Skip to main content

Fortinet

Vendor security scorecard – 134 CVEs in the selected period

Period: 30d 90d 6m 1y All
Risk 709
134
CVEs
15
Critical
38
High
6
KEV
10
PoC
53
Unpatched C/H
0.0%
Patch Rate
1.8%
Avg EPSS

Severity Breakdown

CRITICAL
15
HIGH
38
MEDIUM
72
LOW
9

Monthly CVE Trend

Top Risky CVEs

CVE Summary Severity CVSS EPSS Priority Signals
CVE-2025-64446 Fortinet FortiWeb contains a relative path traversal allowing unauthenticated attackers to execute administrative commands through crafted HTTP/HTTPS requests. CRITICAL 9.8 88.2% 222
KEV PoC No patch
CVE-2025-58034 Fortinet FortiWeb contains an authenticated OS command injection allowing privilege escalation to execute unauthorized commands on the web application firewall. HIGH 7.2 50.7% 172
KEV PoC No patch
CVE-2026-21643 A product has a SQL injection vulnerability enabling unauthenticated database compromise through improperly neutralized SQL commands. CRITICAL 9.8 0.0% 124
KEV PoC No patch
CVE-2026-35616 Remote code execution in Fortinet FortiClientEMS versions 7.4.5 through 7.4.6 allows unauthenticated attackers to execute arbitrary code via crafted network requests. The vulnerability stems from improper access control (CWE-284) and requires no user interaction or privileges (CVSS PR:N). With a CVSS score of 9.1 (Critical) and low attack complexity, this represents a severe exposure for organizations using affected FortiClientEMS versions. The CVSS temporal metrics indicate functional exploit code exists (E:F) with an official fix available (RL:O), making this a high-priority patching target despite no confirmed active exploitation (not present in CISA KEV). CRITICAL 9.8 0.0% 124
KEV PoC No patch
CVE-2025-25256 An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in Fortinet FortiSIEM version 7.3.0 through 7.3.1, 7.2.0 through 7.2.5, 7.1.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 44.9% and no vendor patch available. CRITICAL 9.8 44.9% 114
PoC No patch
CVE-2026-24858 Fortinet FortiAnalyzer and FortiManager contain a critical authentication bypass vulnerability (CVE-2026-24858, CVSS 9.8) that allows unauthenticated remote attackers to gain administrative access through an alternate authentication path. With EPSS 2.8% but KEV listing confirming active exploitation, this vulnerability threatens the security management infrastructure that organizations rely on to protect their networks. CRITICAL 9.8 2.8% 112
KEV No patch
CVE-2025-59718 Authentication bypass in Fortinet FortiOS, FortiProxy, and FortiSwitchManager allows unauthenticated remote attackers to defeat FortiCloud SSO login by submitting a crafted SAML response, due to improper verification of the response's cryptographic signature. The flaw is confirmed actively exploited (CISA KEV), with Arctic Wolf observing malicious SSO logins in the wild, and EPSS rates it at the 93rd percentile of likelihood. Combined with a 9.8 CVSS score and CWE-347 root cause, this is a top-priority patching target for any organization running affected Fortinet management planes. CRITICAL 9.8 9.5% 108
KEV No patch
CVE-2025-52970 A improper handling of parameters in Fortinet FortiWeb versions 7.6.3 and below, versions 7.4.7 and below, versions 7.2.10 and below, and 7.0.10 and below may allow an unauthenticated remote attacker. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and EPSS exploitation probability 28.8%. HIGH 8.1 28.8% 89
PoC No patch
CVE-2026-39808 OS command injection in Fortinet FortiSandbox 4.4.0-4.4.8 and FortiSandbox PaaS versions 21.3-23.4 enables remote unauthenticated attackers to execute arbitrary system commands with complete system compromise. CVSS 9.8 (network, low complexity, no privileges) but EPSS 0.29% (53rd percentile) suggests limited real-world exploitation observed despite maximum severity score. No active exploitation confirmed (not in CISA KEV). SSVC framework classifies as automatable with total technical impact but no known exploitation. Fortinet PSIRT advisory FG-IR-26-100 available but description incomplete (missing attack vector specifics). CRITICAL 9.8 0.3% 74
PoC No patch
CVE-2026-39813 Path traversal in Fortinet FortiSandbox 4.4.0-4.4.8 and 5.0.0-5.0.5 enables remote unauthenticated attackers to achieve full system compromise. With CVSS 9.8 (AV:N/AC:L/PR:N/UI:N), the vulnerability permits network-based exploitation without credentials or user interaction, leading to complete confidentiality, integrity, and availability impact. Despite critical severity, EPSS score of 0.06% (18th percentile) indicates low observed exploitation probability. No active exploitation confirmed (not in CISA KEV). SSVC framework marks it as automatable with total technical impact but no current exploitation. The incomplete CVE description (placeholder text for attack vector) suggests early disclosure; verify completeness with Fortinet advisory FG-IR-26-112. CRITICAL 9.8 0.1% 74
PoC No patch
CVE-2025-64155 Fortinet FortiSIEM (6.7.0 through 7.4.0) has OS command injection via crafted TCP requests. As a SIEM, compromise gives attackers access to all security logs and the ability to suppress alerts. PoC available. CRITICAL 9.8 0.0% 69
PoC No patch
CVE-2026-25089 Unauthenticated OS command injection in Fortinet FortiSandbox (on-premise, Cloud, and PaaS variants) allows remote attackers to execute arbitrary operating system commands by sending specifically crafted HTTP requests to the management interface. The flaw carries a CVSS 9.8 rating with network-reachable, no-authentication, no-user-interaction characteristics, and no public exploit identified at time of analysis. Because FortiSandbox is a security-analysis appliance handling untrusted samples, compromise undermines the integrity of malware verdicts and downstream detections. CRITICAL 9.8 2.0% 51
PoC No patch
CVE-2025-47855 Fortinet FortiFone 7.0.0-7.0.1 and 3.0.13-3.0.23 allows unauthenticated attackers to download the complete device configuration via crafted HTTP/HTTPS requests. Configuration files contain credentials and network settings. CRITICAL 9.8 1.2% 50
No patch
CVE-2025-59719 Authentication bypass in Fortinet FortiWeb 8.0.0, 7.6.0-7.6.4, and 7.4.0-7.4.9 allows unauthenticated remote attackers to circumvent FortiCloud SSO login by sending a crafted SAML response message. The flaw stems from improper cryptographic signature verification (CWE-347), enabling forgery of authentication assertions. No public exploit identified at time of analysis, EPSS sits at 0.26% (50th percentile), and the issue is not currently listed in CISA KEV, though Fortinet products have historically been high-value targets. CRITICAL 9.8 0.3% 49
No patch
CVE-2026-26083 Remote code execution in Fortinet FortiSandbox 4.4.x through 5.0.x (on-premises, Cloud, and PaaS deployments) allows unauthenticated attackers to execute arbitrary code or commands via crafted HTTP requests. This CWE-862 missing authorization flaw affects sandbox analysis appliances across multiple deployment models with CVSS 9.8 (critical) severity. Fortinet has published vendor advisory FG-IR-26-136. No CISA KEV listing or public POC identified at time of analysis, though the trivial attack complexity (AC:L) and network vector without authentication (PR:N) indicate high exploitability if technical details emerge. CRITICAL 9.8 0.0% 49
No patch

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy