CyberLabRSS

โ˜ โ˜† โœ‡ FortiGuard Labs

API authentication and authorization bypass

โ€” April 4th 2026 at 07:00

CVSSv3 Score: 9.1

An Improper Access Control vulnerability [CWE-284] in FortiClient EMS may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.

Fortinet has observed this to be exploited in the wild and urges vulnerable customers to install the hotfix for FortiClient EMS 7.4.5 and 7.4.6, by following the instructions at:

https://docs.fortinet.com/document/forticlient/7.4.5/ems-release-notes/832484 - for FortiClientEMS 7.4.5
https://docs.fortinet.com/document/forticlient/7.4.6/ems-release-notes/832484 - for FortiClientEMS 7.4.6

Upcoming FortiClientEMS 7.4.7 will also include a fix for this issue. In the meantime the hotfix above is sufficient to prevent it entirely.

Revised on 2026-04-04 00:00:00

โ˜ โ˜† โœ‡ FortiGuard Labs

Privilege escalation using undocumented CLI command

โ€” March 10th 2026 at 07:00

CVSSv3 Score: 6.4

An Inclusion of Undocumented Features [CWE-1242] in FortiManager and FortiAnalyzer CLI may allow a remote authenticated read-only admin with CLI access to escalate their privilege via use of a hidden command.

Revised on 2026-03-10 00:00:00

โ˜ โ˜† โœ‡ FortiGuard Labs

OS command injection on vmimages update feature

โ€” March 10th 2026 at 07:00

CVSSv3 Score: 6.7

An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] in FortiSandbox Cloud and FortiSandbox PaaS WEB UI may allow a privileged attacker with super-admin profile and CLI access to execute unauthorized code or commands via crafted HTTP requests.

Revised on 2026-03-26 00:00:00

โ˜ โ˜† โœ‡ FortiGuard Labs

Buffer overflow via fgtupdates service

โ€” March 10th 2026 at 07:00

CVSSv3 Score: 7.0

A Stack-based Buffer Overflow vulnerability [CWE-121] in FortiManager fgtupdates service may allow a remote unauthenticated attacker to execute unauthorized commands via crafted requests, if the service is enabled. The success of the attack depends on the ability to bypass the stack protection mechanisms.

Revised on 2026-03-10 00:00:00

โ˜ โ˜† โœ‡ FortiGuard Labs

SQL injection in jsonrpc api

โ€” March 10th 2026 at 07:00

CVSSv3 Score: 5.6

An Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability [CWE-89] in FortiAnalyzer and FortiAnalyzer-BigData API may allow an authenticated attacker to execute unauthorized code or commands via specifically crafted requests.

Revised on 2026-03-10 00:00:00

โ˜ โ˜† โœ‡ FortiGuard Labs

shell command limitation bypass by SSH local config overriding

โ€” March 10th 2026 at 07:00

CVSSv3 Score: 5.1

An Improper Access Control vulnerability [CWE-284] in FortiSwitchAXFixed may allow an authenticated admin to execute system commands via a specifically crafted SSH config file.

Revised on 2026-03-10 00:00:00

โ˜ โ˜† โœ‡ FortiGuard Labs

Format string vulnerability in fazsvcd

โ€” March 10th 2026 at 07:00

CVSSv3 Score: 6.5

A use of externally-controlled format string vulnerability [CWE-134] in FortiAnalyzer, FortiAnalyzer Cloud, FortiManager and FortiManager Cloud fazsvcd daemon may allow a remote privileged attacker with admin profile to execute arbitrary code or commands via specially crafted requests.

Revised on 2026-03-10 00:00:00

โ˜ โ˜† โœ‡ FortiGuard Labs

Local privilege escalation via improper symlink following

โ€” March 10th 2026 at 07:00

CVSSv3 Score: 7.4

A UNIX symbolic link (Symlink) Following vulnerability [CWE-61] in FortiClientLinux may allow a local and unprivileged user to escalate their privileges to root.

Revised on 2026-03-10 00:00:00

โ˜ โ˜† โœ‡ FortiGuard Labs

Reflected Cross Site Scripting (XSS) in error page

โ€” March 10th 2026 at 07:00

CVSSv3 Score: 4.1

An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') [CWE-79] in FortiSIEM's error page may allow a remote unauthenticated attacker to provide arbitrary data enabling a social engineering attack via spoofed URL parameters.

