The disclosures affect FortiSandbox, FortiAnalyzer, FortiManager, FortiOS, FortiProxy, FortiPAM, and FortiSwitchManager, urging enterprise administrators to prioritize patching immediately.
The most severe vulnerability in this advisory batch is CVE-2026-39808 (FG-IR-26-100), a Critical-rated OS command injection flaw in FortiSandbox and FortiSandbox PaaS.
Rooted in CWE-122 (Improper Neutralization of Special Elements used in an OS Command), this unauthenticated API-accessible vulnerability affects FortiSandbox versions 4.4.4 through 4.4.8 and FortiSandbox PaaS versions up to 23.4.4374.
An unauthenticated remote attacker could exploit this flaw to execute arbitrary OS commands on the underlying system, potentially leading to full device compromise.
Equally alarming is CVE-2026-39813 (FG-IR-26-112), a Critical path traversal vulnerability (CWE-24) in FortiSandbox’s JRPC API.
This unauthenticated flaw affects FortiSandbox versions 5.0.1 through 5.0.5 and may allow attackers to bypass authentication mechanisms entirely and escalate privileges without any valid credentials, making it one of the most dangerous disclosures in this release cycle.
Rated High, CVE-2026-22828 (FG-IR-26-121) describes a heap-based buffer overflow (CWE-122) in the oftpd daemon of FortiAnalyzer Cloud and FortiManager Cloud.
Affecting versions 7.6.2 through 7.6.4, this unauthenticated, network-exposed vulnerability could be leveraged by a remote attacker to execute arbitrary code or crash the affected service. No authentication is required, significantly raising its exploitability profile.
CVE-2025-53847 (FG-IR-26-125) exposes a missing authentication for a critical function flaw (CWE-306) in the CAPWAP daemon of FortiOS and FortiSwitchManager.
Rated Medium and accessible without authentication from an internal network, the vulnerability affects FortiOS 7.4.8 through 7.6.3, making it a priority for organizations running segmented enterprise network environments.
CVE-2026-27316 (FG-IR-26-113) reveals an insufficiently protected credentials vulnerability (CWE-522) in FortiSandbox and FortiSandbox PaaS web GUI, specifically within the LDAP configuration page.
Rated Low, this externally accessible authenticated flaw affects FortiSandbox 5.0.1–5.0.5 and PaaS versions up to 23.4.4374, potentially exposing LDAP bind credentials to authenticated users with GUI access.
Fortinet addressed three separate path traversal vulnerabilities in this release. CVE-2026-25691 (FG-IR-26-115) targets FortiSandbox’s vmimages delete feature, enabling arbitrary directory deletion by authenticated GUI users.
CVE-2025-68649 (FG-IR-26-120) affects FortiAnalyzer, FortiAnalyzer Cloud, FortiManager, and FortiManager Cloud CLI interfaces across the 7.6.x and 7.4.x branches, while CVE-2025-61624 (FG-IR-26-122) impacts FortiOS, FortiPAM, FortiProxy, and FortiSwitchManager CLI components across multiple versions. All three are rated Medium and require authenticated internal access.
Multiple XSS vulnerabilities also appeared in this release. CVE-2026-39812 (FG-IR-26-110) introduces stored XSS risks across FortiSandbox and FortiSandbox PaaS 5.0.1–5.0.5, while CVE-2025-61886 (FG-IR-26-109) describes a reflected XSS flaw in FortiSandbox’s Operation Center interface, accessible to unauthenticated users from an internal position.
Rounding out the disclosures is CVE-2025-61848 (FG-IR-26-111), an SQL injection vulnerability (CWE-89) via the JSON RPC API in FortiAnalyzer and FortiManager versions 7.6.1–7.6.4, as well as their cloud counterparts. Authenticated internal access is required, but successful exploitation could allow attackers to manipulate backend database queries.
Security teams should prioritize patching in the following order based on severity and attack vector:
Administrators should consult Fortinet’s PSIRT portal for specific fixed versions and apply available patches without delay.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
The post Fortinet Patches 11 Vulnerabilities Across FortiSandbox, FortiOS, FortiAnalyzer, and FortiManager appeared first on Cyber Security News.
SUNNYVALE, Calif., Apr. 15, 2026 – NTT Research, Inc., a division of NTT (TYO:9432), today announced the launch…
ProdCo.xyz – Network Solutions customer – (United States) Creative agencies use .xyz domains to build…
Simplicity is not the goal. It is the by-product of a good idea and modest…
A newly uncovered attack campaign is tricking users into installing remote access software on their…
Cybersecurity researchers have uncovered a large and organized network of malicious infrastructure quietly running inside…
A newly identified threat operation is exploiting one of the most widely used content discovery…
This website uses cookies.