Fortinet FortiOS/FortiSwitchManager Heap Buffer Overflow Enabling Remote Code Execution
Fortinet disclosed a critical heap-based buffer overflow (CWE-122) in the cw_acd daemon affecting FortiOS and FortiSwitchManager, which can allow remote, unauthenticated attackers to execute arbitrary code or commands via specially crafted network traffic. Impacted versions span multiple FortiOS branches (6.4 through 7.6), along with FortiSASE and FortiSwitchManager releases; Fortinet advised immediate upgrades (e.g., FortiOS 7.6.4+, 7.4.9+, 7.2.12+, 7.0.18+, 6.4.17+; FortiSwitchManager 7.2.7+ and 7.0.6+), and noted FortiSASE 25.2.b is remediated in 25.2.c. The issue was reported as discovered internally by Fortinet’s product security team, and public reporting indicated no CVE was initially listed at publication time.
Separately, Fortinet also disclosed a low-severity SSRF in FortiSandbox tracked as CVE-2025-67685 (FG-IR-25-783), where an authenticated, high-privilege user can craft GUI-driven HTTP requests to proxy traffic to internal plaintext endpoints (CWE-918). While this SSRF could enable internal service exposure or pivoting in segmented environments, it requires privileged access and was not reported as actively exploited; Fortinet recommended upgrading FortiSandbox (e.g., 5.0.5+ for 5.0.0–5.0.4) and migrating off legacy 4.x branches. For the FortiOS/FortiSwitchManager RCE, interim mitigations included removing fabric access from interfaces and restricting CAPWAP-CONTROL (UDP 5246–5249) to trusted sources via local-in policies.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
CVE-2025-25249 is published for Fortinet heap overflow flaw
The vulnerability was cataloged as CVE-2025-25249, describing a heap-based buffer overflow in FortiOS, FortiSASE, and FortiSwitchManager that can be triggered by specially crafted packets. Public CVE details stated that successful exploitation could allow unauthorized code or command execution on affected systems.
Fortinet discloses critical FortiOS and FortiSwitchManager vulnerability
On January 13, 2026, Fortinet publicly disclosed the critical vulnerability affecting multiple FortiOS branches, certain FortiSASE releases, and multiple FortiSwitchManager versions. The company published fixed versions and urged customers to patch immediately because exposed fabric interfaces could lead to full system compromise.
Fortinet internally discovers heap overflow in cw_acd daemon
Fortinet Product Security Team member Gwendal Guégniaud identified a heap-based buffer overflow in the cw_acd daemon affecting FortiOS and FortiSwitchManager. The flaw could be triggered by specially crafted network packets to enable remote code or command execution.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Fortinet Patches Critical FortiSandbox and FortiManager Command-Execution Flaws
Fortinet issued multiple 2026 security advisories covering a broad set of vulnerabilities across **FortiSandbox, FortiManager, FortiAnalyzer, FortiOS, FortiAP, FortiProxy, FortiPAM, FortiSwitchManager, FortiSwitchAXFixed,** and related cloud offerings. The most severe flaws affect **FortiSandbox**, including `CVE-2026-39808`, an unauthenticated OS command injection bug that could allow arbitrary command execution and full device compromise, `CVE-2026-39813`, a path traversal issue in the JRPC API that may enable authentication bypass and privilege escalation, and `CVE-2026-26083`, a missing authorization flaw that can expose restricted functionality and sensitive sandbox analysis data through the GUI without authentication. National cyber authorities in Canada and Belgium separately warned organizations to apply Fortinet’s fixes immediately. Fortinet also disclosed high-risk issues in management platforms, notably `CVE-2025-54820`, a stack-based buffer overflow in the **FortiManager** `fgtupdates` service that can let remote unauthenticated attackers execute unauthorized commands when the service is enabled, as well as a heap-based buffer overflow affecting **FortiAnalyzer Cloud** and **FortiManager Cloud**. Additional weaknesses across the product line include authentication and MFA bypasses, SQL injection, API denial of service, CLI command injection in FortiAP, CAPWAP daemon memory corruption in FortiOS, stored and reflected XSS, improper access control, and credential exposure. Fortinet advised customers to upgrade to fixed releases, disable exposed services such as `fgtupdates` where possible, restrict CLI, SSH, and API access, and monitor logs for anomalous authentication, privilege escalation, and endpoint activity.
Jun 18, 2026
Fortinet Patches Multiple Vulnerabilities Across FortiClient and Other Products
Fortinet released security updates addressing **22 vulnerabilities** across multiple products, including **FortiWeb**, **FortiSwitchAX**, **FortiManager**, and **FortiClient (Linux)**. The issues span multiple bug classes (e.g., **authentication bypass**, **heap-based buffer overflow**, and **cleartext storage of sensitive information**) and could enable outcomes such as security bypass, data tampering, denial-of-service, privilege escalation, information disclosure, and in some cases **unauthorized code/command execution**. Belgium’s CCB urged organizations to patch promptly and noted Fortinet reported **no evidence of active exploitation** at the time of the advisory. One of the patched flaws, **CVE-2026-24018** (CVSS **7.8**), was detailed by the **Zero Day Initiative (ZDI-26-186)** as a **local privilege escalation** vulnerability in *FortiClient*. ZDI reported the flaw stems from handling of certain shared objects: a local attacker with the ability to run low-privileged code can create a **symbolic link** to coerce a service into loading an arbitrary shared object, enabling execution of attacker-controlled code as **root**. Fortinet issued a fix and published vendor guidance under **FG-IR-26-083**.
Mar 21, 2026
Fortinet Patches Critical RCE Flaws in FortiAuthenticator and FortiSandbox
Fortinet released fixes for two **critical** vulnerabilities that could let remote, unauthenticated attackers run unauthorized code or commands on exposed systems. The first, **`CVE-2026-44277`**, is an improper access control flaw in **FortiAuthenticator** with a **CVSS 9.1** rating; it affects versions **8.0.0**, **8.0.2**, **6.6.0-6.6.8**, and **6.5.0-6.5.6**, and was patched in **8.0.3**, **6.6.9**, and **6.5.7**. Fortinet said the issue stems from insufficient authorization checks on API endpoints and could allow unauthorized API access, privilege escalation, and command execution, while **FortiAuthenticator Cloud is not affected**. Fortinet also disclosed **`CVE-2026-26083`**, a **CVSS 9.1** missing-authorization flaw in the **FortiSandbox** Web UI that impacts **FortiSandbox**, **FortiSandbox Cloud**, and **FortiSandbox PaaS**, potentially enabling arbitrary code execution across on-premises and cloud deployments. Canada’s Cyber Centre warned that the advisories span multiple Fortinet products and urged administrators to review Fortinet PSIRT notices and apply updates promptly. Public reporting said Fortinet had not observed either flaw being exploited in the wild at disclosure, but the breadth of affected security infrastructure and Fortinet’s history of high-value exploitation have increased urgency around patching exposed appliances.
May 16, 2026