Skip to main content

Fortinet

Vendor security scorecard – 87 CVEs in the selected period

Period: 30d 90d 6m 1y All
Risk 397
87
CVEs
9
Critical
23
High
3
KEV
5
PoC
32
Unpatched C/H
0.0%
Patch Rate
0.1%
Avg EPSS

Severity Breakdown

CRITICAL
9
HIGH
23
MEDIUM
49
LOW
6

Monthly CVE Trend

Top Risky CVEs

CVE Summary Severity CVSS EPSS Priority Signals
CVE-2026-21643 A product has a SQL injection vulnerability enabling unauthenticated database compromise through improperly neutralized SQL commands. CRITICAL 9.8 0.0% 124
KEV PoC No patch
CVE-2026-35616 Remote code execution in Fortinet FortiClientEMS versions 7.4.5 through 7.4.6 allows unauthenticated attackers to execute arbitrary code via crafted network requests. The vulnerability stems from improper access control (CWE-284) and requires no user interaction or privileges (CVSS PR:N). With a CVSS score of 9.1 (Critical) and low attack complexity, this represents a severe exposure for organizations using affected FortiClientEMS versions. The CVSS temporal metrics indicate functional exploit code exists (E:F) with an official fix available (RL:O), making this a high-priority patching target despite no confirmed active exploitation (not present in CISA KEV). CRITICAL 9.8 0.0% 124
KEV PoC No patch
CVE-2026-24858 Fortinet FortiAnalyzer and FortiManager contain a critical authentication bypass vulnerability (CVE-2026-24858, CVSS 9.8) that allows unauthenticated remote attackers to gain administrative access through an alternate authentication path. With EPSS 2.8% but KEV listing confirming active exploitation, this vulnerability threatens the security management infrastructure that organizations rely on to protect their networks. CRITICAL 9.8 2.8% 112
KEV No patch
CVE-2026-39808 OS command injection in Fortinet FortiSandbox 4.4.0-4.4.8 and FortiSandbox PaaS versions 21.3-23.4 enables remote unauthenticated attackers to execute arbitrary system commands with complete system compromise. CVSS 9.8 (network, low complexity, no privileges) but EPSS 0.29% (53rd percentile) suggests limited real-world exploitation observed despite maximum severity score. No active exploitation confirmed (not in CISA KEV). SSVC framework classifies as automatable with total technical impact but no known exploitation. Fortinet PSIRT advisory FG-IR-26-100 available but description incomplete (missing attack vector specifics). CRITICAL 9.8 0.3% 74
PoC No patch
CVE-2026-39813 Path traversal in Fortinet FortiSandbox 4.4.0-4.4.8 and 5.0.0-5.0.5 enables remote unauthenticated attackers to achieve full system compromise. With CVSS 9.8 (AV:N/AC:L/PR:N/UI:N), the vulnerability permits network-based exploitation without credentials or user interaction, leading to complete confidentiality, integrity, and availability impact. Despite critical severity, EPSS score of 0.06% (18th percentile) indicates low observed exploitation probability. No active exploitation confirmed (not in CISA KEV). SSVC framework marks it as automatable with total technical impact but no current exploitation. The incomplete CVE description (placeholder text for attack vector) suggests early disclosure; verify completeness with Fortinet advisory FG-IR-26-112. CRITICAL 9.8 0.1% 74
PoC No patch
CVE-2026-25089 Unauthenticated OS command injection in Fortinet FortiSandbox (on-premise, Cloud, and PaaS variants) allows remote attackers to execute arbitrary operating system commands by sending specifically crafted HTTP requests to the management interface. The flaw carries a CVSS 9.8 rating with network-reachable, no-authentication, no-user-interaction characteristics, and no public exploit identified at time of analysis. Because FortiSandbox is a security-analysis appliance handling untrusted samples, compromise undermines the integrity of malware verdicts and downstream detections. CRITICAL 9.8 2.0% 51
PoC No patch
CVE-2026-26083 Remote code execution in Fortinet FortiSandbox 4.4.x through 5.0.x (on-premises, Cloud, and PaaS deployments) allows unauthenticated attackers to execute arbitrary code or commands via crafted HTTP requests. This CWE-862 missing authorization flaw affects sandbox analysis appliances across multiple deployment models with CVSS 9.8 (critical) severity. Fortinet has published vendor advisory FG-IR-26-136. No CISA KEV listing or public POC identified at time of analysis, though the trivial attack complexity (AC:L) and network vector without authentication (PR:N) indicate high exploitability if technical details emerge. CRITICAL 9.8 0.0% 49
