rss-bridge 2026-02-10T20:19:12+00:00

Multiple Vulnerabilities in Fortinet Products Could Allow for Arbitrary Code Execution

Multiple vulnerabilities have been discovered in Fortinet products, the most severe of which could allow for arbitrary code execution.

FortiAuthenticator is a centralized identity and access management (IAM) solution that secures network access by managing user identities, Multi-Factor Authentication (MFA), and certificate management.FortiClientEMS is a centralized management platform for deploying, configuring, monitoring, and enforcing security policies across numerous endpoints (computers) running the FortiClient agent.FortiClient is a Fabric Agent that delivers protection, compliance, and secure access in a single, modular lightweight client.FortiOS is the Fortinet’s proprietary Operation System which is utilized across multiple product lines.FortiSandbox is an advanced threat detection solution from Fortinet that uses sandboxing to analyze suspicious files and network traffic for advanced threats like zero-day malware and ransomware.

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the affected service account. Depending on the privileges associated with the service account an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Service accounts that are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Multiple Vulnerabilities in Fortinet Products Could Allow for Arbitrary Code Execution

MS-ISAC ADVISORY NUMBER:

2026-012

DATE(S) ISSUED:

02/10/2026

OVERVIEW:

Multiple vulnerabilities have been discovered in Fortinet products, the most severe of which could allow for arbitrary code execution.

FortiAuthenticator is a centralized identity and access management (IAM) solution that secures network access by managing user identities, Multi-Factor Authentication (MFA), and certificate management.
FortiClientEMS is a centralized management platform for deploying, configuring, monitoring, and enforcing security policies across numerous endpoints (computers) running the FortiClient agent.
FortiClient is a Fabric Agent that delivers protection, compliance, and secure access in a single, modular lightweight client.
FortiOS is the Fortinet’s proprietary Operation System which is utilized across multiple product lines.
FortiSandbox is an advanced threat detection solution from Fortinet that uses sandboxing to analyze suspicious files and network traffic for advanced threats like zero-day malware and ransomware.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

FortiAuthenticator 6.3 all versions
FortiAuthenticator 6.4 all versions
FortiAuthenticator 6.5 all versions
FortiAuthenticator 6.6.0 through 6.6.6
FortiClientEMS 7.4.4
FortiClientWindows 7.0 all versions
FortiClientWindows 7.2.0 through 7.2.12
FortiClientWindows 7.4.0 through 7.4.4
FortiOS 6.4 all versions
FortiOS 7.0 all versions
FortiOS 7.2 all versions
FortiOS 7.2.0 through 7.2.11
FortiOS 7.4.0 through 7.4.6
FortiOS 7.4.0 through 7.4.9
FortiOS 7.6.0 through 7.6.4
FortiSandbox 4.0 all versions
FortiSandbox 4.2 all versions
FortiSandbox 4.4.0 through 4.4.7
FortiSandbox 5.0.0 through 5.0.1

RISK:

Government:

Large and medium government entitiesHIGH

Small governmentMEDIUM

Businesses:

Large and medium business entitiesHIGH

Small business entitiesMEDIUM

Home Users:

LOW

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in Fortinet products, the most severe of which could allow for arbitrary code execution. Details of the vulnerabilities are as follows:

Tactic: Initial Access (TA0001)

Technique: Exploitation Public-Facing Application (T1190):

An improper neutralization of special elements used in an SQL Command ('SQL Injection') vulnerability [CWE-89] in FortiClientEMS may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests. (CVE-2026-21643)
An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability [CWE-79] in FortiSandbox may allow an unauthenticated attacker to execute commands via crafted requests. (CVE-2025-52436)
An Authentication Bypass by Primary Weakness vulnerability [CWE-305] in FortiOS fnbamd may allow an unauthenticated attacker to bypass LDAP authentication of Agentless VPN or FSSO policy, under specific LDAP server configuration. (CVE-2026-22153)

Details of lower severity vulnerabilities:

An Improper Link Resolution Before File Access vulnerability [CWE-59] in FortiClient Windows may allow a local low-privilege attacker to perform an arbitrary file write with elevated permissions via crafted named pipe messages. (CVE-2025-62676)
An Improper Verification of Source of a Communication Channel vulnerability [CWE-940] in FortiOS FSSO Terminal Services Agent may allow an authenticated user with knowledge of FSSO policy configurations to gain unauthorized access to protected network resources via crafted requests. (CVE-2025-62439)
A Use of Externally-Controlled Format String vulnerability [CWE-134] in FortiGate may allow an authenticated admin to execute unauthorized code or commands via specifically crafted configuration. (CVE-2025-64157)
A missing authorization vulnerability [CWE-862] in FortiAuthenticator may allow a read-only user to make modification to local users via a file upload to an unprotected endpoint. (CVE-2026-21743)
An HTTP request smuggling vulnerability [CWE-444] in FortiOS may allow an unauthenticated attacker to smuggle an unlogged http request through the firewall policies via a specially crafted header. (CVE-2025-55018)
An Exposure of Sensitive Information to an Unauthorized Actor vulnerability [CWE-200] in FortiOS SSL-VPN may allow a remote unauthenticated attacker to bypass the patch developed for the symbolic link persistency mechanism observed in some post-exploit cases, via crafted HTTP requests. (CVE-2025-68686)

RECOMMENDATIONS:

We recommend the following actions be taken:

Apply the stable channel update provided by Fortinet to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
Safeguard 7.1 : Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
Safeguard 7.2 : Establish and Maintain a Remediation Process: Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.
Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
Safeguard 7.6 : Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets: Perform automated vulnerability scans of externally-exposed enterprise assets using a SCAP-compliant vulnerability scanning tool. Perform scans on a monthly, or more frequent, basis.
Safeguard 7.7 : Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
Safeguard 16.13 Conduct Application Penetration Testing: Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user.

[...]

*Original source*