On March 10, 2026, Fortinet published a set of security advisories covering vulnerabilities in four of its enterprise products: FortiManager, FortiAnalyzer, FortiSwitchAXFixed, and FortiSandbox. The flaws include authentication bypasses, buffer overflows, OS command injection, and SQL injection. Depending on the issue, exploitation could give a remote attacker code execution, the ability to run unauthorized commands, or elevated privileges on an affected system.
High-Severity Vulnerabilities
Two of the vulnerabilities carry a High severity rating and represent the greatest risk to unpatched systems. CVE-2026-22627 is a classic buffer overflow in the handling of the LLDP OUI field in FortiSwitchAXFixed versions 1.0.0 and 1.0.1; a crafted LLDP frame could overwrite adjacent memory and lead to arbitrary code execution. Because LLDP is a link-layer protocol, the attacker needs to be able to deliver frames to the switch from an adjacent device or segment rather than from anywhere on the internet. The second High-rated issue, CVE-2025-54820, is a stack-based buffer overflow in the FortiManager fgtupdates service affecting versions 7.4.0 through 7.4.2 and 7.2.9 through 7.2.10; a crafted update request could result in remote code execution.
Authentication Bypass Risks
Three of the vulnerabilities weaken authentication on FortiManager and FortiAnalyzer. CVE-2026-22629 is an improper restriction of excessive authentication attempts in FortiAnalyzer and FortiManager versions 7.6.0 through 7.6.4: a race condition lets an attacker outpace the lockout, so brute-force protection cannot be relied on in those builds. CVE-2026-22572 is an authentication bypass via an alternate path or channel in the GUI, affecting a similar version range, that allows multi-factor authentication to be circumvented. CVE-2025-68482 is an improper TLS certificate validation during SSO authentication, which could let an attacker positioned as a man-in-the-middle intercept the SSO exchange.
Command Injection and Privilege Escalation Threats
CVE-2026-25836 is an OS command injection vulnerability in the vmimages update feature of FortiSandbox Cloud 5.0.4 that could allow an authenticated attacker to run arbitrary OS commands via the GUI. CVE-2025-48418 is an undocumented CLI feature in FortiManager and FortiAnalyzer versions 7.6.0 through 7.6.3 that could be abused to escalate privileges. CVE-2026-22628 is an improper access control issue in FortiSwitchAXFixed that lets an administrator bypass command restrictions over SSH.
Beyond these, the advisories include several Medium-rated issues, among them a format string vulnerability in the fazsvcd component and an SQL injection flaw in the FortiAnalyzer JSON-RPC API.
Recommended Actions
Organizations running affected products should apply the released fixes promptly, prioritising the two High-severity buffer overflows. Administrators should audit administrative accounts and verify MFA configuration on FortiManager and FortiAnalyzer, bearing in mind that CVE-2026-22572 and CVE-2026-22629 undermine MFA and lockout protections respectively until patched. CLI and SSH access should be restricted to trusted administrators and, where possible, to management networks, and logs should be monitored for anomalous behaviour such as bursts of failed logins or unexpected administrative commands. FortiSandbox Cloud environments should be reviewed for signs of command injection via the vmimages update feature. Fortinet's full technical advisories are published on the FortiGuard PSIRT portal; administrators should confirm their installed versions against the affected lists there, since the version ranges summarised in this article are not a substitute for the advisories themselves.
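As an added example (not part of this article and not Fortinet tooling), the following Python script encodes the version ranges quoted above and checks an asset inventory against them. The sample inventory is constructed; the CVEs the article lists without explicit version ranges (CVE-2026-22572, CVE-2025-68482, CVE-2026-22628) are left out rather than guessed; and because the article does not state fixed versions, a build outside every listed range is reported as "no listed range matched", never as "fixed". It is a triage aid, to be confirmed against the PSIRT advisories.

```python
"""Version-range triage for the Fortinet advisory summarised above.

Added example for this article, not Fortinet code. Affected ranges are
transcribed from the article text; fixed versions are not stated there, so
the script cannot distinguish "fixed" from "not listed". CVEs given without
version ranges are deliberately omitted rather than guessed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AffectedRange:
    product: str
    cve: str
    low: str   # first affected version, inclusive
    high: str  # last affected version, inclusive


# Transcribed from the article; a single-version entry uses low == high.
AFFECTED = [
    AffectedRange("FortiSwitchAXFixed", "CVE-2026-22627", "1.0.0", "1.0.1"),
    AffectedRange("FortiManager", "CVE-2025-54820", "7.4.0", "7.4.2"),
    AffectedRange("FortiManager", "CVE-2025-54820", "7.2.9", "7.2.10"),
    AffectedRange("FortiManager", "CVE-2026-22629", "7.6.0", "7.6.4"),
    AffectedRange("FortiAnalyzer", "CVE-2026-22629", "7.6.0", "7.6.4"),
    AffectedRange("FortiManager", "CVE-2025-48418", "7.6.0", "7.6.3"),
    AffectedRange("FortiAnalyzer", "CVE-2025-48418", "7.6.0", "7.6.3"),
    AffectedRange("FortiSandbox Cloud", "CVE-2026-25836", "5.0.4", "5.0.4"),
]


def parse_version(text: str) -> tuple[int, ...]:
    """'7.2.10' -> (7, 2, 10).

    Segments are compared numerically so 7.2.10 sorts after 7.2.9; a plain
    string comparison gets that wrong. Anything that is not dot-separated
    digits (e.g. '7.4.2-build1234') is rejected rather than mis-compared.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def version_in_range(version: str, rng: AffectedRange) -> bool:
    """Inclusive range test; short versions are zero-padded so '7.4' == '7.4.0'."""
    v, lo, hi = (parse_version(x) for x in (version, rng.low, rng.high))
    width = max(len(v), len(lo), len(hi))

    def pad(t: tuple[int, ...]) -> tuple[int, ...]:
        return t + (0,) * (width - len(t))

    return pad(lo) <= pad(v) <= pad(hi)


def matching_cves(product: str, version: str) -> list[str]:
    """CVEs from the transcribed list whose range covers this product build."""
    hits = {r.cve for r in AFFECTED
            if r.product == product and version_in_range(version, r)}
    return sorted(hits)


def triage(inventory: list[tuple[str, str, str]]) -> list[tuple[str, str, str, list[str]]]:
    """Rows are (hostname, product, version); each row gets its matched CVEs."""
    return [(host, product, version, matching_cves(product, version))
            for host, product, version in inventory]


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [
        ("fmg-01", "FortiManager", "7.2.10"),
        ("fmg-02", "FortiManager", "7.6.2"),
        ("faz-01", "FortiAnalyzer", "7.4.1"),
        ("fsw-edge-3", "FortiSwitchAXFixed", "1.0.1"),
        ("fsa-cloud", "FortiSandbox Cloud", "5.0.4"),
    ]
    for host, product, version, cves in triage(sample):
        status = ", ".join(cves) if cves else "no listed range matched (verify against PSIRT)"
        print(f"{host:12} {product:20} {version:8} {status}")
```

The numeric comparison matters for the FortiManager 7.2.9 to 7.2.10 range: a string-based check would wrongly place 7.2.10 before 7.2.9 and miss an affected build. Keep AFFECTED in step with the PSIRT advisories rather than with this summary when the two differ.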
