Fortinet Product Security Update Advisory
Overview
Fortinet has released security updates that address vulnerabilities in its products. Users of affected products are advised to update to the latest version.
Affected Products
CVE-2025-25249
FortiOS 7.6 versions: 7.6.0 through 7.6.3
FortiOS 7.4 versions: 7.4.0 through 7.4.8
FortiOS 7.2 versions: 7.2.0 through 7.2.11
FortiOS 7.0 versions: 7.0.0 through 7.0.17
FortiOS 6.4 versions: all 6.4 versions
FortiSwitchManager 7.2 versions: 7.2.0 through 7.2.6
FortiSwitchManager 7.0 versions: 7.0.0 through 7.0.5
CVE-2025-47855
FortiFone 7.0 versions: 7.0.0 through 7.0.1
FortiFone 3.0 versions: 3.0.13 through 3.0.23
CVE-2025-52436
FortiSandbox 5.0 versions: 5.0.0 through 5.0.1
FortiSandbox 4.4 versions: 4.4.0 through 4.4.7
FortiSandbox 4.2 versions: all 4.2 versions
FortiSandbox 4.0 versions: all 4.0 versions
CVE-2026-22153
FortiOS 7.6 versions: 7.6.0 through 7.6.4
Resolved Vulnerabilities
Heap-based buffer overflow vulnerability in FortiOS and FortiSwitchManager (CVE-2025-25249)
Sensitive information disclosure vulnerability in FortiFone web portal pages (CVE-2025-47855)
Cross-site scripting vulnerability in FortiSandbox (CVE-2025-52436)
LDAP authentication bypass vulnerability in the fnbamd component of FortiOS (CVE-2026-22153)
Vulnerability Patches
Patches for these vulnerabilities are available in the latest updates. Follow the instructions on the referenced sites to update to a fixed version.
CVE-2025-25249
FortiOS 7.6 versions: 7.6.4 and later
FortiOS 7.4 versions: 7.4.9 and later
FortiOS 7.2 versions: 7.2.12 and later
FortiOS 7.0 versions: 7.0.18 and later
FortiOS 6.4 versions: Migrate to a fixed release
FortiSwitchManager 7.2 versions: 7.2.7 and later
FortiSwitchManager 7.0 versions: 7.0.6 and later
CVE-2025-47855
FortiFone 7.0 versions: 7.0.2 and later
FortiFone 3.0 versions: 3.0.24 and later
CVE-2025-52436
FortiSandbox 5.0 versions: 5.0.2 and later
FortiSandbox 4.4 versions: 4.4.8 and later
FortiSandbox 4.2 versions: Migrate to a fixed release
FortiSandbox 4.0 versions: Migrate to a fixed release
CVE-2026-22153
FortiOS 7.6 versions: 7.6.5 and later
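The following script is an added example, not part of this advisory or any Fortinet tool. It transcribes the affected and fixed version ranges listed above into a table and checks an inventory of devices against them, so an administrator can see which hosts need an upgrade and to which build. Version comparison is done numerically on the dotted components, so 7.4.10 correctly sorts after 7.4.9. The hostnames, products and versions in INVENTORY are constructed sample data.

```python
"""Check Fortinet product versions against the affected ranges in this advisory.

Added example: the ranges below are transcribed from the advisory text; the
inventory is constructed sample data, not real devices.
"""

from typing import NamedTuple, Optional


class Range(NamedTuple):
    product: str
    branch: str            # major.minor train, e.g. "7.4"
    first: Optional[str]   # first affected build; None means the whole branch
    last: Optional[str]    # last affected build; None means the whole branch
    fixed: Optional[str]   # first fixed build; None means migrate to a fixed release


def parse_version(text: str) -> tuple:
    """'7.4.8' -> (7, 4, 8); tuple comparison then orders versions numerically."""
    return tuple(int(part) for part in text.strip().split("."))


# Transcribed from the Affected Products and Vulnerability Patches sections above.
AFFECTED = {
    "CVE-2025-25249": [
        Range("FortiOS", "7.6", "7.6.0", "7.6.3", "7.6.4"),
        Range("FortiOS", "7.4", "7.4.0", "7.4.8", "7.4.9"),
        Range("FortiOS", "7.2", "7.2.0", "7.2.11", "7.2.12"),
        Range("FortiOS", "7.0", "7.0.0", "7.0.17", "7.0.18"),
        Range("FortiOS", "6.4", None, None, None),
        Range("FortiSwitchManager", "7.2", "7.2.0", "7.2.6", "7.2.7"),
        Range("FortiSwitchManager", "7.0", "7.0.0", "7.0.5", "7.0.6"),
    ],
    "CVE-2025-47855": [
        Range("FortiFone", "7.0", "7.0.0", "7.0.1", "7.0.2"),
        Range("FortiFone", "3.0", "3.0.13", "3.0.23", "3.0.24"),
    ],
    "CVE-2025-52436": [
        Range("FortiSandbox", "5.0", "5.0.0", "5.0.1", "5.0.2"),
        Range("FortiSandbox", "4.4", "4.4.0", "4.4.7", "4.4.8"),
        Range("FortiSandbox", "4.2", None, None, None),
        Range("FortiSandbox", "4.0", None, None, None),
    ],
    "CVE-2026-22153": [
        Range("FortiOS", "7.6", "7.6.0", "7.6.4", "7.6.5"),
    ],
}


def is_affected(version: str, r: Range) -> bool:
    """True if the version lies in r: same major.minor train and inside [first, last]."""
    v = parse_version(version)
    if v[:2] != parse_version(r.branch):
        return False
    if r.first is not None and v < parse_version(r.first):
        return False
    if r.last is not None and v > parse_version(r.last):
        return False
    return True


def assess(product: str, version: str) -> list:
    """Return [(cve, fixed_build_or_None)] for every advisory range the device falls in."""
    hits = []
    for cve, ranges in AFFECTED.items():
        for r in ranges:
            if r.product == product and is_affected(version, r):
                hits.append((cve, r.fixed))
    return hits


# Constructed inventory for the demonstration (hostname, product, running version).
INVENTORY = [
    ("fw-edge-01", "FortiOS", "7.4.8"),
    ("fw-edge-02", "FortiOS", "7.6.4"),
    ("fw-lab-03", "FortiOS", "6.4.15"),
    ("sbx-01", "FortiSandbox", "5.0.2"),
    ("phone-07", "FortiFone", "3.0.12"),
]


def report(inventory) -> list:
    """One line per finding, stating the required action for each affected host."""
    lines = []
    for host, product, version in inventory:
        hits = assess(product, version)
        if not hits:
            lines.append(f"{host}: {product} {version} not in any affected range")
            continue
        for cve, fixed in hits:
            action = f"upgrade to {fixed} or later" if fixed else "migrate to a fixed release"
            lines.append(f"{host}: {product} {version} affected by {cve}, {action}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(INVENTORY)))
```

Note that a FortiOS 7.6 device can fall in two ranges at once: 7.6.2 is affected by both CVE-2025-25249 (fixed in 7.6.4) and CVE-2026-22153 (fixed in 7.6.5), so the script reports both and the higher fixed build is the one to target. Versions carrying a non-numeric suffix would need to be normalised before parse_version is called.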
References
[1] Heap-based buffer overflow in cw_acd daemon
https://fortiguard.fortinet.com/psirt/FG-IR-25-084
[2] Unauthenticated access to local configuration
https://fortiguard.fortinet.com/psirt/FG-IR-25-260
[3] XSS via back button
https://fortiguard.fortinet.com/psirt/FG-IR-25-093
[4] LDAP authentication bypass in Agentless VPN and FSSO
https://fortiguard.fortinet.com/psirt/FG-IR-25-1052