Revised on 2026-03-10 00:00:00

โ˜ โ˜† โœ‡ FortiGuard Labs

Insecure Exposure of Plaintext Passwords in Debug Logs

โ€” March 10th 2026 at 07:00

CVSSv3 Score: 3.8

A Cleartext Storage of Sensitive Information vulnerability [CWE-312] in FortiMail, FortiVoice and FortiRecorder debug logs may allow an authenticated malicious administrator to obtain users' secrets via CLI commands.

Revised on 2026-03-10 00:00:00

โ˜ โ˜† โœ‡ FortiGuard Labs

MFA Bypass in GUI

โ€” March 10th 2026 at 07:00

CVSSv3 Score: 6.8

An authentication bypass using an alternate path or channel vulnerability [CWE-288] in FortiManager and FortiAnalyzer multifactor authentication may allow an attacker with knowledge of the admin's password to bypass multifactor authentication checks via submitting multiple crafted requests.

Revised on 2026-03-10 00:00:00

โ˜ โ˜† โœ‡ FortiGuard Labs

Stack-based Buffer Overflow in API protection

โ€” March 10th 2026 at 07:00

CVSSv3 Score: 5.9

A Stack-based Buffer Overflow vulnerability [CWE-121] in FortiWeb may allow a remote authenticated attacker to execute arbitrary code or commands via crafted HTTP requests. Success of the attack is conditioned on bypassing stack protection and ASLR.

Revised on 2026-03-10 00:00:00

โ˜ โ˜† โœ‡ FortiGuard Labs

Null Pointer Dereference in Anti-Defacement feature

โ€” March 10th 2026 at 07:00

CVSSv3 Score: 2.5

A NULL Pointer Dereference vulnerability [CWE-476] in FortiWeb may allow an authenticated attacker to crash the HTTP daemon via crafted HTTP requests.

Revised on 2026-03-10 00:00:00

โ˜ โ˜† โœ‡ FortiGuard Labs

XSS in LDAP server option

โ€” March 10th 2026 at 07:00

CVSSv3 Score: 4.6

An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability [CWE-79] in FortiSandbox LDAP Server feature may allow an authenticated privileged attacker to execute code via crafted requests.

Revised on 2026-03-10 00:00:00

โ˜ โ˜† โœ‡ FortiGuard Labs

Path traversal vulnerability in FortiSOAR Agent Connector Bridge server

โ€” March 10th 2026 at 07:00

CVSSv3 Score: 5.5

An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability [CWE-22] in FortiSOAR Agent Connector Bridge may allow an unauthenticated attacker to read files accessible to the fortisoar user on the system where the agent is deployed, via sending a crafted request to the agent port.

Revised on 2026-03-10 00:00:00

โ˜ โ˜† โœ‡ FortiGuard Labs

Buffer Overflow in LLDP OUI field

โ€” March 10th 2026 at 07:00

CVSSv3 Score: 7.7

A Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability [CWE-120] in FortiSwitchAXFixed may allow an unauthenticated attacker within the same adjacent network to execute unauthorized code or commands on the device via sending a crafted LLDP packet.

Revised on 2026-03-10 00:00:00

โ˜ โ˜† โœ‡ FortiGuard Labs

Arbitrary file deletion in administrative interface

โ€” March 10th 2026 at 07:00

CVSSv3 Score: 6.0

An Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability [CWE-88] in FortiDeceptor WEBUI may allow a privileged attacker with super-admin profile and CLI access to delete sensitive files via crafted HTTP requests.

Revised on 2026-03-10 00:00:00

โ˜ โ˜† โœ‡ FortiGuard Labs

Stack buffer overflow in API

โ€” March 10th 2026 at 07:00

CVSSv3 Score: 5.9

A Stack-based Buffer Overflow vulnerability [CWE-121] in FortiWeb may allow a remote authenticated attacker who can bypass stack protection and ASLR to execute arbitrary code or commands via crafted HTTP requests.

Revised on 2026-03-10 00:00:00

โ˜ โ˜† โœ‡ FortiGuard Labs

Protected hostname bypass

โ€” March 10th 2026 at 07:00

CVSSv3 Score: 5.0

An authentication bypass by spoofing [CWE-290] vulnerability in FortiWeb protected hostname feature may allow a remote unauthenticated attacker to bypass hostname restrictions via a specially crafted request.

Revised on 2026-03-10 00:00:00

โ˜ โ˜† โœ‡ FortiGuard Labs

OS Command injection in FortiWeb API

โ€” March 10th 2026 at 07:00

CVSSv3 Score: 6.7

An OS Command Injection vulnerability [CWE-78] in FortiWeb API may allow an authenticated attacker to execute arbitrary commands via a specially crafted HTTP request.

