Mallory

Fortinet patches multiple vulnerabilities including FortiManager fgtupdates stack overflow enabling remote command execution

Tags: widely-deployed-product-advisory, perimeter-device-exposure, embedded-device-vulnerability
Updated April 14, 2026 at 07:01 PM · 4 sources

Fortinet issued a broad security update addressing 11 vulnerabilities across products including FortiManager, FortiAnalyzer, FortiSwitch, and FortiSandbox, spanning issues such as authentication weaknesses, buffer overflows, OS command injection, and SQL injection. The most operationally significant items include vulnerabilities that could enable remote command execution or privilege escalation in unpatched enterprise environments; one highlighted flaw is a stack-based buffer overflow in FortiManager’s fgtupdates service (CVE-2025-54820, Fortinet advisory FG-IR-26-098), which can be triggered via crafted requests when the service is enabled.

Separate vendor advisories published around the same time cover unrelated products and should not be conflated with Fortinet’s update. HPE Aruba patched AOS-CX switch OS issues, including a critical authentication bypass (CVE-2026-23813) that can allow unauthenticated attackers to reset admin passwords via the web management interface. F5 published “not affected” notices for an Apache Solr input-validation issue in the “create core” API (CVE-2026-22444), which can lead to unauthorized filesystem path reads (and potential NTLM hash disclosure on Windows with UNC paths), and for an Intel 800 Series Ethernet Linux driver input-validation flaw (CVE-2025-24325) that may allow local privilege escalation on certain F5 appliance lines.

Timeline

  1. Apr 14, 2026

    Fortinet expands April advisory set to 11 flaws across more product lines

    On 2026-04-14, Fortinet disclosed a broader set of 11 vulnerabilities affecting FortiSandbox, FortiAnalyzer, FortiManager, FortiOS, FortiProxy, FortiPAM, and FortiSwitchManager. The update highlighted critical unauthenticated FortiSandbox flaws, a high-severity cloud heap overflow, and additional medium- and low-severity issues such as missing authentication, credential exposure, XSS, path traversal, and SQL injection.

  2. Apr 14, 2026

    Fortinet issues April 2026 advisories for FortiSandbox and cloud products

    On 2026-04-14, Fortinet published security advisories for multiple products including FortiSandbox, FortiAnalyzer Cloud, FortiManager Cloud, and FortiDDoS-F. The advisories addressed issues including OS command injection, unauthenticated authentication bypass and privilege escalation, a heap-based buffer overflow in the oftpd daemon, and SQL injection, and users were urged to apply updates.

  3. Mar 10, 2026

    Fortinet releases broader March 2026 advisory covering 11 vulnerabilities

    Also on March 10, 2026, Fortinet issued a broader security update covering eleven vulnerabilities across FortiManager, FortiAnalyzer, FortiSwitchAXFixed, and FortiSandbox/FortiSandbox Cloud. The advisory highlighted urgent high-severity flaws including buffer overflows with potential remote code execution risk, alongside authentication bypass, MFA bypass, TLS validation, privilege escalation, SQL injection, format string, and stored XSS issues.

  4. Mar 10, 2026

    Fortinet discloses FortiManager fgtupdates buffer overflow flaw

    On March 10, 2026, Fortinet published advisory FG-IR-26-098 for CVE-2025-54820, a high-severity stack-based buffer overflow in the FortiManager fgtupdates service that could let remote unauthenticated attackers execute unauthorized commands under certain conditions. Fortinet said affected on-prem versions include 7.4.0–7.4.2, 7.2.0–7.2.10, and all 6.4 releases, while FortiManager 7.6 and FortiManager Cloud are not affected.


Related Entities

Vulnerabilities

- CVE-2026-27316
- Arbitrary Directory Deletion in FortiSandbox vmimages delete Feature (CVE-2026-25691)
- Reflected XSS in FortiSandbox Operation Center (CVE-2025-61886)
- CVE-2025-53847
- CVE-2025-68649
- Path Traversal in Fortinet CLI Components (CVE-2025-61624)
- Stored XSS in FortiSandbox and FortiSandbox PaaS (CVE-2026-39812)
- CVE-2025-61848
- Heap-based Buffer Overflow in Fortinet FortiAnalyzer Cloud/FortiManager Cloud oftpd (CVE-2026-22828)
- Authentication Bypass and Privilege Escalation in Fortinet FortiSandbox JRPC API (CVE-2026-39813)
- Unauthenticated OS Command Injection in Fortinet FortiSandbox API (CVE-2026-39808)
- Stack-based Buffer Overflow in FortiManager fgtupdates Service (CVE-2025-54820)
- SQL Injection in Fortinet FortiAnalyzer JSON-RPC API (CVE-2025-49784)
- Buffer Overflow in Fortinet FortiSwitchAXFixed LLDP Packet Processing (CVE-2026-22627)
- Improper TLS Certificate Validation in FortiAnalyzer and FortiManager SSO (CVE-2025-68482)
- Privilege Escalation via Hidden CLI Command in FortiManager and FortiAnalyzer (CVE-2025-48418)
- Stored XSS in Fortinet FortiSandbox LDAP server option (CVE-2025-53608)
- OS Command Injection in Fortinet FortiSandbox Cloud vmimages Update Feature (CVE-2026-25836)
- Authentication Lockout Bypass via Race Condition in FortiAnalyzer and FortiManager (CVE-2026-22629)
- Improper Access Control in Fortinet FortiSwitchAXFixed SSH Config Handling (CVE-2026-22628)
- Format String Privilege Escalation in FortiAnalyzer/FortiManager fazsvcd API (CVE-2025-68648)
- MFA Bypass in FortiAnalyzer and FortiManager GUI (CVE-2026-22572)

