Critical Vulnerability in FortiOS and FortiSwitchManager Allows Remote Code Execution
Fortinet has recently identified a critical security flaw within its FortiOS and FortiSwitchManager products. This vulnerability, a heap-based buffer overflow in the cw_acd daemon, enables remote, unauthenticated attackers to execute arbitrary code or commands by sending specially crafted network requests. Such an exploit could lead to full system compromise without any prior authentication, posing a significant risk to organizations utilizing these products.
Discovery and Disclosure
The vulnerability was discovered internally by Gwendal Guégniaud of the Fortinet Product Security Team and publicly disclosed on January 13, 2026. Although a Common Vulnerabilities and Exposures (CVE) identifier has not yet been assigned, Fortinet emphasizes the urgency of addressing this issue promptly.
Affected Products and Versions
The security flaw impacts multiple versions of FortiOS, FortiSASE, and FortiSwitchManager. Administrators are advised to verify their deployments and follow the recommended upgrade paths:
– FortiOS 7.6: Versions 7.6.0 through 7.6.3 should be upgraded to 7.6.4 or later.
– FortiOS 7.4: Versions 7.4.0 through 7.4.8 should be upgraded to 7.4.9 or later.
– FortiOS 7.2: Versions 7.2.0 through 7.2.11 should be upgraded to 7.2.12 or later.
– FortiOS 7.0: Versions 7.0.0 through 7.0.17 should be upgraded to 7.0.18 or later.
– FortiOS 6.4: Versions 6.4.0 through 6.4.16 should be upgraded to 6.4.17 or later.
– FortiSASE 25.2: Version 25.2.b has been remediated in 25.2.c.
– FortiSASE 25.1.a: Version 25.1.a.2 should migrate to a fixed release.
– FortiSASE 24.4–22: These versions are not affected.
– FortiSwitchManager 7.2: Versions 7.2.0 through 7.2.6 should be upgraded to 7.2.7 or later.
– FortiSwitchManager 7.0: Versions 7.0.0 through 7.0.5 should be upgraded to 7.0.6 or later.
Mitigation Strategies
In scenarios where immediate patching is not feasible, Fortinet recommends the following mitigations:
1. Disable Fabric Access on Interfaces: This can be achieved by modifying the system interface settings to remove ‘fabric’ access.
2. Block CAPWAP-CONTROL Traffic: Implement local-in policies to block UDP ports 5246-5249, allowing only trusted sources.
These measures can help reduce the attack surface until the systems are fully updated.
Recommendations
Fortinet advises organizations to prioritize upgrading to the latest versions to mitigate the risk associated with this vulnerability. Additionally, monitoring system logs for unusual activity related to the cw_acd daemon and segmenting management interfaces can further enhance security. This incident underscores the critical importance of proactive patch management and vigilant network monitoring in maintaining robust cybersecurity defenses.