Revised on 2026-03-10 00:00:00

โ˜ โ˜† โœ‡ FortiGuard Labs

Authentication rate-limit bypass permits to brute force admin logins

โ€” March 10th 2026 at 07:00

CVSSv3 Score: 7.3

An Improper Control of Interaction Frequency vulnerability [CWE-799] in FortiWeb may allow a remote unauthenticated attacker to bypass the authentication rate-limit via crafted requests. The success of the attack depends on the attacker's resources and the complexity of the targeted password.

Revised on 2026-03-10 00:00:00

โ˜ โ˜† โœ‡ FortiGuard Labs

Lack of TLS Certificate Validation during initial SSO Authentication

โ€” March 10th 2026 at 07:00

CVSSv3 Score: 6.3

An improper certificate validation [CWE-295] vulnerability in the FortiManager GUI may allow a remote unauthenticated attacker to view confidential information via a man-in-the-middle (MitM) attack.

Revised on 2026-03-10 00:00:00

โ˜ โ˜† โœ‡ FortiGuard Labs

Authentication Lockout Bypass via Race Condition

โ€” March 10th 2026 at 07:00

CVSSv3 Score: 3.4

An improper restriction of excessive authentication attempts vulnerability [CWE-307] in FortiManager and FortiAnalyzer may allow an attacker to bypass bruteforce protections via exploitation of race conditions.

Revised on 2026-03-10 00:00:00

โ˜ โ˜† โœ‡ FortiGuard Labs

SSRF in GUI console

โ€” February 21st 2026 at 08:42
โ˜ โ˜† โœ‡ FortiGuard Labs

XSS in default error page

โ€” February 21st 2026 at 08:44
โ˜ โ˜† โœ‡ FortiGuard Labs

OpenSSL CVE-2025-15467

โ€” February 21st 2026 at 08:42
โ˜ โ˜† โœ‡ FortiGuard Labs

SQL injection in forward module

โ€” February 21st 2026 at 08:41
โ˜ โ˜† โœ‡ FortiGuard Labs

Arbitrary XML file write in FCConfig

โ€” February 10th 2026 at 08:00

CVSSv3 Score: 6.4

An Improper Link Resolution Before File Access vulnerability [CWE-59] in FortiClient Windows may allow a local low-privilege attacker to perform an arbitrary file write with elevated permissions via crafted named pipe messages.

Revised on 2026-02-10 00:00:00

โ˜ โ˜† โœ‡ FortiGuard Labs

LDAP authentication bypass in Agentless VPN and FSSO

โ€” February 10th 2026 at 08:00

CVSSv3 Score: 7.5

An Authentication Bypass by Primary Weakness vulnerability [CWE-305] in FortiOS fnbamd may allow an unauthenticated attacker to bypass LDAP authentication of Agentless VPN or FSSO policy, under specific LDAP server configuration.

Revised on 2026-02-10 00:00:00

โ˜ โ˜† โœ‡ FortiGuard Labs

Firewall policy bypass in FSSO Terminal Services Agent

โ€” February 10th 2026 at 08:00

CVSSv3 Score: 3.8

An Improper Verification of Source of a Communication Channel vulnerability [CWE-940] in FortiOS FSSO Terminal Services Agent may allow an authenticated user with knowledge of FSSO policy configurations to gain unauthorized access to protected network resources via crafted requests.

Revised on 2026-02-10 00:00:00

โ˜ โ˜† โœ‡ FortiGuard Labs

Request smuggling attack in FortiOS

โ€” February 10th 2026 at 08:00

CVSSv3 Score: 5.2

An HTTP request smuggling vulnerability [CWE-444] in FortiOS may allow an unauthenticated attacker to smuggle an unlogged HTTP request through the firewall policies via a specially crafted header.

Revised on 2026-02-26 00:00:00

โ˜ โ˜† โœ‡ FortiGuard Labs

SSL-VPN Symlink Persistence Patch Bypass

โ€” February 10th 2026 at 08:00

CVSSv3 Score: 5.3

An Exposure of Sensitive Information to an Unauthorized Actor vulnerability [CWE-200] in FortiOS SSL-VPN may allow a remote unauthenticated attacker to bypass the patch developed for the symbolic link persistence mechanism observed in some post-exploitation cases, via crafted HTTP requests. An attacker would first need to have compromised the product at filesystem level via another vulnerability.

