Fortinet released a sweeping security advisory on March 10, 2026, addressing eleven vulnerabilities across its core enterprise products, including FortiManager, FortiAnalyzer, FortiSwitchAXFixed, and FortiSandbox.
The flaws range from authentication bypasses and buffer overflows to OS command injection and SQL injection, several of which could allow remote attackers to execute arbitrary commands or escalate privileges on affected systems.
Two vulnerabilities received a High severity rating and pose the most significant risk to unpatched environments.
CVE-2026-22627 (FG-IR-26-086) describes a Classic Buffer Overflow (CWE-120) in the LLDP OUI field of FortiSwitchAXFixed versions 1.0.0 and 1.0.1. Buffer overflow vulnerabilities of this type allow attackers to overwrite adjacent memory, potentially enabling arbitrary code execution on the affected device.
CVE-2025-54820 (FG-IR-26-098) identifies a Stack-based Buffer Overflow (CWE-121) in the FortiManager fgtupdates service. Affected versions include FortiManager 7.4.0 through 7.4.2 and 7.2.9 through 7.2.10. An attacker exploiting this flaw could trigger remote code execution through a crafted update request, making it a critical concern for organizations running centralized network management infrastructure.
Authentication and MFA Bypass Vulnerabilities
Three separate vulnerabilities affect authentication mechanisms across FortiManager and FortiAnalyzer, collectively creating significant access control risks.
CVE-2026-22629 (FG-IR-26-079) is an improper restriction of excessive authentication attempts (CWE-307) that introduces an authentication lockout bypass through a race condition. This affects FortiAnalyzer versions 7.6.0–7.6.4, FortiAnalyzer Cloud, FortiManager 7.6.0–7.6.4, and FortiManager Cloud. By exploiting the timing window in the lockout mechanism, an attacker could brute-force credentials without triggering account lockouts.
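The lockout race described above is a generic check-then-act bug: the failure counter is read and compared, the password is verified, and only afterwards is the counter incremented, so requests that arrive in the same window all see the pre-lockout count. The following is an added example (not Fortinet code and not derived from the advisory) that shows that shape beside a race-free design in which reserving an attempt, comparing the count and incrementing it happen as one locked step before the password is examined. The credential store, the thresholds and the `concurrent_attempts` harness are constructed for the demo.

```python
import hashlib
import hmac
import threading
import time

MAX_FAILURES = 5        # consecutive failures allowed before lockout (demo value)
LOCKOUT_SECONDS = 300   # how long the account stays locked (demo value)

# Constructed demo credential store (username -> sha256 hex of password).
# A real system would use a slow password hash; the point here is the counter.
_USERS = {"admin": hashlib.sha256(b"correct horse battery staple").hexdigest()}


def _password_matches(user, password):
    expected = _USERS.get(user, "0" * 64)   # always compare, to keep timing uniform
    digest = hashlib.sha256(password.encode()).hexdigest()
    ok = hmac.compare_digest(expected, digest)
    return ok and user in _USERS


class RacyLockout:
    """The vulnerable shape: read, compare and increment are three separate
    steps with no lock, so concurrent requests all observe the old count."""

    def __init__(self):
        self.failures = {}
        self.passwords_checked = 0

    def attempt(self, user, password):
        if self.failures.get(user, 0) >= MAX_FAILURES:        # 1. read and compare
            return False
        self.passwords_checked += 1                            # 2. password verified
        if _password_matches(user, password):
            self.failures.pop(user, None)
            return True
        self.failures[user] = self.failures.get(user, 0) + 1   # 3. increment, too late
        return False


class AtomicLockout:
    """Race-free shape: the attempt is reserved under a lock before the password
    is looked at, so at most MAX_FAILURES comparisons happen per lockout window
    no matter how many requests arrive at once."""

    def __init__(self, clock=time.monotonic):
        self._lock = threading.Lock()
        self._failures = {}      # user -> attempts reserved in the current window
        self._locked_until = {}  # user -> clock value at which the lockout expires
        self._clock = clock      # injectable so expiry can be tested without sleeping
        self.passwords_checked = 0

    def _reserve_slot(self, user):
        now = self._clock()
        with self._lock:
            until = self._locked_until.get(user)
            if until is not None:
                if until > now:
                    return False
                del self._locked_until[user]   # lockout expired: fresh window
                self._failures[user] = 0
            n = self._failures.get(user, 0) + 1
            self._failures[user] = n           # counted before verification
            if n > MAX_FAILURES:
                self._locked_until[user] = now + LOCKOUT_SECONDS
                return False
            return True

    def attempt(self, user, password):
        if not self._reserve_slot(user):
            return False
        with self._lock:
            self.passwords_checked += 1
        if _password_matches(user, password):
            with self._lock:
                self._failures.pop(user, None)   # success resets the counter
            return True
        return False


def concurrent_attempts(lockout, user, password, n_threads):
    """Release n_threads attempts together and report how many reached the
    password comparison. For AtomicLockout this never exceeds MAX_FAILURES."""
    start = threading.Barrier(n_threads)

    def worker():
        start.wait()
        lockout.attempt(user, password)

    threads = [threading.Thread(target=worker) for _ in range(n_threads)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return lockout.passwords_checked


if __name__ == "__main__":
    safe = AtomicLockout()
    print("atomic lockout:", concurrent_attempts(safe, "admin", "wrong", 50), "comparisons")
```

The design choice worth noting is that `AtomicLockout` counts the attempt before it knows the outcome and only decrements on success; counting after verification reopens the window. The same property holds for a shared counter in a database or cache as long as the read-compare-increment is a single atomic operation.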
CVE-2026-22572 (FG-IR-26-090) represents a more serious authentication bypass using an alternate path or channel (CWE-288) in the GUI of FortiAnalyzer and FortiManager versions 7.6.0–7.6.3, along with corresponding Cloud versions. This flaw effectively allows an attacker to bypass multi-factor authentication entirely, which significantly weakens one of the most critical defensive layers for administrative access.
CVE-2025-68482 (FG-IR-26-078) involves improper TLS certificate validation (CWE-295) during initial SSO authentication in the FortiManager GUI, affecting FortiAnalyzer and FortiManager 7.6.0–7.6.4. A remote attacker could intercept or manipulate the authentication process through a man-in-the-middle attack.
Command Injection and Privilege Escalation
CVE-2026-25836 (FG-IR-26-096) is an OS Command Injection vulnerability (CWE-78) in the vmimages update feature of FortiSandbox Cloud 5.0.4. Successful exploitation could allow an authenticated attacker to execute arbitrary operating system commands through the GUI, leading to full system compromise.
CVE-2025-48418 (FG-IR-26-081) exposes an undocumented CLI feature (CWE-1242) in FortiManager and FortiAnalyzer, affecting versions 7.6.0–7.6.3 and associated Cloud platforms. A remote attacker with existing access could exploit this hidden command to escalate privileges beyond their authorized level.
CVE-2026-22628 (FG-IR-26-085) describes an Improper Access Control flaw (CWE-284) in FortiSwitchAXFixed 1.0.0 and 1.0.1, allowing an authenticated admin user to bypass shell command restrictions through SSH local configuration overrides.
The advisory also covers several other medium-rated issues. CVE-2025-68648 (FG-IR-26-092) is a format string vulnerability (CWE-134) in the fazsvcd component of FortiAnalyzer and FortiManager, exposed via the API.
CVE-2025-49784 (FG-IR-26-095) is an SQL Injection flaw (CWE-89) in the FortiAnalyzer JSON-RPC API, affecting versions 7.6.0–7.6.4 and FortiAnalyzer-BigData.
Finally, CVE-2025-53608 (FG-IR-26-091) is a stored Cross-Site Scripting (XSS) vulnerability (CWE-79) in the LDAP server option of FortiSandbox versions 4.4.6–5.0.2.
Mitigations
Organizations using affected Fortinet products should prioritize the following steps:
- Apply the patches released by Fortinet immediately, particularly for the two High-severity buffer overflow vulnerabilities
- Audit administrative access and review MFA configurations across FortiManager and FortiAnalyzer deployments
- Restrict CLI and SSH access to trusted administrator accounts only
- Monitor for unusual authentication patterns or privilege escalation activity in logs
- Review FortiSandbox Cloud environments for signs of command injection attempts
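The monitoring step above is easiest to act on with a concrete rule set. The following is an added example, not part of the advisory and not Fortinet's log format: the sample lines and their key=value layout are constructed for the demo. It runs three checks over the lines: a burst of failed logins for one user from one source within a short window (the pattern a lockout bypass would produce), a success that follows such a burst, and an account changing its own admin profile.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

FAIL_THRESHOLD = 5    # failed logins per (user, src) that count as a burst (demo value)
WINDOW_SECONDS = 60   # sliding window for the burst rule (demo value)

# Constructed sample log lines. The generic key=value layout is chosen for this
# example only and is not the format any Fortinet product emits.
SAMPLE_LOGS = """\
2026-03-11T08:00:01Z fmg-01 event=login user=admin src=203.0.113.10 status=failed
2026-03-11T08:00:02Z fmg-01 event=login user=admin src=203.0.113.10 status=failed
2026-03-11T08:00:02Z fmg-01 event=login user=admin src=203.0.113.10 status=failed
2026-03-11T08:00:03Z fmg-01 event=login user=admin src=203.0.113.10 status=failed
2026-03-11T08:00:03Z fmg-01 event=login user=admin src=203.0.113.10 status=failed
2026-03-11T08:00:03Z fmg-01 event=login user=admin src=203.0.113.10 status=failed
2026-03-11T08:00:04Z fmg-01 event=login user=admin src=203.0.113.10 status=success
2026-03-11T08:05:00Z fmg-01 event=login user=ops src=198.51.100.7 status=failed
2026-03-11T08:30:00Z fmg-01 event=login user=ops src=198.51.100.7 status=success
2026-03-11T08:31:10Z fmg-01 event=profile_change user=ops src=198.51.100.7 from=restricted_user to=super_admin actor=ops
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kv>.*)$")


def parse_line(line):
    """Turn one '<ts> <host> k=v k=v ...' line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {}
    for pair in m.group("kv").split():
        if "=" in pair:
            k, v = pair.split("=", 1)
            rec[k] = v
    rec["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["host"] = m.group("host")
    return rec


def detect(lines):
    """Return a list of alert dicts for the three rules described in the lead-in."""
    alerts = []
    recent_failures = defaultdict(deque)   # (user, src) -> timestamps of failures in window

    def alert(rule, rec):
        alerts.append({"rule": rule, "user": rec.get("user"), "src": rec.get("src"),
                       "ts": rec["ts"].isoformat()})

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts = rec["ts"]
        key = (rec.get("user"), rec.get("src"))

        if rec.get("event") == "login":
            window = recent_failures[key]
            while window and (ts - window[0]).total_seconds() > WINDOW_SECONDS:
                window.popleft()               # drop failures older than the window
            if rec.get("status") == "failed":
                window.append(ts)
                if len(window) == FAIL_THRESHOLD:   # fire once when the threshold is crossed
                    alert("auth_burst", rec)
            elif rec.get("status") == "success":
                if len(window) >= FAIL_THRESHOLD:
                    alert("success_after_burst", rec)
                window.clear()                 # a success starts a fresh window

        elif rec.get("event") == "profile_change":
            if rec.get("actor") and rec.get("actor") == rec.get("user"):
                alert("self_privilege_change", rec)   # account raised its own profile

    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOGS.splitlines()):
        print(a)
```

Against the sample, the admin burst from 203.0.113.10 fires `auth_burst` on the fifth failure and `success_after_burst` on the login that follows; the single ops failure 25 minutes before its success is outside the window and stays quiet; the ops account promoting itself fires `self_privilege_change`. Thresholds and field names would need mapping to the real log schema before use.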
Fortinet has published the full technical advisories through its FortiGuard PSIRT portal, and administrators are urged to cross-reference installed versions against the affected version lists for each CVE.