commands via crafted HTTP requests.
Revised on 2026-04-14 00:00:00
CVSSv3 Score: 2.2
An URL Redirection to Untrusted Site ('Open Redirect') vulnerability [CWE-601] in FortiNAC-F may allow a remote privileged attacker with system administrator role to redirect users to an arbitrary website via crafted CSV file.
Revised on 2026-04-14 00:00:00
CVSSv3 Score: 5.4
An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') [CWE-22] in the command line interpreter of FortiOS, FortiPAM, FortiProxy and FortiSwitchManager may allow a privileged attacker to achieve arbitrary write or delete files via specifically crafted arguments to existing commands.
Revised on 2026-04-14 00:00:00
CVSSv3 Score: 5.4
An improper limitation of a pathname to a restricted directory ('path traversal') vulnerability in FortiAnalyzer, FortiAnalyzer Cloud, FortiManager and FortiManager Cloud may allow a privileged attacker to delete files from the underlying filesystem via crafted CLI requests.
Revised on 2026-04-14 00:00:00
CVSSv3 Score: 6.2
An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability [CWE-22] in FortiSOAR may allow an authenticated remote attacker to perform path traversal attack via File Content Extraction actions.
Revised on 2026-04-14 00:00:00
CVSSv3 Score: 4.9
An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability [CWE-79] in FortiSandbox and FortiSandbox Cloud may allow an attacker to perform an XSS attack via crafted HTTP requests.
Revised on 2026-04-14 00:00:00
CVSSv3 Score: 7.9
An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] in FortiDDoS-F may allow an authenticated attacker to run arbitrary SQL queries on the database by sending crafted HTTP requests.
Revised on 2026-04-14 00:00:00
CVSSv3 Score: 6.8
An improper neutralization of special elements used in an SQL command ('SQL injection') [CWE-89] in FortiAnalyzer, FortiAnalyzer Cloud, FortiManager and FortiManager Cloud may allow an authenticated privileged attacker to execute unauthorized code or commands via crafted requests.
Revised on 2026-04-14 00:00:00
CVSSv3 Score: 4.1
A Server-Side request forgery (SSRF) vulnerability [CWE-918] in FortiSOAR may allow an authenticated attacker to discover services running on local ports via crafted requests.
Revised on 2026-04-14 00:00:00
CVSSv3 Score: 4.4
An Improper neutralization of input during web page generation ('cross-site scripting') vulnerability [CWE-79] in FortiSOAR may allow an authenticated remote attacker to perform a stored cross site scripting (XSS) attack via crafted HTTP Requests.
Revised on 2026-04-14 00:00:00
CVSSv3 Score: 9.1
A Path Traversal vulnerability [CWE-24] in FortiSandbox JRPC API may allow an unauthenticated attacker to bypass authentication via specially crafted HTTP requests.
Revised on 2026-04-14 00:00:00
CVSSv3 Score: 5.4
An exposure of sensitive information to an unauthorized actor vulnerability [CWE-200] in FortiNDR and FortiVoice may allow a remote authenticated attacker with at least read-only permission on system maintenance to access backup information via crafted HTTP requests.
Revised on 2026-04-14 00:00:00
CVSSv3 Score: 9.1
An Improper Access Control vulnerability [CWE-284] in FortiClient EMS may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.Fortinet has observed this to be exploited in the wild and urges vulnerable customers to install the hotfix for FortiClient EMS 7.4.5 and 7.4.6, by following the instructions at:https://docs.fortinet.com/document/forticlient/7.4.5/ems-release-notes/832484 - for FortiClientEMS 7.4.5https://docs.fortinet.com/document/forticlient/7.4.6/ems-release-notes/832484 - for FortiClientEMS 7.4.6Upcoming FortiClientEMS 7.4.7 will also include a fix for this issue. In the meantime the hotfix above is sufficient to prevent it entirely.
Revised on 2026-04-04 00:00:00
CVSSv3 Score: 6.7
An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] in FortiSandbox Cloud and FortiSandbox PaaS WEB UI may allow a privileged attacker with super-admin profile and CLI access to execute unauthorized code or commands via crafted HTTP requests.
Revised on 2026-03-26 00:00:00
CVSSv3 Score: 9.8
CVE-2025-15467Parsing CMS AuthEnvelopedData message with maliciously crafted AEAD parameters can trigger a stack buffer overflow. A stack buffer overflow may lead to a crash, causing Denial of Service, or potentially remote code execution. When parsing CMS AuthEnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs. Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME AuthEnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk.The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary.OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue.OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.
Revised on 2026-03-13 00:00:00
CVSSv3 Score: 5.3
An Exposure of Sensitive Information to an Unauthorized Actor vulnerability [CWE-200] in FortiOS SSL-VPN may allow a remote unauthenticated attacker to bypass the patch developed for the symbolic link persistency mechanism observed in some post-exploit cases, via crafted HTTP requests. An attacker would need first to have compromised the product via another vulnerability, at filesystem level.
Revised on 2026-03-12 00:00:00
CVSSv3 Score: 6.0
An Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability [CWE-88] in FortiDeceptor WEBUI may allow a privileged attacker with super-admin profile and CLI access to delete sensitive files via crafted HTTP requests.
Revised on 2026-03-10 00:00:00
CVSSv3 Score: 3.4
An improper restriction of excessive authentication attempts vulnerability [CWE-307] in FortiManager and FortiAnalyzer may allow an attacker to bypass bruteforce protections via exploitation of race conditions.
Revised on 2026-03-10 00:00:00
CVSSv3 Score: 7.3
An Improper Control of Interaction Frequency vulnerability [CWE-799] in FortiWeb may allow a remote unauthenticated attacker to bypass the authentication rate-limit via crafted requests. The success of the attack depends on the attacker's resources and the password target complexity.
Revised on 2026-03-10 00:00:00
CVSSv3 Score: 7.7
A Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability [CWE-120] in FortiSwitchAXFixed may allow an unauthenticated attacker within the same adjacent network to execute unauthorized code or commands on the device via sending a crafted LLDP packet.
Revised on 2026-03-10 00:00:00
CVSSv3 Score: 7.0
A Stack-based Buffer Overflow vulnerability [CWE-121] in FortiManager fgtupdates service may allow a remote unauthenticated attacker to execute unauthorized commands via crafted requests, if the service is enabled. The success of the attack depends on the ability to bypass the stack protection mechanisms.
Revised on 2026-03-10 00:00:00
CVSSv3 Score: 6.5
A use of externally-controlled format string vulnerability [CWE-134] in FortiAnalyzer, FortiAnalyzer Cloud, FortiManager and FortiManager Cloud fazsvcd daemon may allow a remote privileged attacker with admin profile to execute arbitrary code or commands via specially crafted requests.
Revised on 2026-03-10 00:00:00
CVSSv3 Score: 3.8
A Cleartext Storage of Sensitive Information vulnerability [CWE-312] in FortiMail, FortiVoice and FortiRecorder debug logs may allow an authenticated malicious administrator to obtain user's secrets via CLI commands.
Revised on 2026-03-10 00:00:00