- Last update: 12/02/2026
- Affected software:
→ FortiAuthenticator 6.3 all versions
→ FortiAuthenticator 6.4 all versions
→ FortiAuthenticator 6.5 all versions
→ FortiAuthenticator 6.6.0 through 6.6.6
→ FortiClientEMS 7.4.4
→ FortiClientWindows 7.0 all versions
→ FortiClientWindows 7.2.0 through 7.2.12
→ FortiClientWindows 7.4.0 through 7.4.4
→ FortiOS 6.4 all versions
→ FortiOS 7.0 all versions
→ FortiOS 7.2 all versions
→ FortiOS 7.2.0 through 7.2.11
→ FortiOS 7.4.0 through 7.4.6
→ FortiOS 7.4.0 through 7.4.9
→ FortiOS 7.6.0 through 7.6.4
→ FortiSandbox 4.0 all versions
→ FortiSandbox 4.2 all versions
→ FortiSandbox 4.4.0 through 4.4.7
→ FortiSandbox 5.0.0 through 5.0.1
- Type: Multiple, including SQL Injection, authentication bypass, exposure of sensitive information, and Cross-site Scripting
- CVE/CVSS
→ CVE-2026-22153: CVSS 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
→ CVE-2026-21743: CVSS 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
→ CVE-2026-21643: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
→ CVE-2025-68686: CVSS 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
→ CVE-2025-64157: CVSS 6.7 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
→ CVE-2025-62676: CVSS 7.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H)
→ CVE-2025-62439: CVSS 4.2 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N)
→ CVE-2025-55018: CVSS 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N)
→ CVE-2025-52436: CVSS 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
https://fortiguard.fortinet.com/psirt
https://www.fortiguard.com/psirt/FG-IR-25-661
https://www.fortiguard.com/psirt/FG-IR-25-384
https://www.fortiguard.com/psirt/FG-IR-25-795
https://www.fortiguard.com/psirt/FG-IR-25-1052
https://www.fortiguard.com/psirt/FG-IR-25-528
https://www.fortiguard.com/psirt/FG-IR-25-667
https://www.fortiguard.com/psirt/FG-IR-25-934
https://www.fortiguard.com/psirt/FG-IR-25-093
https://www.fortiguard.com/psirt/FG-IR-25-1142
Fortinet released advisories for vulnerabilities addressed in FortiAuthenticator, FortiClient for Windows, FortiGate, FortiOS, and FortiSandbox, including two high-severity issues.
The most severe, CVE-2025-52436, affects FortiSandbox; its successful exploitation could result in command execution with high impact on the confidentiality, integrity, and availability of the affected FortiSandbox system. Another high-severity vulnerability, CVE-2026-22153, affects FortiOS and could result in high confidentiality and integrity impact, allowing unauthorized access to sensitive systems and data.
Although rated low severity, CVE-2025-68686 deserves special attention. It is a sensitive information disclosure issue in FortiOS SSL-VPN that effectively bypasses patches for previously exploited vulnerabilities. It has been linked to earlier Fortinet firewall flaws (CVE-2022-42475, CVE-2023-27997, CVE-2024-21762) and can be leveraged after an attacker has already compromised the device through another vulnerability.
Additionally, the Fortinet update resolves six other medium-severity vulnerabilities that could be exploited to obtain sensitive information, smuggle HTTP requests, modify user accounts, execute arbitrary code or commands, and write arbitrary files.
The new patches were released just days after Fortinet addressed a critical SQL injection vulnerability in FortiClient EMS, tracked as CVE-2026-21643 (CVSS 9.8).
CVE-2025-52436, with a CVSS score of 8.8 (High), is an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in FortiSandbox which may allow an unauthenticated attacker to execute commands via crafted requests.
CVE-2026-22153, having a CVSS score of 8.1, is an Authentication Bypass by Primary Weakness vulnerability in FortiOS fnbamd. Its exploitation may allow an unauthenticated attacker to bypass LDAP authentication of Agentless VPN or FSSO policy, under specific LDAP server configuration.
CVE-2025-68686, with a CVSS score of 5.9, is an Exposure of Sensitive Information to an Unauthorized Actor vulnerability in FortiOS SSL-VPN which may allow a remote unauthenticated attacker to bypass the patch developed for the symbolic link persistency mechanism observed in some post-exploit cases, via crafted HTTP requests.
The critical vulnerability previously patched, CVE-2026-21643, is an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability [CWE-89] in FortiClientEMS which may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests.
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.
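Deciding which devices this recommendation applies to means comparing an asset inventory against the affected-software list at the top of this page, which mixes three notations: a single version (FortiClientEMS 7.4.4), a whole branch ("all versions"), and an inclusive "through" range. The script below is an added example, not CCB or Fortinet code: it parses the list exactly as printed above and reports, for each inventory entry, every advisory line that covers it. The inventory in the `__main__` block is constructed sample data, and the product names are assumed to be spelled as on this page. Because the page lists overlapping ranges that come from different Fortinet advisories (for instance FortiOS 7.4.0 through 7.4.6 and 7.4.0 through 7.4.9), a device is treated as affected if any single entry matches.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Affected-software list copied verbatim from the advisory above.
ADVISORY_AFFECTED = """
FortiAuthenticator 6.3 all versions
FortiAuthenticator 6.4 all versions
FortiAuthenticator 6.5 all versions
FortiAuthenticator 6.6.0 through 6.6.6
FortiClientEMS 7.4.4
FortiClientWindows 7.0 all versions
FortiClientWindows 7.2.0 through 7.2.12
FortiClientWindows 7.4.0 through 7.4.4
FortiOS 6.4 all versions
FortiOS 7.0 all versions
FortiOS 7.2 all versions
FortiOS 7.2.0 through 7.2.11
FortiOS 7.4.0 through 7.4.6
FortiOS 7.4.0 through 7.4.9
FortiOS 7.6.0 through 7.6.4
FortiSandbox 4.0 all versions
FortiSandbox 4.2 all versions
FortiSandbox 4.4.0 through 4.4.7
FortiSandbox 5.0.0 through 5.0.1
"""

Version = Tuple[int, ...]


class Entry(NamedTuple):
    product: str
    text: str                   # original advisory line, kept for reporting
    branch: Optional[Version]   # set for "X all versions"
    low: Optional[Version]      # set for "X through Y" and for exact versions
    high: Optional[Version]


_RANGE = re.compile(r"^(\S+) (\d[\d.]*) through (\d[\d.]*)$")
_BRANCH = re.compile(r"^(\S+) (\d[\d.]*) all versions$")
_EXACT = re.compile(r"^(\S+) (\d[\d.]*)$")


def parse_version(text: str) -> Version:
    """'7.4.10' -> (7, 4, 10); tuples compare numerically, so 7.4.10 > 7.4.9."""
    return tuple(int(part) for part in text.split("."))


def parse_affected(text: str) -> List[Entry]:
    """Parse the three notations used on the page; reject anything else loudly."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("→").strip()   # tolerate the page's arrow bullets
        if not line:
            continue
        if m := _RANGE.match(line):
            entries.append(Entry(m[1], line, None, parse_version(m[2]), parse_version(m[3])))
        elif m := _BRANCH.match(line):
            entries.append(Entry(m[1], line, parse_version(m[2]), None, None))
        elif m := _EXACT.match(line):
            exact = parse_version(m[2])
            entries.append(Entry(m[1], line, None, exact, exact))
        else:
            raise ValueError(f"unrecognised affected-software line: {line!r}")
    return entries


def matches(entry: Entry, product: str, version: Version) -> bool:
    if entry.product.lower() != product.lower():
        return False
    if entry.branch is not None:
        # "7.2 all versions" covers every version whose leading components are 7.2
        return version[:len(entry.branch)] == entry.branch
    return entry.low <= version <= entry.high


def affected_by(product: str, version: str, entries: List[Entry]) -> List[str]:
    """Every advisory line covering this product/version (empty list = not listed)."""
    parsed = parse_version(version)
    return [e.text for e in entries if matches(e, product, parsed)]


def triage(inventory, entries: Optional[List[Entry]] = None) -> dict:
    """inventory: iterable of (asset_name, product, version) -> {asset_name: [lines]}"""
    if entries is None:
        entries = parse_affected(ADVISORY_AFFECTED)
    return {name: affected_by(product, version, entries)
            for name, product, version in inventory}


if __name__ == "__main__":
    # Constructed sample inventory for illustration, not real assets.
    sample = [
        ("fw-edge-01", "FortiOS", "7.4.7"),
        ("fw-edge-02", "FortiOS", "7.4.10"),
        ("ems-01", "FortiClientEMS", "7.4.4"),
        ("sbx-01", "FortiSandbox", "5.0.2"),
    ]
    for name, hits in triage(sample).items():
        print(name, "AFFECTED" if hits else "not listed", hits)
```

A device on FortiOS 7.4.7 is reported as affected even though it is outside the 7.4.0 through 7.4.6 range, because the 7.4.0 through 7.4.9 entry still covers it; "not listed" means no entry on this page matches, not that the device is safe from other advisories, which is why the matching entry lines are returned rather than a bare boolean.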
Monitor/Detect
The CCB recommends that organizations strengthen their monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.
While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.
https://nvd.nist.gov/vuln/detail/CVE-2026-22153
https://nvd.nist.gov/vuln/detail/CVE-2026-21743
https://nvd.nist.gov/vuln/detail/CVE-2026-21643
https://nvd.nist.gov/vuln/detail/CVE-2025-68686
https://nvd.nist.gov/vuln/detail/CVE-2025-64157
https://nvd.nist.gov/vuln/detail/CVE-2025-62676
https://nvd.nist.gov/vuln/detail/CVE-2025-62439
https://nvd.nist.gov/vuln/detail/CVE-2025-55018
https://nvd.nist.gov/vuln/detail/CVE-2025-52436