Related Stories

Fortinet Patches Multiple Vulnerabilities Across FortiClient and Other Products

Fortinet released security updates addressing **22 vulnerabilities** across multiple products, including **FortiWeb**, **FortiSwitchAX**, **FortiManager**, and **FortiClient (Linux)**. The issues span multiple bug classes (e.g., **authentication bypass**, **heap-based buffer overflow**, and **cleartext storage of sensitive information**) and could enable outcomes such as security bypass, data tampering, denial-of-service, privilege escalation, information disclosure, and in some cases **unauthorized code/command execution**. Belgium’s CCB urged organizations to patch promptly and noted Fortinet reported **no evidence of active exploitation** at the time of the advisory. One of the patched flaws, **CVE-2026-24018** (CVSS **7.8**), was detailed by the **Zero Day Initiative (ZDI-26-186)** as a **local privilege escalation** vulnerability in *FortiClient*. ZDI reported the flaw stems from handling of certain shared objects: a local attacker with the ability to run low-privileged code can create a **symbolic link** to coerce a service into loading an arbitrary shared object, enabling execution of attacker-controlled code as **root**. Fortinet issued a fix and published vendor guidance under **FG-IR-26-083**.

1 month ago
Fortinet FortiOS/FortiSwitchManager Heap Buffer Overflow Enabling Remote Code Execution

Fortinet disclosed a **critical heap-based buffer overflow** (CWE-122) in the `cw_acd` daemon affecting **FortiOS** and **FortiSwitchManager**, which can allow **remote, unauthenticated attackers to execute arbitrary code or commands** via specially crafted network traffic. Impacted versions span multiple FortiOS branches (6.4 through 7.6), along with **FortiSASE** and FortiSwitchManager releases; Fortinet advised immediate upgrades (e.g., FortiOS 7.6.4+, 7.4.9+, 7.2.12+, 7.0.18+, 6.4.17+; FortiSwitchManager 7.2.7+ and 7.0.6+), and noted FortiSASE 25.2.b is remediated in 25.2.c. The issue was reported as discovered internally by Fortinet’s product security team, and public reporting indicated no CVE was initially listed at publication time. Separately, Fortinet also disclosed a **low-severity SSRF** in **FortiSandbox** tracked as **CVE-2025-67685** (FG-IR-25-783), where an authenticated, high-privilege user can craft GUI-driven HTTP requests to proxy traffic to internal plaintext endpoints (CWE-918). While this SSRF could enable internal service exposure or pivoting in segmented environments, it requires privileged access and was not reported as actively exploited; Fortinet recommended upgrading FortiSandbox (e.g., 5.0.5+ for 5.0.0–5.0.4) and migrating off legacy 4.x branches. For the FortiOS/FortiSwitchManager RCE, interim mitigations included removing **fabric** access from interfaces and restricting **CAPWAP-CONTROL** (UDP 5246–5249) to trusted sources via local-in policies.

1 month ago
Fortinet Discloses Critical Command Injection and SQL Injection Flaws

Fortinet disclosed two high-severity vulnerabilities affecting **FortiSandbox** and **FortiDDoS-F**, both of which could allow unauthorized code or command execution. **CVE-2026-39808** is an OS command injection flaw in FortiSandbox versions `4.4.0` through `4.4.8`, mapped to `CWE-78`, with a `CVSS 3.1` vector of `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`, indicating remote exploitation without authentication and high impact across confidentiality, integrity, and availability. Fortinet also disclosed **CVE-2026-39815**, an SQL injection vulnerability in FortiDDoS-F versions `7.2.1` through `7.2.2`, mapped to `CWE-89`. The flaw requires low privileges but may likewise enable unauthorized code or command execution, and carries a `CVSS 3.1` vector of `AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`. The issues are tracked in Fortinet advisories **FG-IR-26-100** and **FG-IR-26-119**, respectively, expanding the vendor's latest set of appliance security fixes.

2 weeks ago
