CyberSecurityNews

Fortinet Patches Seven Vulnerabilities Across FortiOS, FortiProxy, FortiPAM, and FortiSandbox


Fortinet disclosed seven new security advisories on July 14, 2026, affecting FortiOS, FortiProxy, FortiPAM, and FortiSandbox. The flaws range from low-severity header injection bugs to medium-severity buffer overflows and a notably concerning unauthenticated VNC exposure in FortiSandbox.

While none carry a critical rating, several affect widely deployed enterprise firewall and proxy versions, making prompt patching a priority for security teams.

The advisories span core Fortinet product lines used in enterprise perimeter security: FortiOS (versions 7.0 through 8.0), FortiProxy (7.2 through 7.6), FortiPAM (1.4 through 1.9), and FortiSandbox (4.4 through 5.2).

Given how central these platforms are to network defense, unpatched instances pose a real risk, particularly when attacker-facing components such as SSL-VPN or captive portals are exposed.

CVEVulnerabilityComponentAccessSeverity
CVE-2025-43892Buffer over-read (CWE-126) in authd and wad daemonCLIAuthenticatedMedium
CVE-2025-62675HTTP response splitting via CRLF injection in Web Filter warning pageOthersUnauthenticatedLow
CVE-2025-62826HTTP response splitting via CRLF injection in captive portal auth formOthersUnauthenticatedLow
CVE-2026-59839Path traversal (CWE-22) enabling root filesystem deletion via CLICLIAuthenticatedMedium
CVE-2026-23573Reflected XSS in SSL-VPNSSL-VPNUnauthenticatedMedium
CVE-2026-59837Stack-based buffer overflow (CWE-121) in log report generationGUIAuthenticatedMedium
CVE-2026-59835Unauthenticated VNC exposed on all interfaces (CWE-668)OthersUnauthenticatedNot disclosed

Two flaws stand out for practical risk. CVE-2026-59839 (path traversal) is dangerous because an authenticated attacker with limited CLI access could potentially delete critical root filesystem files, causing denial of service or device instability.

CVE-2026-59835 in FortiSandbox is arguably the most urgent: exposing VNC without authentication on all network interfaces could allow an unauthenticated attacker to gain direct console access to the sandboxing appliance, a component often trusted to analyze malicious files in isolated environments.

The two CRLF injection bugs (FG-IR-26-152 and FG-IR-26-153) allow response splitting on the Web Filter warning page and captive portal login form.

While rated low severity, these could be chained with phishing or cache-poisoning techniques to manipulate what users see when interacting with FortiOS-managed network access points.

The reflected XSS in SSL-VPN (CVE-2026-23573) is unauthenticated and web-facing, meaning attackers could craft malicious links targeting users who access the SSL-VPN portal, a common entry point Fortinet devices have historically had exploited in real-world attacks.

Tips for Defenders

  • Apply Fortinet’s official patches for FortiOS, FortiProxy, FortiPAM, and FortiSandbox immediately, prioritizing internet-facing SSL-VPN and captive portal deployments.
  • Restrict CLI access to trusted administrators only, given two flaws require authenticated CLI access.
  • Audit FortiSandbox network exposure and disable VNC access on interfaces where it isn’t explicitly required.
  • Monitor Fortinet’s PSIRT advisories for updated CVSS scores and any confirmed in-the-wild exploitation.

Fortinet has a track record of these advisories preceding active exploitation attempts, so organizations running affected versions should treat this batch as a near-term patching priority rather than routine maintenance.

Attackers Move in Seconds. Defenses Take Hours! Blackpoint Built the Answer – Attend a Free Webinar on AI SOC Agent to contain a live attack.



Source link