PSIRT Advisories

1. TACACS+ authentication bypass

   A missing authentication for critical function vulnerability [CWE-306] in FortiOS, FortiProxy, and FortiSwitchManager TACACS+ configured to use a remote TACACS+ server for authentication, that has itself been configured to use ASCII authentication may allow an attacker with knowledge of an existing admin account to access the device as a valid admin via an authentication bypass. Revised on 2025-05-28 00:00:00

2. Multiple format string vulnerabilities

   A use of externally-controlled format string vulnerability [CWE-134] in FortiOS, FortiProxy, FortiPAM, FortiSRA and FortiWeb may allow a privileged attacker to execute unauthorized code or commands via specially crafted HTTP or HTTPS commands. Revised on 2025-05-14 00:00:00

3. Buffer over-read in FGFM

   A buffer over-read vulnerability [CWE-126] in FortiOS may allow a remote unauthenticated attacker to crash the FGFM daemon via a specially crafted request, under rare conditions that are outside of the attacker's control. Revised on 2025-05-13 00:00:00

4. Code Execution due to Node.JS Environment Variable

   An improper isolation or compartmentalization vulnerability [CWE-653] in FortiClient MacOS and FortiVoiceUC desktop application may allow an authenticated attacker to inject code via Electron environment variables. Revised on 2025-05-13 00:00:00

5. Denial of Service in Security Fabric Root

   An integer overflow or wraparound vulnerability [CWE-190] in FortiOS Security Fabric may allow a remote unauthenticated attacker to crash the csfd daemon via a specially crafted request. Revised on 2025-05-13 00:00:00

6. Index of FCT installation directory publicly accessible

   An Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability [CWE-497] in FortiClientWindows may allow an unauthorized remote attacker to view application information via navigation to a hosted webpage, if Windows is configured to accept incoming connections to port 8053 (non-default setup) Revised on 2025-05-13 00:00:00

7. Insertion of sensitive information into system log

   An insertion of sensitive information into log file vulnerability [CWE-532] in FortiPortal may allow an authenticated attacker with at least read-only admin permissions to view encrypted secrets via the FortiPortal System Log. Revised on 2025-05-13 00:00:00

8. Local privilege escalation in XPC services

   An Incorrect Authorization vulnerability [CWE-863] in FortiClient Mac may allow a local attacker to escalate privileges via crafted XPC messages. Revised on 2025-05-13 00:00:00

9. OS command injection

   An improper neutralization of special elements used in an os command ('OS Command Injection') vulnerability [CWE-78] in FortiManager, FortiAnalyzer & FortiAnalyzer-BigData may allow a local attacker with low privileges to execute unauthorized code via specifically crafted arguments to a CLI command Revised on 2025-05-13 00:00:00

10. OpenSSH Terrapin attack (CVE-2023-48795)

    CVE-2023-48795The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in [email protected] and (if CBC is used) the [email protected] MAC algorithms. Revised on 2025-05-13 00:00:00

11. OpenSSH regreSSHion Attack (CVE-2024-6387)

    CVE-2024-6387A signal handler race condition was found in OpenSSH's server (sshd), where a client does not authenticate within LoginGraceTime seconds (120 by default, 600 in old OpenSSH versions), then sshd's SIGALRM handler is called asynchronously. However, this signal handler calls various functions that are not async-signal-safe, for example, syslog(). This could lead to remote code execution with root privileges. Revised on 2025-05-13 00:00:00

12. Path traversal in upload message

    A Relative Path Traversal vulnerability [CWE-23] in FortiClientEMS may allow a remote unauthenticated attacker to perform a limited arbitrary file write on the system via upload requests. Revised on 2025-05-13 00:00:00

13. Pre-authentication Denial of Service attack in OpenSSH - CVE-2025-26466

    CVE-2025-26466A flaw was found in the OpenSSH package. For each ping packet the SSH server receives, a pong packet is allocated in a memory buffer and stored in a queue of packages. It is only freed when the server/client key exchange has finished. A malicious client may keep sending such packages, leading to an uncontrolled increase in memory consumption on the server side. Consequently, the server may become unavailable, resulting in a denial of service attack. Revised on 2025-05-13 00:00:00

14. Stack-based buffer overflow vulnerability in API

    A stack-based overflow vulnerability [CWE-121] in FortiVoice, FortiMail, FortiNDR, FortiRecorder and FortiCamera may allow a remote unauthenticated attacker to execute arbitrary code or commands via crafted HTTP requests.Fortinet has observed this to be exploited in the wild on FortiVoice.The operations performed by the Threat Actor in the case we observed were part or all of the below:Scan the device networkErase system crashlogsEnable fcgi debugging to log credentials from the system or SSH login attemptsSee IoCs below for more information Revised on 2025-05-13 00:00:00

15. Unauthorized modification of global threat feeds

    A missing authorization [CWE-862] vulnerability in FortiManager may allow an authenticated attacker to overwrite global threat feeds via crafted update requests. Revised on 2025-05-13 00:00:00

16. Integer Overflow in ipsec ike

    An Integer Overflow or Wraparound vulnerability [CWE-190] in FortiOS and FortiSASE FortiOS tenant IPsec IKEv1 service may allow an authenticated attacker to crash the IPsec tunnel via crafted requests, resulting in potential denial of service. Revised on 2025-05-07 00:00:00

17. Multiple Reflected and Stored Cross-Site Scripting

    Multiple Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerabilities [CWE-79] in FortiSandbox  may allow an authenticated attacker to perform cross-site scripting attack via crafted HTTP requests. Revised on 2025-05-07 00:00:00

18. OS command injection

    An improper neutralization of special elements used in an OS Command vulnerability [CWE-78] in FortiSandbox may allow an authenticated attacker with at least read-only permission to execute unauthorized commands via crafted requests. Revised on 2025-05-07 00:00:00

19. Os command injection on vm download feature

    An improper neutralization of special elements used in an OS Command vulnerability [CWE-78] in FortiSandbox may allow an authenticated attacker with at least read-only permission to execute unauthorized commands via crafted requests. Revised on 2025-05-07 00:00:00

20. Readonly user could execute sensitive operations

    A client-side enforcement of server-side security vulnerability [CWE-602] in FortiSandbox may allow an authenticated attacker with at least read-only permission to download or upload configuration. Revised on 2025-05-07 00:00:00