No patch
CVE-2026-44277 Critical unauthenticated access control bypass in Fortinet FortiAuthenticator versions 6.5.0-6.5.6, 6.6.0-6.6.8, 8.0.0, and 8.0.2 enables remote code execution without authentication. The CVSS score of 9.8 with AV:N/AC:L/PR:N/UI:N indicates trivial remote exploitation against default configurations. While the vendor advisory (FG-IR-26-128) confirms this vulnerability, the incomplete description placeholder ('<insert attack vector here>') suggests the advisory may contain additional details not yet published in CVE records. No public exploit code or active exploitation confirmed at time of analysis, though the authentication bypass nature and maximum CVSS scores make this a priority patching target for organizations running FortiAuthenticator. CRITICAL 9.8 0.0% 49
No patch
CVE-2025-52436 An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability [CWE-79] vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.1, FortiSandbox 4.4.0 through 4.4.7, FortiSandbox 4.2 all versions, FortiSandbox 4.0 all versions may allow an unauthenticated attacker to execute commands via crafted requests. [CVSS 8.8 HIGH] HIGH 8.8 0.2% 44
No patch
CVE-2026-39815 SQL injection in Fortinet FortiDDoS-F 7.2.1-7.2.2 allows authenticated remote attackers to execute unauthorized code or commands with high impact to confidentiality, integrity, and availability. The vulnerability resides in the web management interface and requires low attack complexity with no user interaction. No public exploit identified at time of analysis, with EPSS data not yet available for this recently disclosed CVE. HIGH 8.8 0.1% 44
No patch
CVE-2025-53844 Remote code execution in Fortinet FortiOS 7.2.0-7.2.11, 7.4.0-7.4.8, and 7.6.0-7.6.3 enables authenticated attackers to execute arbitrary code via malformed network packets. The out-of-bounds write vulnerability (CWE-787) affects FortiOS firewall appliances and requires only low-privilege credentials to exploit over the network. Fortinet published advisory FG-IR-26-123 confirming the vulnerability. No CISA KEV listing or public exploit code identified at time of analysis, though the straightforward network attack vector (AV:N/AC:L) suggests moderate weaponization potential once details emerge. HIGH 8.8 0.0% 44
No patch
CVE-2026-22627 vulnerability in Fortinet FortiSwitchAXFixed 1.0.0 versions up to 1.0.1 is affected by classic buffer overflow (CVSS 8.8). HIGH 8.8 0.0% 44
No patch
CVE-2025-64157 A use of externally-controlled format string vulnerability in Fortinet FortiOS 7.6.0 through 7.6.4, FortiOS 7.4.0 through 7.4.9, FortiOS 7.2.0 through 7.2.11, FortiOS 7.0 all versions allows an authenticated admin to execute unauthorized code or commands via specifically crafted configuration. [CVSS 6.7 MEDIUM] MEDIUM 6.7 0.0% 44
No patch
CVE-2026-59835 Exposure of a scanning VM's VNC service in Fortinet FortiSandbox 5.0.0-5.0.2 and 4.4.3-4.4.8 lets an unauthenticated remote attacker reach the VNC server of the sandbox virtual machines used for malware detonation via ordinary network requests. Because these VMs run and observe live malware samples, unauthorized VNC access can expose sensitive analysis sessions and potentially allow interaction with the detonation environment. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV. HIGH 8.6 0.4% 43
No patch
CVE-2026-59841 Privilege escalation in Fortinet FortiSIEM Windows Agent 7.4.0 through 7.4.1 stems from an improper restriction of the agent's communication channel (CWE-923), letting an adjacent-network attacker interact with an endpoint that should be limited to trusted parties and thereby gain elevated privileges with full confidentiality, integrity, and availability impact. The flaw was disclosed by Fortinet PSIRT (FG-IR-26-155) and carries a CVSS 7.5 rating; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Exploitation is gated by high attack complexity, which materially reduces real-world likelihood despite the unauthenticated vector. HIGH 7.5 0.1% 43
No patch

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy