By rssfeeds-admin 
The disclosures affect FortiSandbox, FortiAnalyzer, FortiManager, FortiOS, FortiProxy, FortiPAM, and FortiSwitchManager, urging enterprise administrators to prioritize patching immediately.
Critical FortiSandbox PaaS Flaws
The most severe vulnerability in this advisory batch is CVE-2026-39808 (FG-IR-26-100), a Critical-rated OS command injection flaw in FortiSandbox and FortiSandbox PaaS.
Rooted in CWE-122 (Improper Neutralization of Special Elements used in an OS Command), this unauthenticated API-accessible vulnerability affects FortiSandbox versions 4.4.4 through 4.4.8 and FortiSandbox PaaS versions up to 23.4.4374.
An unauthenticated remote attacker could exploit this flaw to execute arbitrary OS commands on the underlying system, potentially leading to full device compromise.
Equally alarming is CVE-2026-39813 (FG-IR-26-112), a Critical path traversal vulnerability (CWE-24) in FortiSandbox’s JRPC API.
This unauthenticated flaw affects FortiSandbox versions 5.0.1 through 5.0.5 and may allow attackers to bypass authentication mechanisms entirely and escalate privileges without any valid credentials, making it one of the most dangerous disclosures in this release cycle.
Rated High, CVE-2026-22828 (FG-IR-26-121) describes a heap-based buffer overflow (CWE-122) in the oftpd daemon of FortiAnalyzer Cloud and FortiManager Cloud.
Affecting versions 7.6.2 through 7.6.4, this unauthenticated, network-exposed vulnerability could be leveraged by a remote attacker to execute arbitrary code or crash the affected service. No authentication is required, significantly raising its exploitability profile.
Authentication and Access Control Gaps
CVE-2025-53847 (FG-IR-26-125) exposes a missing authentication for a critical function flaw (CWE-306) in the CAPWAP daemon of FortiOS and FortiSwitchManager.
Rated Medium and accessible without authentication from an internal network, the vulnerability affects FortiOS 7.4.8 through 7.6.3, making it a priority for organizations running segmented enterprise network environments.
CVE-2026-27316 (FG-IR-26-113) reveals an insufficiently protected credentials vulnerability (CWE-522) in FortiSandbox and FortiSandbox PaaS web GUI, specifically within the LDAP configuration page.
Rated Low, this externally accessible authenticated flaw affects FortiSandbox 5.0.1–5.0.5 and PaaS versions up to 23.4.4374, potentially exposing LDAP bind credentials to authenticated users with GUI access.
Path Traversal, Cross-Site Scripting, and SQL Injection Vulnerabilities
Fortinet addressed three separate path traversal vulnerabilities in this release. CVE-2026-25691 (FG-IR-26-115) targets FortiSandbox’s vmimages delete feature, enabling arbitrary directory deletion by authenticated GUI users.
CVE-2025-68649 (FG-IR-26-120) affects FortiAnalyzer, FortiAnalyzer Cloud, FortiManager, and FortiManager Cloud CLI interfaces across the 7.6.x and 7.4.x branches, while CVE-2025-61624 (FG-IR-26-122) impacts FortiOS, FortiPAM, FortiProxy, and FortiSwitchManager CLI components across multiple versions. All three are rated Medium and require authenticated internal access.
Multiple XSS vulnerabilities also appeared in this release. CVE-2026-39812 (FG-IR-26-110) introduces stored XSS risks across FortiSandbox and FortiSandbox PaaS 5.0.1–5.0.5, while CVE-2025-61886 (FG-IR-26-109) describes a reflected XSS flaw in FortiSandbox’s Operation Center interface, accessible to unauthenticated users from an internal position.
Rounding out the disclosures is CVE-2025-61848 (FG-IR-26-111), an SQL injection vulnerability (CWE-89) via the JSON RPC API in FortiAnalyzer and FortiManager versions 7.6.1–7.6.4, as well as their cloud counterparts. Authenticated internal access is required, but successful exploitation could allow attackers to manipulate backend database queries.
Mitigations
Security teams should prioritize patching in the following order based on severity and attack vector:
- Immediately: CVE-2026-39808 and CVE-2026-39813 (Critical, unauthenticated FortiSandbox flaws)
- Urgently: CVE-2026-22828 (High, unauthenticated heap overflow in FortiAnalyzer/FortiManager Cloud)
- High priority: CVE-2025-53847 (Medium, unauthenticated CAPWAP daemon in FortiOS)
- Scheduled patching: All remaining Medium and Low findings across FortiSandbox, FortiAnalyzer, FortiManager, FortiOS, FortiProxy, FortiPAM, and FortiSwitchManager
Administrators should consult Fortinet’s PSIRT portal for specific fixed versions and apply available patches without delay.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
The post Fortinet Patches 11 Vulnerabilities Across FortiSandbox, FortiOS, FortiAnalyzer, and FortiManager appeared first on Cyber Security News.
Discover more from RSS Feeds Cloud
Subscribe to get the latest posts sent to your email.