On April 14, 2026, Fortinet announced a series of security updates addressing 11 vulnerabilities across various products. These include two vulnerabilities classified as Critical, two as High, and seven that are Medium or Low. The affected products are FortiSandbox, FortiAnalyzer, FortiManager, FortiOS, FortiProxy, FortiPAM, and FortiSwitchManager. Enterprise network administrators are strongly encouraged to prioritize these patches immediately.
Critical Vulnerabilities Demand Immediate Attention
The most pressing issue is CVE-2026-39808, an OS command injection flaw in FortiSandbox and FortiSandbox PaaS, rated as Critical. This vulnerability, rooted in improper neutralization of elements used in OS commands, affects versions 4.4.4 to 4.4.8 of FortiSandbox and up to version 23.4.4374 of its PaaS counterpart. Exploitation could lead to arbitrary command execution, risking full system compromise.
Another Critical vulnerability, CVE-2026-39813, involves path traversal in FortiSandbox’s JRPC API. Affecting versions 5.0.1 through 5.0.5, this flaw could allow attackers to bypass authentication and escalate privileges without credentials, posing a significant threat.
High and Medium-Risk Flaws
CVE-2026-22828, rated High, is a heap-based buffer overflow vulnerability found in the oftpd daemon of FortiAnalyzer and FortiManager Cloud. This flaw, affecting versions 7.6.2 to 7.6.4, can be exploited remotely without authentication, allowing attackers to execute arbitrary code or disrupt the service.
An important Medium-risk vulnerability is CVE-2025-53847, a missing authentication issue in the CAPWAP daemon of FortiOS and FortiSwitchManager. This flaw, affecting FortiOS versions 7.4.8 to 7.6.3, is reachable without authentication from an internal network, so it warrants prompt attention even where the management plane is segmented from the internet.
Additional Vulnerabilities and Mitigation Strategies
Other vulnerabilities include path traversal, cross-site scripting (XSS), and SQL injection risks. Notably, CVE-2026-25691 affects FortiSandbox’s vmimages delete feature, while CVE-2025-61886 presents a reflected XSS flaw in FortiSandbox’s interface.
Fortinet advises security teams to prioritize patches in descending order of severity and attack vector. Critical vulnerabilities in FortiSandbox should be addressed immediately, followed by high-risk flaws in FortiAnalyzer and FortiManager Cloud. All other vulnerabilities should be patched as soon as possible.
For detailed information on fixed versions, administrators are advised to consult Fortinet’s PSIRT portal and apply the necessary patches without delay. Keeping systems updated is crucial to maintaining network security and mitigating potential threats.
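The prioritization Fortinet recommends is easiest to apply with an inventory check that flags every device whose firmware falls inside one of the affected ranges quoted above and orders the hits by severity. The script below is an added example, not Fortinet tooling; it uses only the product, severity and version ranges stated in this summary, treats each quoted range as inclusive at both ends (an assumption), and leaves the fixed-version lookup to the PSIRT portal. The hostnames and versions in the sample inventory are constructed.

```python
"""Triage a device inventory against the affected-version ranges quoted in the summary.

Added example. The CVE/product/severity/range data below is copied from the
summary text; ranges are assumed inclusive at both ends. Fixed versions are
deliberately not encoded here: take them from Fortinet's PSIRT portal.
"""
from dataclasses import dataclass
from typing import List, Tuple

SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


@dataclass(frozen=True)
class Advisory:
    cve: str
    product: str
    severity: str
    first_affected: str  # inclusive, as quoted in the summary
    last_affected: str   # inclusive, as quoted in the summary


# Only the ranges the summary itself states (one entry per product for shared CVEs).
ADVISORIES = [
    Advisory("CVE-2026-39808", "FortiSandbox", "Critical", "4.4.4", "4.4.8"),
    Advisory("CVE-2026-39813", "FortiSandbox", "Critical", "5.0.1", "5.0.5"),
    Advisory("CVE-2026-22828", "FortiAnalyzer", "High", "7.6.2", "7.6.4"),
    Advisory("CVE-2026-22828", "FortiManager Cloud", "High", "7.6.2", "7.6.4"),
    Advisory("CVE-2025-53847", "FortiOS", "Medium", "7.4.8", "7.6.3"),
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '7.6.3' or 'v7.6.3 build2000' into a comparable integer tuple."""
    core = text.strip().lstrip("vV").split()[0]
    return tuple(int(part) for part in core.split("."))


def in_range(version: str, low: str, high: str) -> bool:
    """Inclusive comparison; shorter tuples are zero-padded so '7.6' == '7.6.0'."""
    v, lo, hi = parse_version(version), parse_version(low), parse_version(high)
    width = max(len(v), len(lo), len(hi))
    pad = lambda t: t + (0,) * (width - len(t))
    return pad(lo) <= pad(v) <= pad(hi)


def affected_cves(product: str, version: str) -> List[str]:
    """CVE ids from the summary whose quoted range covers this product/version."""
    return [
        adv.cve
        for adv in ADVISORIES
        if adv.product == product and in_range(version, adv.first_affected, adv.last_affected)
    ]


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """inventory: (hostname, product, version). Returns (hostname, cve, severity)
    ordered Critical -> High -> Medium -> Low, then by hostname, then CVE id."""
    hits = []
    for hostname, product, version in inventory:
        for adv in ADVISORIES:
            if adv.product == product and in_range(version, adv.first_affected, adv.last_affected):
                hits.append((SEVERITY_RANK[adv.severity], hostname, adv.cve, adv.severity))
    hits.sort(key=lambda h: (h[0], h[1], h[2]))
    return [(host, cve, sev) for _, host, cve, sev in hits]


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = [
    ("fsa-lab-01", "FortiSandbox", "4.4.6"),
    ("fsa-lab-02", "FortiSandbox", "v5.0.5 build0123"),
    ("fos-edge-01", "FortiOS", "7.6.3"),
    ("fos-edge-02", "FortiOS", "7.6.4"),
    ("faz-01", "FortiAnalyzer", "7.6.4"),
]

if __name__ == "__main__":
    for host, cve, sev in triage(SAMPLE_INVENTORY):
        print(f"{sev:8} {host:12} {cve}")
```

Run as a script it prints the patch queue in the order the advisory suggests; devices outside every quoted range (here fos-edge-02) produce no line. Because the summary quotes a single span for FortiOS that crosses the 7.4 and 7.6 branches, confirm the per-branch ranges and fixed builds on the PSIRT portal before closing a ticket.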