Revised on 2026-03-12 00:00:00

โ˜ โ˜† โœ‡ FortiGuard Labs

Missing authorization on CSV user import

โ€” February 10th 2026 at 08:00

CVSSv3 Score: 6.8

A missing authorization vulnerability [CWE-862] in FortiAuthenticator may allow a read-only admin to make modifications to local users via a file upload to an unprotected endpoint.

Revised on 2026-02-10 00:00:00

โ˜ โ˜† โœ‡ FortiGuard Labs

XSS via back button

โ€” February 10th 2026 at 08:00

CVSSv3 Score: 7.9

An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability [CWE-79] in FortiSandbox may allow an unauthenticated attacker to execute commands via crafted requests.

FortiSandbox PaaS versions 4.4.8 and 5.0.5 contain the fix for this vulnerability.

Revised on 2026-02-10 00:00:00

โ˜ โ˜† โœ‡ FortiGuard Labs

Format String Vulnerability in CAPWAP fast-failover mode

โ€” February 10th 2026 at 08:00

CVSSv3 Score: 6.7

A Use of Externally-Controlled Format String vulnerability [CWE-134] in FortiGate may allow an authenticated admin to execute unauthorized code or commands via specifically crafted configuration.

Revised on 2026-02-10 00:00:00

โ˜ โ˜† โœ‡ FortiGuard Labs

SQLi in administrative interface

โ€” February 6th 2026 at 08:00

CVSSv3 Score: 9.1

An improper neutralization of special elements used in an SQL Command ('SQL Injection') vulnerability [CWE-89] in FortiClientEMS may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests.

This has been observed to be exploited in the wild.

Revised on 2026-02-06 00:00:00

โ˜ โ˜† โœ‡ FortiGuard Labs

OpenSSL CVE-2025-15467

โ€” January 30th 2026 at 08:00

CVSSv3 Score: 9.8

CVE-2025-15467

Parsing CMS AuthEnvelopedData message with maliciously crafted AEAD parameters can trigger a stack buffer overflow. A stack buffer overflow may lead to a crash, causing Denial of Service, or potentially remote code execution. When parsing CMS AuthEnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs. Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME AuthEnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk.

The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary.

OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue.

OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.

Revised on 2026-03-13 00:00:00

โ˜ โ˜† โœ‡ FortiGuard Labs

Administrative FortiCloud SSO authentication bypass

โ€” January 27th 2026 at 08:00

CVSSv3 Score: 9.4

An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] in FortiOS, FortiManager, FortiAnalyzer, FortiProxy, FortiSwitchManager, FortiWeb may allow an attacker with a FortiCloud account and a registered device to log into other devices registered to other accounts, if FortiCloud SSO authentication is enabled on those devices.

Please note that the FortiCloud SSO login feature is not enabled in default factory settings. However, when an administrator registers the device to FortiCare from the device's GUI, unless the administrator disables the toggle switch "Allow administrative login using FortiCloud SSO" in the registration page, FortiCloud SSO login is enabled upon registration.

This vulnerability was found being exploited in the wild by two malicious FortiCloud accounts, which were locked out on 2026-01-22. In order to protect its customers from further exploit, Fortinet disabled FortiCloud SSO on FortiCloud side on 2026-01-26. It was re-enabled on 2026-01-27 and no longer supports login from devices running vulnerable versions. Consequently, customers must upgrade to the latest versions listed below for the FortiCloud SSO authentication to function.

FortiManager Cloud, FortiAnalyzer Cloud, FortiGate Cloud are NOT impacted.

Setups with Custom IdP for SSO instead of FortiCloud are not impacted (including setups using FortiAuthenticator as the Custom IdP).

Revised on 2026-01-27 00:00:00

โ˜ โ˜† โœ‡ FortiGuard Labs

Unauthenticated access to local configuration

โ€” January 13th 2026 at 08:00

CVSSv3 Score: 9.3

An exposure of sensitive information to an unauthorized actor [CWE-200] vulnerability in FortiFone Web Portal page may allow an unauthenticated attacker to obtain the device configuration via crafted HTTP or HTTPS requests.

Revised on 2026-01-13 00:00:00

โ˜ โ˜† โœ‡ FortiGuard Labs

Unauthenticated remote command injection

โ€” January 13th 2026 at 08:00

CVSSv3 Score: 9.4

An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in FortiSIEM may allow an unauthenticated attacker to execute unauthorized code or commands via crafted TCP requests.

