MDR
Solutions
Partners
About
Resources
Multiple vulnerabilities have been identified across Fortinet products including FortiOS (SSL-VPN, fnbamd, and FSSO components), FortiGate, and FortiSandbox. The most severe issues could enable unauthenticated exploitation paths that result in command/code execution, authentication bypass, firewall policy evasion, sensitive information exposure, or denial-of-service. If exploited in the context of privileged services or administrative workflows, attackers may be able to alter security configurations, create or abuse administrative accounts, and gain sustained control of perimeter devices. FortiSandbox is impacted by CVE-2025-52436 affecting 5.0.0–5.0.1 and 4.4.0–4.4.7, with vendor fixes available in later releases (or migration to fixed trains where required). FortiOS is affected across multiple branches, with fixes generally delivered via point upgrades (for example 7.6.x and 7.4.x patched releases) or requiring migration from unsupported trains. Organizations running exposed SSL-VPN services or heavily relied-on perimeter enforcement devices face increased risk where vulnerable versions remain deployed.
CVE
CVE-2025-52436
CVE-2025-68686
CVE-2025-55018
CVE-2026-22153
CVE-2025-64157
CVE-2025-62439
Targeting / Delivery Mechanism
Attackers may target internet-facing SSL-VPN or web-exposed services using crafted HTTP requests and headers. Some issues require authenticated administrative access (configuration-driven abuse), while at least one scenario assumes prior filesystem-level compromise before the technique becomes useful. LDAP-dependent deployments may be exposed under specific directory configurations.
Execution Technique
Techniques include request smuggling to pass unlogged traffic through policy enforcement, authentication bypass in fnbamd under specific LDAP configurations, information exposure in SSL-VPN post-exploit scenarios, and crafted web requests against FortiSandbox input handling. A configuration-based format-string weakness may allow authenticated administrators to execute unauthorized code/commands.
Persistence / Deployment
If perimeter appliances are compromised, attackers can persist by creating admin users, weakening policies, and modifying authentication or inspection behavior to support repeated access and lateral movement.
Operational Impact
Risk is assessed as High for large and medium government and business entities and Medium for smaller organizations due to the critical role Fortinet appliances play in perimeter defense, VPN access, and authentication enforcement. Successful exploitation could permit unauthorized remote access, policy bypass, administrative takeover, or suppression of logging visibility. Because these devices sit at network boundaries, compromise may undermine segmentation controls and enable lateral movement into internal systems. Authentication bypass and request smuggling conditions significantly increase the likelihood of stealth access and follow-on exploitation. If administrative functions are abused, attackers may modify configurations to maintain access or weaken inspection controls, resulting in extended dwell time and increased data exposure risk.
Validate Integrity
Identify all FortiOS, FortiGate, and FortiSandbox deployments and confirm running versions against vendor fixed releases. Review SSL-VPN, HTTP, and LDAP authentication logs for anomalous requests or unexpected bypass behavior. Audit administrative account creation and configuration change history.
Respond to Confirmed Compromise
Immediately upgrade affected systems to vendor-recommended patched versions. Rotate administrative, VPN, and directory service credentials. Restore firewall and authentication configurations to validated baselines. Conduct forensic review where unauthorized access is suspected.
Strengthen Preventative Controls
Limit exposure of management and VPN interfaces, enforce network segmentation, and apply least privilege to administrative accounts. Maintain structured vulnerability management, routine patching, and regular external scanning of perimeter services.
References
https://www.fortiguard.com/psirt/FG-IR-25-093
https://www.fortiguard.com/psirt/FG-IR-25-934
https://www.fortiguard.com/psirt/FG-IR-25-667
https://www.fortiguard.com/psirt/FG-IR-25-1052
https://www.fortiguard.com/psirt/FG-IR-25-795
https://www.fortiguard.com/psirt/FG-IR-25-384
Trusted by clients worldwide
Led by human expertise and powered by the VisionX platform, we provide you with a 24/7 unbeatable Managed Detection & Response capability giving you transparent and consolidated security solutions.
.jpg)