FortiGuard Labs | FortiGuard Center - IR Advisories

The following is a list of advisories for issues resolved in Fortinet products. The resolution of such issues is coordinated by the Fortinet Product Security Incident Response Team (PSIRT), a dedicated, global team that manages the receipt, investigation, and public reporting of information about security vulnerabilities and issues related to Fortinet products and services.

[FG-IR-20-105] Unauthenticated user can determine software-version information

An exposure of sensitive system information to an unauthorized control sphere vulnerability [CWE-497] in FortiMail may allow a remote, unauthenticated attacker to obtain potentially sensitive software-version information by reading a JavaScript file. Revised on 2025-03-28 00:00:00

Path traversal in csfd daemon

An improper limitation of a pathname to a restricted directory vulnerability ('path traversal') [CWE-22] in FortiManager, FortiOS, FortiProxy, FortiRecorder, FortiVoice and FortiWeb may allow a remote authenticated attacker with access to the security fabric interface and port to write arbitrary files and a remote unauthenticated attacker with the same network access to delete an arbitrary folder. Revised on 2025-03-20 00:00:00

Stack buffer overflow in CLI command

A stack-buffer overflow vulnerability [CWE-121] in FortiMail CLI may allow a privileged attacker to execute arbitrary code or commands via specifically crafted CLI commands. Revised on 2025-03-19 00:00:00

[FG-IR-21-023] Multiple buffer overflows in FortiMail

Multiple instances of incorrect calculation of buffer size in FortiMail webmail and administrative interface and FortiNDR administrative interface may allow an authenticated attacker with regular webmail access to trigger a buffer overflow and to possibly execute unauthorized code or commands via specifically crafted HTTP requests. Revised on 2025-03-18 00:00:00

RADIUS Protocol CVE-2024-3596

A fundamental design flaw within the RADIUS protocol has been proven to be exploitable, compromising the integrity in the RADIUS Access-Request process. The attack allows a malicious user to modify packets in a way that would be indistinguishable to a RADIUS client or server. To be successful, the attacker must have the ability to inject themselves between the client and server. Revised on 2025-03-14 00:00:00

Out-of-bounds Write in IPSEC Daemon

An Out-of-bounds Write in FortiOS IPSEC daemon may allow an unauthenticated attacker to perform a denial of service under certains conditions that are outside the control of the attacker. Revised on 2025-03-13 00:00:00

Permission escalation due to an Improper Privilege Management

An incorrect privilege assignment vulnerability [CWE-266] in the FortiOS security fabric may allow an authenticated admin whose access profile has the Security Fabric write permission to escalate their privileges to super-admin by connecting the targetted FortiGate to a malicious upstream FortiGate they control. Revised on 2025-03-13 00:00:00

Web application firewall rules bypass by using an empty filename

Two improper handling of syntactically invalid structure vulnerabilities [CWE-228] in FortiWeb may allow an unauthenticated attacker to bypass web firewall protections via HTTP/S crafted requests. Revised on 2025-03-13 00:00:00

Apache Camel Vulnerability - CVE-2025-27636

CVE-2025-27636Bypass/Injection vulnerability in Apache Camel-Bean component under particular conditions. This issue affects Apache Camel: from 4.10.0 through <= 4.10.1, from 4.8.0 through <= 4.8.4, from 3.10.0 through <= 3.22.3. Users are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases. This vulnerability is only present in the following situation. The user is using one of the following HTTP Servers via one the of the following Camel components * camel-servlet * camel-jetty * camel-undertow * camel-platform-http * camel-netty-http and in the route, the exchange will be routed to a camel-bean producer. So ONLY camel-bean component is affected. In particular: * The bean invocation (is only affected if you use any of the above together with camel-bean component). * The bean that can be called, has more than 1 method implemented. In these conditions an attacker could be able to forge a Camel header name and make the bean component invoking other methods in the same bean. The vulnerability arises due to a bug in the default filtering mechanism that only blocks headers starting with "Camel", "camel", or "org.apache.camel.". Mitigation: You can easily work around this in your Camel applications by removing the headers in your Camel routes. There are many ways of doing this, also globally or per route. This means you could use the removeHeaders EIP, to filter out anything like "cAmel, cAMEL" etc, or in general everything not starting with "Camel", "camel" or "org.apache.camel.". Revised on 2025-03-11 00:00:00

Authenticated SQLI on CLI

Two improper neutralization of special elements used in an SQL Command ('SQL Injection') vulnerability [CWE-89] in FortiAnalyzer, FortiManager & FortiAnalyzer-BigData may allow a privileged attacker to execute unauthorized code or commands via specifically crafted CLI requests. Revised on 2025-03-11 00:00:00

Client-side enforcement of server-side security related to vm download feature

A client-side enforcement of server-side security vulnerability [CWE-602] in FortiSandbox may allow an authenticated attacker with at least read-only permission to execute unauthorized commands via crafted requests. Revised on 2025-03-11 00:00:00

Cross Site Request Forgery in admin endpoint

A cross site request forgery vulnerability [CWE-352] in FortiNDR may allow a remote unauthenticated attacker to execute unauthorized actions via crafted HTTP GET requests. Revised on 2025-03-11 00:00:00

Directory Traversal Arbitrary File Write Vulnerability

An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability [CWE-22] in FortiWeb API endpoint may allow an authenticated attacker with admin privileges to access and modify the filesystem. Revised on 2025-03-11 00:00:00

Exposure of Sensitive Information to an Unauthorized Actor

An exposure of sensitive information to an unauthorized actor vulnerability [CWE-200] in FortiSIEM may allow a remote unauthenticated attacker who acquired knowledge of the agent's authorization header by other means to read the database password via crafted api requests Revised on 2025-03-11 00:00:00

Incorrect authorization in GUI console

An incorrect authorization vulnerability [CWE-863] in FortiSandbox may allow a low priviledged administrator to execute elevated CLI commands via the GUI console menu. Revised on 2025-03-11 00:00:00

Incorrect authorization in incident page

An incorrect authorization vulnerability [CWE-863] in FortiSIEM may allow an authenticated attacker to perform unauthorized operations on incidents via crafted HTTP requests. Revised on 2025-03-11 00:00:00

Multiple command injections on CLI

Multiple improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerabilities [CWE-78] in FortiIsolator may allow an authenticated attacker with at least read-only admin permission and CLI access to execute unauthorized code via specifically crafted CLI commands. Revised on 2025-03-11 00:00:00

Multiple format string vulnerabilities

A use of externally-controlled format string vulnerability [CWE-134] in FortiOS, FortiProxy, FortiPAM, FortiSRA and FortiWeb may allow a privileged attacker to execute unauthorized code or commands via specially crafted HTTP or HTTPS commands. Revised on 2025-03-11 00:00:00

OS Command Injection in administrative interface

Multiple improper neutralization of special elements used in an OS Command vulnerabilities [CWE-78] in FortiSandbox may allow a privileged attacker to execute unauthorized commands via crafted requests. Revised on 2025-03-11 00:00:00

OS command injection in CLI command

Multiple improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerabilities [CWE-78] in FortiManager CLI may allow a privileged attacker to execute unauthorized code or commands via crafted CLI requests. Revised on 2025-03-11 00:00:00