Fortinet disclosed seven new security advisories on July 14, 2026, affecting FortiOS, FortiProxy, FortiPAM, and FortiSandbox. The flaws range from low-severity header injection bugs to medium-severity buffer overflows and a notably concerning unauthenticated VNC exposure in FortiSandbox.
While none carry a critical rating, several affect widely deployed enterprise firewall and proxy versions, making prompt patching a priority for security teams.
The advisories span core Fortinet product lines used in enterprise perimeter security: FortiOS (versions 7.0 through 8.0), FortiProxy (7.2 through 7.6), FortiPAM (1.4 through 1.9), and FortiSandbox (4.4 through 5.2).
Given how central these platforms are to network defense, unpatched instances pose a real risk, particularly when attacker-facing components such as SSL-VPN or captive portals are exposed.
| CVE | Vulnerability | Component | Access | Severity |
|---|---|---|---|---|
| CVE-2025-43892 | Buffer over-read (CWE-126) in authd and wad daemon | CLI | Authenticated | Medium |
| CVE-2025-62675 | HTTP response splitting via CRLF injection in Web Filter warning page | Others | Unauthenticated | Low |
| CVE-2025-62826 | HTTP response splitting via CRLF injection in captive portal auth form | Others | Unauthenticated | Low |
| CVE-2026-59839 | Path traversal (CWE-22) enabling root filesystem deletion via CLI | CLI | Authenticated | Medium |
| CVE-2026-23573 | Reflected XSS in SSL-VPN | SSL-VPN | Unauthenticated | Medium |
| CVE-2026-59837 | Stack-based buffer overflow (CWE-121) in log report generation | GUI | Authenticated | Medium |
| CVE-2026-59835 | Unauthenticated VNC exposed on all interfaces (CWE-668) | Others | Unauthenticated | Not disclosed |
Two flaws stand out for practical risk. CVE-2026-59839 (path traversal) is dangerous because an authenticated attacker with limited CLI access could potentially delete critical root filesystem files, causing denial of service or device instability.
CVE-2026-59835 in FortiSandbox is arguably the most urgent: exposing VNC without authentication on all network interfaces could allow an unauthenticated attacker to gain direct console access to the sandboxing appliance, a component often trusted to analyze malicious files in isolated environments.
The two CRLF injection bugs (FG-IR-26-152 and FG-IR-26-153) allow response splitting on the Web Filter warning page and captive portal login form.
While rated low severity, these could be chained with phishing or cache-poisoning techniques to manipulate what users see when interacting with FortiOS-managed network access points.
The reflected XSS in SSL-VPN (CVE-2026-23573) is unauthenticated and web-facing, meaning attackers could craft malicious links targeting users who access the SSL-VPN portal, a common entry point Fortinet devices have historically had exploited in real-world attacks.
Tips for Defenders
- Apply Fortinet’s official patches for FortiOS, FortiProxy, FortiPAM, and FortiSandbox immediately, prioritizing internet-facing SSL-VPN and captive portal deployments.
- Restrict CLI access to trusted administrators only, given two flaws require authenticated CLI access.
- Audit FortiSandbox network exposure and disable VNC access on interfaces where it isn’t explicitly required.
- Monitor Fortinet’s PSIRT advisories for updated CVSS scores and any confirmed in-the-wild exploitation.
Fortinet has a track record of these advisories preceding active exploitation attempts, so organizations running affected versions should treat this batch as a near-term patching priority rather than routine maintenance.
Attackers Move in Seconds. Defenses Take Hours! Blackpoint Built the Answer – Attend a Free Webinar on AI SOC Agent to contain a live attack.

