Fortinet Patches High-Severity Vulnerabilities

The bugs could be exploited without authentication for command execution and authentication bypass.

Fortinet on Tuesday published eight advisories describing security defects addressed in FortiAuthenticator, FortiClient for Windows, FortiGate, FortiOS, and FortiSandbox, including two high-severity issues.

The most severe of these is CVE-2025-52436, an XSS bug in FortiSandbox that could be exploited via crafted requests to execute commands without authentication.

Next in line is CVE-2026-22153, an authentication bypass in FortiOS that can be exploited under certain configurations to bypass LDAP authentication of Agentless VPN or FSSO policy.

The company also rolled out fixes for medium-severity flaws in FortiOS, FortiAuthenticator, FortiGate, and FortiClient for Windows that could be exploited to obtain sensitive information, smuggle HTTP requests, modify user accounts, execute arbitrary code or commands, and write arbitrary files.

Of these, CVE-2025-68686 deserves special attention. Described as the exposure of sensitive information in FortiOS SSL-VPN, it is a bypass for patches deployed against previously exploited bugs, Fortinet says.

“It may allow a remote unauthenticated attacker to bypass the patch developed for the symbolic link persistence mechanism observed in some post-exploit cases, via crafted HTTP requests,” Fortinet says.

The flaw is linked to the exploitation of older Fortinet firewall vulnerabilities – CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762 – and requires that the attacker first compromise the target product via a different security defect.

“This vulnerability can only be abused as a consequence of a threat actor exploiting a known vulnerability to implement read-only access to vulnerable FortiGate devices, at file system level. Products that never had SSL-VPN enabled are not impacted by this issue,” Fortinet explains.

The company’s fresh round of fixes came out only four days after a critical SQL injection flaw, tracked as CVE-2026-21643 (CVSS score of 9.1), was addressed in FortiClientEMS. The issue could be exploited remotely, without authentication, for arbitrary code execution via crafted HTTP requests.

Fortinet makes no mention of any of these vulnerabilities being exploited in the wild, but users are advised to patch them as soon as possible. Additional information can be found on the company’s PSIRT advisories page.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
