Fortinet closes brute-force and command injection flaws in FortiWeb & Co.

Fortinet closes flaws in FortiWeb and FortiManager that, among other things, allow command injection. FortiGate firewalls have been attacked.

Fortinet sign at cybersecurity company headquarters in Silicon Valley (Image: Michael Vi / Shutterstock.com)


Although Fortinet doesn't call it Patchday, it is releasing several security updates for various products to coincide with the Patchday date. High-risk flaws are found in FortiWeb, FortiManager, and FortiClientLinux, among others. Attackers can inject commands or launch brute-force attacks against access points.

The most severe security vulnerability affects FortiClientLinux: due to a link-following vulnerability, local users without extensive rights can escalate their privileges to root (CVE-2026-24018, CVSS 7.4, Risk “high”). Insufficient restriction of how often a client may interact with the service allows unauthenticated attackers to bypass FortiWeb's authentication rate limit with manipulated requests (CVE-2026-24017, CVSS 7.3, Risk “high”); FortiWeb versions 7.0.12, 7.2.12, 7.4.11, 7.6.6, and 8.0.3 or later correct the error. In FortiManager's fgtupdates service, a stack-based buffer overflow can occur when it processes manipulated requests sent by unauthenticated attackers from the network, allowing them to inject and execute commands (CVE-2025-54820, CVSS 7.0, Risk “high”). FortiManager 7.2.11 and 7.4.3, as well as newer versions, fix the vulnerability; those still on version 6.4 must migrate to a newer release. As a workaround, disabling the fgtupdates service, if it is enabled, also helps.

Fortinet lists 15 additional security vulnerabilities:

Meanwhile, SentinelOne has published the results of its analysis of FortiGate firewall breaches. The IT researchers first criticize, as a recurring pattern, that affected organizations log too little, which makes it impossible to determine when the intrusion happened and which vulnerability was exploited. The time between the intrusion into the firewall and the compromise of further devices ranged from almost immediately to two months. Among other things, the analysts describe how attackers explore the device configuration and, for example, create their own admin accounts to secure persistent access. Before spreading further within the network, there were only occasional logins to check whether the access still worked. SentinelOne regards this as typical behavior of initial access brokers, who sell compromised access to third parties. Those buyers then moved machines into the AD and tried to gain further network access through them; however, their scans triggered security alerts.

In another case, the attackers likewise created a local admin on the compromised FortiGate firewall and read AD credentials from it. Within the following ten minutes, they logged into several servers with the AD admin account and installed Remote Monitoring and Management (RMM) tools. According to the report's authors, Pulseway and MeshAgent are legitimate admin tools, but they are frequently used by malicious actors. The attackers then installed malware downloaded from AWS cloud storage, used it to create a volume shadow copy, and transferred some of the data from it to their own servers. These incidents show that compromised firewalls are indeed being misused for deep infiltration.
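As an added illustration that is not part of the article or of SentinelOne's report, the following Python snippet parses FortiGate-style key="value" event log lines and flags the pattern described above: a new administrator account being created on the firewall, followed by a login with that account. The log lines are constructed samples, and the field names (cfgpath, cfgobj, action, user, ui) are assumptions to verify against your own firewall's log format.

```python
import re

# Constructed sample FortiGate-style event log lines, not real captures.
# Field names follow FortiGate's config-change event format as assumed here.
SAMPLE_LOGS = [
    'date=2026-02-10 time=09:14:02 type="event" subtype="system" level="information" '
    'logdesc="Object attribute configured" user="admin" ui="https(203.0.113.7)" '
    'action="Add" cfgpath="system.admin" cfgobj="svc_backup" msg="Add system.admin svc_backup"',
    'date=2026-02-10 time=09:14:30 type="event" subtype="system" level="notice" '
    'logdesc="Admin login successful" user="svc_backup" ui="https(203.0.113.7)" '
    'action="login" status="success" msg="Administrator svc_backup logged in successfully"',
    'date=2026-02-10 time=10:00:00 type="event" subtype="system" level="information" '
    'logdesc="Object attribute configured" user="admin" ui="ssh(10.0.0.5)" '
    'action="Edit" cfgpath="firewall.policy" cfgobj="12" msg="Edit firewall.policy 12"',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_fortigate_line(line):
    """Turn one FortiGate key=value event line into a dict of field -> value."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in FIELD_RE.finditer(line)}


def find_admin_account_events(lines):
    """Return (kind, account, actor, ui) tuples for admin-account creations and
    for subsequent logins by accounts created within the same log window."""
    findings = []
    new_admins = set()
    for line in lines:
        ev = parse_fortigate_line(line)
        if ev.get("cfgpath") == "system.admin" and ev.get("action") == "Add":
            new_admins.add(ev.get("cfgobj"))
            findings.append(("admin_created", ev.get("cfgobj"), ev.get("user"), ev.get("ui")))
        elif ev.get("action") == "login" and ev.get("user") in new_admins:
            findings.append(("new_admin_login", ev.get("user"), ev.get("user"), ev.get("ui")))
    return findings


if __name__ == "__main__":
    for finding in find_admin_account_events(SAMPLE_LOGS):
        print(finding)
```

The point of the check is that both events are only visible if the firewall forwards its event log to a collector; without that, as SentinelOne notes, the creation of the account and its first use cannot be reconstructed afterwards.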


Anyone using Fortinet products should therefore install the available updates promptly. Vulnerabilities in network products like these are highly popular among cybercriminals and are repeatedly exploited shortly after becoming known.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.