Fortinet patches eleven security vulnerabilities in several products

Fortinet published eleven advisories for security vulnerabilities in various products during the second Tuesday of the month – commonly known as “Patch Tuesday” or simply Patchday, familiar from the Microsoft world. Two of these are considered critical vulnerabilities and one is highly risky.

A critical vulnerability exists in FortiAuthenticator due to insufficient access controls. It allows attackers to execute unauthorized code or commands with manipulated requests without prior authentication (CVE-2026-44277, CVSS 9.1, Risk “critical”). FortiAuthenticator 6.5.7, 6.6.9, and 8.0.3, as well as newer versions, correct this. With manipulated HTTP requests, malicious actors can execute unauthorized code or commands in FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS Web UI due to a lack of authorization (CVE-2026-26083, CVSS 9.1, Risk “critical”).

In the FortiOS CAPWAP-Daemon, attackers who have control over authenticated FortiAP FortiExtender or FortiSwitches can gain execution privileges on the FortiGate devices. This is due to possible write accesses outside of intended memory boundaries. However, Fortinet does not explain how these can be provoked (CVE-2025-53844, CVSS 8.3, Risk “high”).

Fortinet: Medium-Severity Security Vulnerabilities

Fortinet also warns of further vulnerabilities. Sorted by severity, these are:

• OS command injection in CLI – FortiAP/FortiAP-W2 (CVE-2025-53870, CVSS 6.5, Risk “medium”)
• SQL command injection in administrative portal – FortiMail (CVE-2025-53681, CVSS 6.3, Risk “medium”)
• Command injection in CLI – FortiAP/FortiAP-W2 (CVE-2025-53680, CVSS 6.1, Risk “medium”)
• DoS due to unsafe function in signal handler – FortiAnalyzer, FortiManager (CVE-2025-67604, CVSS 5.2, Risk “medium”)
• User controlled SQL commands – FortiNDR (CVE-2026-25088, CVSS 5.1, Risk “medium”)
• OTP Disclosure via Exported TokenContentProvider – FortiTokenAndroid (CVE-2026-44279, CVSS 5.0, Risk “medium”)
• Arbitrary log file read in administrative interface – FortiDeceptor (CVE-2026-25690, CVSS 4.0, Risk “medium”)
• Hardcoded Encryption Key Used for VPN Saved Passwords – FortiClientWindows (CVE-2026-44278, CVSS 2.1, Risk “low”)

IT managers should check if they are using vulnerable Fortinet appliances and apply available updates promptly.

For the April “Patchday”, Fortinet had addressed 18 security vulnerabilities. The developers also classified some of these as critical risks. Since Fortinet is directly connected to networks, software vulnerabilities are a coveted target for criminals. In early April, for example, malicious actors attacked a critical security vulnerability in FortiClient EMS.

(dmk)