CVSSv3 Score: 6.9
A stack-based overflow vulnerability [CWE-124] in FortiOS CAPWAP daemon may allow a remote unauthenticated attacker on an adjacent network to achieve arbitrary code execution via sending specially crafted packets. Note that in the default configuration, the attacker must be in control of an authorized FortiAP for the attack to succeed and have access to the same local IP subnet. Additionally, successful exploitation would require defeating stack protection and ASLR.
Revised on 2025-11-21 00:00:00
CVSSv3 Score: 6.9
A stack-based overflow vulnerability [CWE-124] in FortiOS and FortiSwitchManager CAPWAP daemon may allow a remote authenticated attacker to execute arbitrary code or command as a low privileged user via specially crafted packets. Successful exploitation would require a large amount of effort in preparation because of stack protection and ASLR. Additionally, the attacker must be able to pose as an authorized FortiAP or FortiExtender.
Revised on 2025-11-21 00:00:00
CVSSv3 Score: 7.1
An Exposed IOCTL with Insufficient Access Control vulnerability [CWE-782] in FortiClient Windows may allow an authenticated local user to execute unauthorized code via fortips driver. Success of the attack would require bypassing the Windows memory protections such as Heap integrity and HSP. In addition, it requires a valid and running VPN IPSec connection.
Revised on 2025-11-18 00:00:00
CVSSv3 Score: 6.3
A buffer overflow vulnerability [CWE-120] in FortiExtender json_cli may allow an authenticated user to execute arbitrary code or commands via crafted CLI commands.
Revised on 2025-11-18 00:00:00
CVSSv3 Score: 7.1
A Heap-based Buffer Overflow vulnerability [CWE-122] in FortiClient Windows may allow an authenticated local IPSec user to execute arbitrary code or commands via "fortips_74.sys" driver. The attacker would need to bypass the Windows heap integrity protections.
Revised on 2025-11-18 00:00:00
CVSSv3 Score: 3.9
A CRLF Header Injection vulnerability [CWE-93] in FortiMail user GUI may allow an attacker to inject headers in the response via convincing a user to click on a specifically crafted link.
Revised on 2025-11-18 00:00:00
CVSSv3 Score: 3.8
A Cleartext Storage of Sensitive Information in Memory vulnerability [CWE-316] in FortiPAM may allow an authenticated attacker with read-write admin privileges to the CLI to obtain other administrators' credentials via diagnose commands.
Revised on 2025-11-18 00:00:00
CVSSv3 Score: 5.2
An insufficiently protected credentials vulnerability [CWE-522] in FortiExtender may allow an authenticated user to obtain administrator credentials via debug log commands.
Revised on 2025-11-18 00:00:00
CVSSv3 Score: 5.0
An Improper Isolation or Compartmentalization vulnerability [CWE-653] in FortiSandbox may allow an unauthenticated attacker to evade the sandboxing scan via a crafted file.
Revised on 2025-11-18 00:00:00
CVSSv3 Score: 4.9
An active debug code vulnerability [CWE-489] in FortiClientWindows may allow a local attacker to run the application step by step and retrieve the saved VPN user password.
Revised on 2025-11-18 00:00:00
CVSSv3 Score: 3.9
An Exposure of Sensitive Information to an Unauthorized Actor vulnerability [CWE-200] in FortiADC Logs may allow an admin with read-only permission to get the external resources password via the logs of the product.
Revised on 2025-11-18 00:00:00
CVSSv3 Score: 6.7
An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] in FortiWeb may allow an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests or CLI commands. Fortinet has observed this to be exploited in the wild. FortiAppSec Cloud is NOT impacted by this vulnerability.
Revised on 2025-11-18 00:00:00
CVSSv3 Score: 6.3
An Out-of-bounds Write vulnerability [CWE-787] in FortiADC may allow an authenticated attacker to execute arbitrary code via specially crafted HTTP requests.
