Fortinet has disclosed a critical heap-based buffer overflow vulnerability (CWE-122) in the cw_acd daemon of FortiOS and FortiSwitchManager.
This flaw enables a remote, unauthenticated attacker to execute arbitrary code or commands by sending specially crafted requests over the network.
Organizations relying on Fortinet’s firewalls, secure access service edge (SASE) solutions, and switch management tools face high risk, especially in environments with exposed fabric interfaces.
Discovered internally by Fortinet Product Security Team member Gwendal Guégniaud, the vulnerability was published on January 13, 2026. While no CVE identifier has been assigned yet, Fortinet urges immediate patching due to the risk of full-system compromise without authentication.
Multiple FortiOS branches, FortiSASE releases, and FortiSwitchManager versions are impacted. Administrators should verify their deployments and follow the recommended upgrade paths using Fortinet’s upgrade tool.
| Product | Affected Versions | Solution |
|---|---|---|
| FortiOS 7.6 | 7.6.0 through 7.6.3 | Upgrade to 7.6.4 or above |
| FortiOS 7.4 | 7.4.0 through 7.4.8 | Upgrade to 7.4.9 or above |
| FortiOS 7.2 | 7.2.0 through 7.2.11 | Upgrade to 7.2.12 or above |
| FortiOS 7.0 | 7.0.0 through 7.0.17 | Upgrade to 7.0.18 or above |
| FortiOS 6.4 | 6.4.0 through 6.4.16 | Upgrade to 6.4.17 or above |
| FortiSASE 25.2 | 25.2.b | Already remediated in 25.2.c |
| FortiSASE 25.1.a | 25.1.a.2 | Migrate to fixed release |
| FortiSASE 24.4–22 | Not affected | N/A |
| FortiSwitchManager 7.2 | 7.2.0 through 7.2.6 | Upgrade to 7.2.7 or above |
| FortiSwitchManager 7.0 | 7.0.0 through 7.0.5 | Upgrade to 7.0.6 or above |
Workarounds
In the absence of patches, Fortinet recommends two mitigations. First, disable “fabric” access on interfaces:
textconfig system interface
edit "port1"
set allowaccess ssh https # Remove 'fabric'
next
end
Second, block CAPWAP-CONTROL traffic (UDP ports 5246-5249) via local-in policies, allowing only trusted sources. Define custom services, address groups, and policies to permit from approved IPs while denying others.
Fortinet advises prioritizing upgrades, monitoring logs for anomalous cw_acd activity, and segmenting management interfaces. This vulnerability underscores the ongoing need for vigilant patch management in enterprise networks.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
