Severity by source
AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
AV:N for HTTP-based attack; AC:H for mandatory ASLR and stack-canary bypass; PR:H as privileged admin credentials are explicitly required per the description.
Primary rating from Vendor (fortinet).
CVSS VectorVendor: fortinet
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
A stack-based buffer overflow vulnerability in Fortinet FortiOS 7.4.0 through 7.4.1, FortiOS 7.2 all versions, FortiPAM 1.8.0 through 1.8.2, FortiPAM 1.7 all versions, FortiPAM 1.6 all versions, FortiPAM 1.5 all versions, FortiPAM 1.4 all versions, FortiPAM 1.3 all versions, FortiPAM 1.2 all versions, FortiPAM 1.1 all versions, FortiPAM 1.0 all versions, FortiProxy 7.4.0 through 7.4.13, FortiProxy 7.2 all versions may allow a privileged authenticated attacker who can bypass stack protection and ASLR to execute arbitrary code or commands via crafted HTTP requests.
AnalysisAI
Stack-based buffer overflow in Fortinet FortiOS, FortiPAM, FortiProxy, and FortiSASE enables arbitrary code execution for a privileged authenticated attacker capable of bypassing ASLR and stack canary protections via crafted HTTP requests. The CVSS temporal metric E:P confirms proof-of-concept exploit code exists, and RL:O confirms an official patch has been released by Fortinet (advisory FG-IR-26-148). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated attacker holding high-privilege (administrative) credentials on the targeted FortiOS, FortiPAM, FortiProxy, or FortiSASE instance - confirmed by CVSS PR:H. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS base score of 5.9 (Medium) is consistent with the vector AV:N/AC:H/PR:H, where high attack complexity and high privilege requirements each significantly discount the otherwise maximum CIA impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with privileged administrative credentials to a FortiOS or FortiProxy management interface sends a sequence of crafted HTTP requests designed to overflow a stack-allocated buffer in the HTTP parsing subsystem. The attacker first defeats ASLR through a separate information-disclosure technique or heap-shaping primitive to predict stack addresses, then overwrites the return address to redirect execution to attacker-controlled shellcode or a ROP chain. … |
| Remediation | Apply the official vendor patch released by Fortinet as confirmed by CVSS temporal metric RL:O (Official Fix). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
A missing authentication for critical function in Fortinet FortiManager version 7.4.0 through 7.4.2, 7.2.0 through 7.2.4
A use of externally-controlled format string in Fortinet FortiOS versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.
A double free in Fortinet FortiOS versions 7.0.0 through 7.0.5, FortiPAM version 1.0.0 through 1.0.3, 1.1.0 through 1.1.
A use of externally-controlled format string in Fortinet FortiProxy versions 7.2.0 through 7.2.4, 7.0.0 through 7.0.10,
Authenticated remote code execution in Fortinet FortiOS, FortiProxy, and FortiPAM enables low-privileged users to trigge
A stack-based buffer overflow in Fortinet FortiPAM version 1.2.0, 1.1.0 through 1.1.2, 1.0.0 through 1.0.3, FortiWeb, Fo
A use of externally-controlled format string vulnerability in Fortinet FortiOS 7.4.0, FortiOS 7.2.0 through 7.2.5, Forti
A use of externally-controlled format string vulnerability in Fortinet FortiOS 7.4.0, FortiOS 7.2.0 through 7.2.5, Forti
A use of externally-controlled format string vulnerability [CWE-134] vulnerability in Fortinet allows a privileged attac
A double free vulnerability [CWE-415] vulnerability in Fortinet FortiOS 7.4.0, FortiOS 7.2.0 through 7.2.5, FortiOS 7.0.
A security vulnerability in Fortinet FortiPAM 1.4.0 (CVSS 6.3) that allows attacker. Remediation should follow standard
Reflected or stored cross-site scripting in Fortinet FortiOS, FortiPAM, and FortiProxy web interfaces allows a remote un
Same weakness CWE-121 – Stack-based Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43703
GHSA-wxrh-6ch6-6hp4