| Metric | Value |
|---|---|
| CVEs | 40 |
| Critical | 5 |
| High | 14 |
| KEV | 2 |
| PoC | 2 |
| Unpatched C/H | 19 |
| Patch Rate | 0.0% |
| Avg EPSS | 0.1% |

Severity Breakdown

| Severity | Count |
|---|---|
| CRITICAL | 5 |
| HIGH | 14 |
| MEDIUM | 17 |
| LOW | 4 |
Monthly CVE Trend
Affected Products (30)

| Product / Tag | Count |
|---|---|
| Fortios | 41 |
| Fortimanager | 27 |
| Fortiweb | 26 |
| Command Injection | 21 |
| Fortianalyzer | 20 |
| Fortiproxy | 18 |
| Fortimanager Cloud | 16 |
| Forticlient | 11 |
| Fortivoice | 10 |
| Fortianalyzer Cloud | 10 |
| Stack Overflow | 10 |
| Fortirecorder | 8 |
| Windows | 8 |
| Fortisase | 6 |
| Fortisandbox | 5 |
| Fortimail | 5 |
| Forticlientems | 5 |
| Fortipam | 5 |
| Fortisiem | 4 |
| Fortiportal | 4 |
| Fortiadc | 4 |
| Fortiswitchmanager | 3 |
| Fortideceptor | 3 |
| Integer Overflow | 3 |
| Heap Overflow | 2 |
| Ldap | 2 |
| Fortiisolator | 2 |
| Fortindr | 2 |
| Fortianalyzer Big Data | 2 |
| Forticamera Firmware | 2 |
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2026-35616 | Remote code execution in Fortinet FortiClientEMS versions 7.4.5 through 7.4.6 allows unauthenticated attackers to execute arbitrary code via crafted network requests. The vulnerability stems from improper access control (CWE-284) and requires no user interaction or privileges (CVSS PR:N). With a CVSS score of 9.1 (Critical) and low attack complexity, this represents a severe exposure for organizations using affected FortiClientEMS versions. The CVSS temporal metrics indicate functional exploit code exists (E:F) with an official fix available (RL:O), making this a high-priority patching target despite no confirmed active exploitation (not present in CISA KEV). | CRITICAL | 9.8 | 0.0% | 124 | KEV, PoC, No patch |
| CVE-2026-24858 | Fortinet FortiAnalyzer and FortiManager contain a critical authentication bypass vulnerability (CVE-2026-24858, CVSS 9.8) that allows unauthenticated remote attackers to gain administrative access through an alternate authentication path. With EPSS 2.8% but KEV listing confirming active exploitation, this vulnerability threatens the security management infrastructure that organizations rely on to protect their networks. | CRITICAL | 9.8 | 2.8% | 112 | KEV, No patch |
| CVE-2025-64155 | Fortinet FortiSIEM (6.7.0 through 7.4.0) has OS command injection via crafted TCP requests. As a SIEM, compromise gives attackers access to all security logs and the ability to suppress alerts. PoC available. | CRITICAL | 9.8 | 0.0% | 69 | PoC, No patch |
| CVE-2026-21643 | A product has a SQL injection vulnerability enabling unauthenticated database compromise through improperly neutralized SQL commands. | CRITICAL | 9.8 | 0.0% | 54 | No patch |
| CVE-2025-47855 | Fortinet FortiFone 7.0.0-7.0.1 and 3.0.13-3.0.23 allows unauthenticated attackers to download the complete device configuration via crafted HTTP/HTTPS requests. Configuration files contain credentials and network settings. | CRITICAL | 9.8 | 1.2% | 50 | No patch |
| CVE-2025-52436 | An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability [CWE-79] in Fortinet FortiSandbox 5.0.0 through 5.0.1, FortiSandbox 4.4.0 through 4.4.7, FortiSandbox 4.2 all versions, FortiSandbox 4.0 all versions may allow an unauthenticated attacker to execute commands via crafted requests. [CVSS 8.8 HIGH] | HIGH | 8.8 | 0.2% | 44 | No patch |
| CVE-2026-22627 | Fortinet FortiSwitchAXFixed versions 1.0.0 up to 1.0.1 are affected by a classic buffer overflow (CVSS 8.8). | HIGH | 8.8 | 0.0% | 44 | No patch |
| CVE-2025-64157 | A use of externally-controlled format string vulnerability in Fortinet FortiOS 7.6.0 through 7.6.4, FortiOS 7.4.0 through 7.4.9, FortiOS 7.2.0 through 7.2.11, FortiOS 7.0 all versions allows an authenticated admin to execute unauthorized code or commands via specifically crafted configuration. [CVSS 6.7 MEDIUM] | MEDIUM | 6.7 | 0.0% | 44 | No patch |
| CVE-2026-24017 | Fortinet FortiWeb versions 7.0 through 8.0.2 contain an improper rate-limiting flaw that allows unauthenticated remote attackers to bypass authentication attempt restrictions through crafted requests. This vulnerability enables attackers to conduct brute-force password attacks against FortiWeb instances with reduced constraints, with success dependent on attacker resources and target password complexity. No patch is currently available for affected versions. | HIGH | 8.1 | 0.1% | 41 | No patch |
| CVE-2025-54820 | A Stack-based Buffer Overflow vulnerability [CWE-121] in Fortinet FortiManager 7.4.0 through 7.4.2, FortiManager 7.2.0 through 7.2.10, FortiManager 6.4 all versions may allow a remote unauthenticated attacker to execute unauthorized commands via crafted requests, if the service is enabled. [CVSS 8.1 HIGH] | HIGH | 8.1 | 0.0% | 41 | No patch |
| CVE-2026-22153 | FortiOS versions up to 7.6.4 contain a vulnerability that allows an unauthenticated attacker to bypass LDAP authentication of Agentless VPN or FS (CVSS 8.1). | HIGH | 8.1 | 0.0% | 41 | No patch |
| CVE-2025-25249 | A heap-based buffer overflow vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2.0 through 7.2.11, FortiOS 7.0.0 through 7.0.17, FortiOS 6.4 all versions, FortiSwitchManager 7.2.0 through 7.2.6, FortiSwitchManager 7.0.0 through 7.0.5 allows an attacker to execute unauthorized code or commands via specially crafted packets. [CVSS 8.1 HIGH] | HIGH | 8.1 | 0.0% | 41 | No patch |
| CVE-2025-55018 | An inconsistent interpretation of HTTP requests ('HTTP request smuggling') vulnerability in Fortinet FortiOS 7.6.0, FortiOS 7.4.0 through 7.4.9, FortiOS 7.2 all versions, FortiOS 7.0 all versions, FortiOS 6.4.3 through 6.4.16 may allow an unauthenticated attacker to smuggle an unlogged HTTP request through the firewall policies via a specially crafted header. [CVSS 5.8 MEDIUM] | MEDIUM | 5.8 | 0.1% | 39 | No patch |
| CVE-2026-24018 | Fortinet FortiClientLinux versions 7.4.0 up to 7.4.4 contain a vulnerability that allows a local, unprivileged user to escalate their privileges to root (CVSS 7.8). | HIGH | 7.8 | 0.0% | 39 | No patch |
| CVE-2026-25836 | Fortinet FortiSandbox Cloud 5.0.4 contains an OS command injection vulnerability that allows privileged super-admin users with CLI access to execute arbitrary code through malicious HTTP requests. The vulnerability requires high privileges and direct access but carries high impact including confidentiality, integrity, and availability compromise. No patch is currently available. | HIGH | 7.2 | 0.1% | 36 | No patch |