Fortinet Releases Critical Security Updates to Address Multiple Vulnerabilities
On March 10, 2026, Fortinet issued a comprehensive security advisory detailing eleven vulnerabilities across its core enterprise products, including FortiManager, FortiAnalyzer, FortiSwitchAXFixed, and FortiSandbox. These vulnerabilities encompass authentication bypasses, buffer overflows, OS command injections, and SQL injections, several of which could enable remote attackers to execute arbitrary commands or escalate privileges on affected systems.
High-Severity Vulnerabilities Patched
Two vulnerabilities have been classified as high severity due to their potential impact on unpatched systems:
– CVE-2026-22627 (FG-IR-26-086): This classic buffer overflow (CWE-120) exists in the LLDP OUI field of FortiSwitchAXFixed versions 1.0.0 and 1.0.1. Such vulnerabilities can allow attackers to overwrite adjacent memory, potentially leading to arbitrary code execution on the affected device.
– CVE-2025-54820 (FG-IR-26-098): A stack-based buffer overflow (CWE-121) in the FortiManager fgtupdates service affects versions 7.4.0 through 7.4.2 and 7.2.9 through 7.2.10. Exploiting this flaw could enable remote code execution via a crafted update request, posing a critical risk to organizations that rely on centralized network management infrastructure.
Authentication and Multi-Factor Authentication (MFA) Bypass Vulnerabilities
Three vulnerabilities affecting authentication mechanisms in FortiManager and FortiAnalyzer have been identified, posing significant access control risks:
– CVE-2026-22629 (FG-IR-26-079): This issue involves improper restriction of excessive authentication attempts (CWE-307), introducing an authentication lockout bypass through a race condition. Affected versions include FortiAnalyzer 7.6.0–7.6.4, FortiAnalyzer Cloud, FortiManager 7.6.0–7.6.4, and FortiManager Cloud. Exploiting this flaw could allow an attacker to brute-force credentials without triggering account lockouts.
– CVE-2026-22572 (FG-IR-26-090): An authentication bypass using an alternate path or channel (CWE-288) exists in the GUI of FortiAnalyzer and FortiManager versions 7.6.0–7.6.3, along with corresponding Cloud versions. This vulnerability allows an attacker to bypass multi-factor authentication entirely, significantly weakening administrative access defenses.
– CVE-2025-68482 (FG-IR-26-078): This flaw involves improper TLS certificate validation (CWE-295) during initial SSO authentication in the FortiManager GUI, affecting FortiAnalyzer and FortiManager 7.6.0–7.6.4. A remote attacker could intercept or manipulate the authentication process through a man-in-the-middle attack.
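The lockout-bypass class described for CVE-2026-22629 (CWE-307) comes down to a check-then-act race: if a login handler reads the failure counter, verifies the password and only then increments, many simultaneous requests can all observe a count below the limit. The following is an added illustration of the defensive pattern, not Fortinet code and not derived from the advisory: the attempt slot is reserved atomically before verification, so concurrent requests cannot outrun the limit. The class name, limits and in-memory store are assumptions for the example.

```python
import threading
import time


class LoginThrottle:
    """Per-account failed-attempt counter with an atomic reserve step.

    Constructed illustration (not Fortinet code): the limit, lockout window
    and in-memory store are assumptions for the example.
    """

    def __init__(self, max_attempts=5, lockout_seconds=900):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self._lock = threading.Lock()
        self._state = {}  # user -> (failure_count, locked_until)

    def reserve_attempt(self, user, now=None):
        """Claim one attempt slot BEFORE the credential is verified.

        Returns False if the account is currently locked. Doing the check and
        the increment under one lock, before verification, is the point:
        a 'read count -> verify password -> increment' sequence lets many
        concurrent requests all observe count < limit and proceed together.
        """
        now = time.monotonic() if now is None else now
        with self._lock:
            count, locked_until = self._state.get(user, (0, 0.0))
            if now < locked_until:
                return False
            if locked_until:  # a previous lockout has expired
                count = 0
            count += 1
            locked_until = now + self.lockout_seconds if count >= self.max_attempts else 0.0
            self._state[user] = (count, locked_until)
            return True

    def record_success(self, user):
        """A successful login clears the counter."""
        with self._lock:
            self._state.pop(user, None)

    def is_locked(self, user, now=None):
        now = time.monotonic() if now is None else now
        with self._lock:
            return now < self._state.get(user, (0, 0.0))[1]


def hammer(throttle, user, workers=50):
    """Fire `workers` concurrent attempts at one account and return how many
    got past the throttle. With the atomic reserve this equals max_attempts."""
    admitted = []
    barrier = threading.Barrier(workers)

    def attempt():
        barrier.wait()  # release every thread at the same moment
        if throttle.reserve_attempt(user):
            admitted.append(1)

    threads = [threading.Thread(target=attempt) for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(admitted)


if __name__ == "__main__":
    throttle = LoginThrottle(max_attempts=5)
    print("attempts admitted under 50 concurrent requests:", hammer(throttle, "admin"))
```

The lock is the cheap part; the design choice that matters is counting the attempt before the password check rather than after, so the counter is never in a state where parallel requests can all pass the limit check. In a multi-node deployment the same reserve step must be executed against a shared store (an atomic increment in the database or cache), since a process-local lock only protects one node.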
Command Injection and Privilege Escalation Vulnerabilities
Additional vulnerabilities have been identified that could lead to command injection and privilege escalation:
– CVE-2026-25836 (FG-IR-26-096): An OS command injection vulnerability (CWE-78) in the vmimages update feature of FortiSandbox Cloud 5.0.4 could allow an authenticated attacker to execute arbitrary operating system commands through the GUI, leading to full system compromise.
– CVE-2025-48418 (FG-IR-26-081): This issue exposes an undocumented CLI feature (CWE-1242) in FortiManager and FortiAnalyzer, affecting versions 7.6.0–7.6.3 and associated Cloud platforms. A remote attacker with existing access could exploit this hidden command to escalate privileges beyond their authorized level.
– CVE-2026-22628 (FG-IR-26-085): An improper access control flaw (CWE-284) in FortiSwitchAXFixed 1.0.0 and 1.0.1 allows an authenticated admin user to bypass shell command restrictions through SSH local configuration overrides.
Mitigation and Recommendations
Fortinet strongly advises all users to apply the latest patches immediately to mitigate these vulnerabilities. Administrators should review the specific advisories for each product to understand the affected versions and implement the recommended updates. Additionally, organizations should assess their authentication mechanisms, especially those involving SSO and MFA, to ensure they are not susceptible to the identified bypasses.
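To make the "review the affected versions" step concrete, here is an added triage script, not Fortinet tooling, that encodes the version ranges transcribed from the summary above and checks an inventory against them. The CVE and FG-IR identifiers and ranges come from the advisory text; the product labels, inventory format, function names and the sample hosts are this script's own assumptions. Cloud-hosted editions are listed in the summary without version numbers and are therefore not modelled.

```python
"""Affected-version check against the advisory summary above.

Added example, not Fortinet tooling: identifiers and version ranges are
transcribed from the advisory text; everything else is an assumption.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    cve: str
    fg_ir: str
    product: str
    ranges: tuple  # ((low, high), ...) inclusive bounds, as version tuples


def parse_version(text):
    """'7.6.0' -> (7, 6, 0). Tolerates a 'v' prefix and a build suffix such
    as '7.4.2-build2571'. Comparing tuples rather than strings is what makes
    '7.2.10' sort after '7.2.9'."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) for g in m.groups())


def span(low, high=None):
    """Inclusive version range; a single argument means exactly that version."""
    lo = parse_version(low)
    return (lo, parse_version(high) if high else lo)


# Transcribed from the advisory summary. FortiManager Cloud and FortiAnalyzer
# Cloud are named there without version numbers and are not modelled here.
ADVISORIES = (
    Advisory("CVE-2026-22627", "FG-IR-26-086", "FortiSwitchAXFixed", (span("1.0.0", "1.0.1"),)),
    Advisory("CVE-2026-22628", "FG-IR-26-085", "FortiSwitchAXFixed", (span("1.0.0", "1.0.1"),)),
    Advisory("CVE-2025-54820", "FG-IR-26-098", "FortiManager",
             (span("7.4.0", "7.4.2"), span("7.2.9", "7.2.10"))),
    Advisory("CVE-2026-22629", "FG-IR-26-079", "FortiManager", (span("7.6.0", "7.6.4"),)),
    Advisory("CVE-2026-22629", "FG-IR-26-079", "FortiAnalyzer", (span("7.6.0", "7.6.4"),)),
    Advisory("CVE-2026-22572", "FG-IR-26-090", "FortiManager", (span("7.6.0", "7.6.3"),)),
    Advisory("CVE-2026-22572", "FG-IR-26-090", "FortiAnalyzer", (span("7.6.0", "7.6.3"),)),
    Advisory("CVE-2025-68482", "FG-IR-26-078", "FortiManager", (span("7.6.0", "7.6.4"),)),
    Advisory("CVE-2025-68482", "FG-IR-26-078", "FortiAnalyzer", (span("7.6.0", "7.6.4"),)),
    Advisory("CVE-2025-48418", "FG-IR-26-081", "FortiManager", (span("7.6.0", "7.6.3"),)),
    Advisory("CVE-2025-48418", "FG-IR-26-081", "FortiAnalyzer", (span("7.6.0", "7.6.3"),)),
    Advisory("CVE-2026-25836", "FG-IR-26-096", "FortiSandbox Cloud", (span("5.0.4"),)),
)


def affected_cves(product, version):
    """Sorted CVE ids from the summary that apply to this product/version."""
    v = parse_version(version)
    hits = {a.cve for a in ADVISORIES
            if a.product.lower() == product.lower()
            and any(lo <= v <= hi for lo, hi in a.ranges)}
    return sorted(hits)


def triage(inventory):
    """inventory: iterable of (hostname, product, version).
    Returns {hostname: [cve, ...]} for every host with at least one match."""
    findings = {}
    for host, product, version in inventory:
        cves = affected_cves(product, version)
        if cves:
            findings[host] = cves
    return findings


if __name__ == "__main__":
    # Constructed sample inventory for the demonstration.
    sample = [
        ("fmg-core-01", "FortiManager", "7.6.2"),
        ("fmg-lab-02", "FortiManager", "v7.2.10-build1234"),
        ("faz-siem-01", "FortiAnalyzer", "7.6.5"),
        ("sw-edge-07", "FortiSwitchAXFixed", "1.0.1"),
    ]
    for host, cves in triage(sample).items():
        print(f"{host}: {', '.join(cves)}")
```

The numeric tuple comparison is the part worth copying into any homegrown checker: a string comparison would place 7.2.10 before 7.2.9 and silently miss the FortiManager 7.2 branch of CVE-2025-54820. The ranges are the summary's, so they should be reconciled against each product's full advisory before being used for decisions.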
Given the critical nature of these vulnerabilities, prompt action is essential to protect enterprise networks from potential exploitation.