Revised on 2025-11-18 00:00:00
CVSSv3 Score: 7.7
An improper neutralization of special elements used in an SQL Command ('SQL Injection') vulnerability [CWE-89] in FortiVoice may allow an authenticated attacker to execute unauthorized code or commands via specifically crafted HTTP or HTTPS requests.
Revised on 2025-11-18 00:00:00
CVSSv3 Score: 1.8
An Improper Privilege Management vulnerability [CWE-269] in FortiOS, FortiProxy and FortiPAM may allow an authenticated administrator to bypass the trusted host policy via a crafted CLI command.
Revised on 2025-11-18 00:00:00
CVSSv3 Score: 4.8
A use of hard-coded credentials vulnerability [CWE-798] in the internal redis services in FortiWeb may allow an authenticated attacker with shell access to the device to connect to any running redis service and access its data.
Revised on 2025-11-18 00:00:00
CVSSv3 Score: 4.2
An Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability [CWE-80] in FortiADC virtual server's default error page may allow an unauthenticated attacker to execute malicious code via a crafted URL.
Revised on 2025-11-18 00:00:00
CVSSv3 Score: 9.4
A relative path traversal vulnerability [CWE-23] in FortiWeb may allow an unauthenticated attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests. Fortinet has observed this to be exploited in the wild. FortiAppSec Cloud is NOT impacted by this vulnerability.
Revised on 2025-11-14 00:00:00
CVSSv3 Score: 4.0
A heap-based buffer overflow vulnerability [CWE-122] in FortiOS cw_stad daemon may allow an authenticated attacker to execute arbitrary code or commands via specifically crafted requests.
Revised on 2025-11-03 00:00:00
CVSSv3 Score: 5.9
CVE-2025-26466: A flaw was found in the OpenSSH package. For each ping packet the SSH server receives, a pong packet is allocated in a memory buffer and stored in a queue of packets. It is only freed when the server/client key exchange has finished. A malicious client may keep sending such packets, leading to an uncontrolled increase in memory consumption on the server side. Consequently, the server may become unavailable, resulting in a denial of service attack.
Revised on 2025-11-03 00:00:00
CVSSv3 Score: 2.1
An insufficiently protected credentials [CWE-522] vulnerability in FortiOS may allow a privileged authenticated attacker to retrieve LDAP credentials via modifying the LDAP server IP address in the FortiOS configuration to point to a malicious attacker-controlled server.
Revised on 2025-10-21 00:00:00
CVSSv3 Score: 8.0
Critical XXE in Apache Tika (tika-parser-pdf-module) in Apache Tika 1.13 through and including 3.2.1 on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. An attacker may be able to read sensitive data or trigger malicious requests to internal resources or third-party servers. Note that the tika-parser-pdf-module is used as a dependency in several Tika packages including at least: tika-parsers-standard-modules, tika-parsers-standard-package, tika-app, tika-grpc and tika-server-standard. Users are recommended to upgrade to version 3.2.2, which fixes this issue.
Revised on 2025-10-14 00:00:00
CVSSv3 Score: 6.7
A Heap-based Buffer Overflow vulnerability [CWE-122] in FortiOS, FortiPAM and FortiProxy RDP bookmark connection may allow an authenticated user to execute unauthorized code via crafted requests.
Revised on 2025-10-14 00:00:00
CVSSv3 Score: 5.5
An Improper Control of Generation of Code ('Code Injection') vulnerability [CWE-94] in FortiClientMac may allow an unauthenticated attacker to execute arbitrary code on the victim's host via tricking the user into visiting a malicious website.
Revised on 2025-10-14 00:00:00
CVSSv3 Score: 6.0
An Uncontrolled Search Path Element vulnerability [CWE-427] in FortiClient Windows may allow a local low privileged user to perform a DLL hijacking attack via placing a malicious DLL in the FortiClient Online Installer installation folder.
Revised on 2025-10-14 00:00:00