Revised on 2026-01-13 00:00:00

โ˜ โ˜† โœ‡ FortiGuard Labs

SSRF in GUI console

โ€” January 13th 2026 at 08:00

CVSSv3 Score: 3.4

A Server-Side Request Forgery (SSRF) vulnerability [CWE-918] in FortiSandbox may allow an authenticated attacker to proxy internal requests, limited to plaintext endpoints only, via crafted HTTP requests.

Revised on 2026-01-13 00:00:00

โ˜ โ˜† โœ‡ FortiGuard Labs

Arbitrary file deletion in administrative interface

โ€” January 13th 2026 at 08:00

CVSSv3 Score: 5.7

An improper limitation of a pathname to a restricted directory ('path traversal') vulnerability in FortiVoice may allow a privileged attacker to delete files from the underlying filesystem via crafted HTTP or HTTPS requests.

Revised on 2026-01-13 00:00:00

โ˜ โ˜† โœ‡ FortiGuard Labs

Heap-based buffer overflow in cw_acd daemon

โ€” January 13th 2026 at 08:00

CVSSv3 Score: 7.4

A heap-based buffer overflow vulnerability [CWE-122] in FortiOS and FortiSwitchManager cw_acd daemon may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.

The presence of security controls such as ASLR and PIE considerably raises the complexity and preparation effort required for exploitation.

Revised on 2026-02-23 00:00:00

โ˜ โ˜† โœ‡ FortiGuard Labs

Authenticated SQL injection in API endpoint

โ€” January 13th 2026 at 08:00

CVSSv3 Score: 6.8

An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] in FortiClientEMS may allow an authenticated attacker with at least read-only admin permission to execute unauthorized SQL code or commands via crafted HTTP or HTTPS requests.

Revised on 2026-01-13 00:00:00

โ˜ โ˜† โœ‡ FortiGuard Labs

`Host` header injection

โ€” January 14th 2025 at 08:00

CVSSv3 Score: 4.1

An externally controlled reference to a resource in another sphere vulnerability [CWE-610] in multiple products may allow an unauthenticated attacker to poison web caches between the device and the attacker via crafted HTTP requests, where the Host header points to an arbitrary webserver.

Revised on 2026-01-07 00:00:00

โ˜ โ˜† โœ‡ FortiGuard Labs

Missing authorization on log access

โ€” December 9th 2025 at 08:00

CVSSv3 Score: 2.6

A Direct Request ('Forced Browsing') [CWE-425] vulnerability in FortiAuthenticator logs may allow an authenticated attacker with at least sponsor permissions to read and download device logs via accessing specific endpoints.

Revised on 2025-12-09 00:00:00

โ˜ โ˜† โœ‡ FortiGuard Labs

OS command injection in multiple endpoints

โ€” December 9th 2025 at 08:00

CVSSv3 Score: 7.0

An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] in FortiSandbox may allow an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests.

Revised on 2025-12-09 00:00:00

โ˜ โ˜† โœ‡ FortiGuard Labs

Multiple Fortinet Products' FortiCloud SSO Login Authentication Bypass

โ€” December 9th 2025 at 08:00

CVSSv3 Score: 9.1

An Improper Verification of Cryptographic Signature vulnerability [CWE-347] in FortiOS, FortiWeb, FortiProxy and FortiSwitchManager may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML message, if that feature is enabled on the device.

Please note that the FortiCloud SSO login feature is not enabled in default factory settings. However, when an administrator registers the device to FortiCare from the device's GUI, unless the administrator disables the toggle switch "Allow administrative login using FortiCloud SSO" in the registration page, FortiCloud SSO login is enabled upon registration.

To prevent being affected by this vulnerability on vulnerable versions, please turn off the FortiCloud login feature (if enabled) temporarily until upgrading to a non-affected version.

To turn off FortiCloud login, go to System -> Settings -> switch "Allow administrative login using FortiCloud SSO" to Off. Or type the following command in the CLI:

    config system global
        set admin-forticloud-sso-login disable
    end

Revised on 2025-12-09 00:00:00

โ˜ โ˜† โœ‡ FortiGuard Labs

Insertion of sensitive information into REST API logs

โ€” December 9th 2025 at 08:00

CVSSv3 Score: 6.3

An insertion of sensitive information into log file vulnerability [CWE-532] in FortiOS, FortiProxy, FortiPAM and FortiSRA may allow a read-only administrator to retrieve API tokens of other administrators via observing REST API logs, if REST API logging is enabled (non-default configuration).

Revised on 2025-12-09 00:00:00

โŒ