Skip to main content

FortiOS EUVDEUVD-2026-43703

| CVE-2026-59837 MEDIUM
Stack-based Buffer Overflow (CWE-121)
2026-07-14 fortinet GHSA-wxrh-6ch6-6hp4
6.6
CVSS 3.1 · Vendor: fortinet
Share

Severity by source

Vendor (fortinet) PRIMARY
6.6 MEDIUM
AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
6.6 MEDIUM

AV:N for HTTP-based attack; AC:H for mandatory ASLR and stack-canary bypass; PR:H as privileged admin credentials are explicitly required per the description.

3.1 AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (fortinet).

CVSS VectorVendor: fortinet

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
CVSS changed
Jul 14, 2026 - 16:22 NVD
5.9 (MEDIUM) 6.6 (MEDIUM)
Analysis Generated
Jul 14, 2026 - 16:01 vuln.today
CVE Published
Jul 14, 2026 - 15:06 cve.org
MEDIUM 5.9

DescriptionCVE.org

A stack-based buffer overflow vulnerability in Fortinet FortiOS 7.4.0 through 7.4.1, FortiOS 7.2 all versions, FortiPAM 1.8.0 through 1.8.2, FortiPAM 1.7 all versions, FortiPAM 1.6 all versions, FortiPAM 1.5 all versions, FortiPAM 1.4 all versions, FortiPAM 1.3 all versions, FortiPAM 1.2 all versions, FortiPAM 1.1 all versions, FortiPAM 1.0 all versions, FortiProxy 7.4.0 through 7.4.13, FortiProxy 7.2 all versions may allow a privileged authenticated attacker who can bypass stack protection and ASLR to execute arbitrary code or commands via crafted HTTP requests.

AnalysisAI

Stack-based buffer overflow in Fortinet FortiOS, FortiPAM, FortiProxy, and FortiSASE enables arbitrary code execution for a privileged authenticated attacker capable of bypassing ASLR and stack canary protections via crafted HTTP requests. The CVSS temporal metric E:P confirms proof-of-concept exploit code exists, and RL:O confirms an official patch has been released by Fortinet (advisory FG-IR-26-148). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain privileged admin credentials
Delivery
Reach management HTTP interface over network
Exploit
Send crafted HTTP request to overflow stack buffer
Execution
Defeat stack canary and ASLR protections
Persist
Redirect execution via corrupted return address
Impact
Execute arbitrary code on appliance

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated attacker holding high-privilege (administrative) credentials on the targeted FortiOS, FortiPAM, FortiProxy, or FortiSASE instance - confirmed by CVSS PR:H. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS base score of 5.9 (Medium) is consistent with the vector AV:N/AC:H/PR:H, where high attack complexity and high privilege requirements each significantly discount the otherwise maximum CIA impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with privileged administrative credentials to a FortiOS or FortiProxy management interface sends a sequence of crafted HTTP requests designed to overflow a stack-allocated buffer in the HTTP parsing subsystem. The attacker first defeats ASLR through a separate information-disclosure technique or heap-shaping primitive to predict stack addresses, then overwrites the return address to redirect execution to attacker-controlled shellcode or a ROP chain. …
Remediation Apply the official vendor patch released by Fortinet as confirmed by CVSS temporal metric RL:O (Official Fix). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2024-26011 CRITICAL
9.8 Nov 12

A missing authentication for critical function in Fortinet FortiManager version 7.4.0 through 7.4.2, 7.2.0 through 7.2.4

CVE-2024-23113 CRITICAL
9.8 Feb 15

A use of externally-controlled format string in Fortinet FortiOS versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.

CVE-2023-41678 HIGH
8.8 Dec 13

A double free in Fortinet FortiOS versions 7.0.0 through 7.0.5, FortiPAM version 1.0.0 through 1.0.3, 1.1.0 through 1.1.

CVE-2023-36639 HIGH
8.8 Dec 13

A use of externally-controlled format string in Fortinet FortiProxy versions 7.2.0 through 7.2.4, 7.0.0 through 7.0.10,

CVE-2025-57740 HIGH
7.5 Oct 14

Authenticated remote code execution in Fortinet FortiOS, FortiProxy, and FortiPAM enables low-privileged users to trigge

CVE-2024-26010 HIGH
7.5 Jun 11

A stack-based buffer overflow in Fortinet FortiPAM version 1.2.0, 1.1.0 through 1.1.2, 1.0.0 through 1.0.3, FortiWeb, Fo

CVE-2023-45583 HIGH
7.2 May 14

A use of externally-controlled format string vulnerability in Fortinet FortiOS 7.4.0, FortiOS 7.2.0 through 7.2.5, Forti

CVE-2023-36640 MEDIUM
6.7 May 14

A use of externally-controlled format string vulnerability in Fortinet FortiOS 7.4.0, FortiOS 7.2.0 through 7.2.5, Forti

CVE-2023-40721 MEDIUM
6.7 Feb 11

A use of externally-controlled format string vulnerability [CWE-134] vulnerability in Fortinet allows a privileged attac

CVE-2023-45584 MEDIUM
6.6 Aug 12

A double free vulnerability [CWE-415] vulnerability in Fortinet FortiOS 7.4.0, FortiOS 7.2.0 through 7.2.5, FortiOS 7.0.

CVE-2025-22256 MEDIUM
6.3 Jun 10

A security vulnerability in Fortinet FortiPAM 1.4.0 (CVSS 6.3) that allows attacker. Remediation should follow standard

CVE-2026-23573 MEDIUM
6.1 Jul 14

Reflected or stored cross-site scripting in Fortinet FortiOS, FortiPAM, and FortiProxy web interfaces allows a remote un

Share

EUVD-2026-43703 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy