MS-ISAC Warns of Critical Fortinet Product Flaws

The Multi-State Information Sharing and Analysis Center (MS-ISAC) has issued Advisory 2026-003, warning organizations about multiple critical vulnerabilities impacting various Fortinet products. The advisory, which applies to a broad spectrum of enterprise, government, and education-focused technologies, highlights flaws that could potentially enable attackers to execute arbitrary code or create new user accounts with full administrative rights on affected systems.

On an unspecified date, the MS-ISAC released Advisory 2026-003, detailing several security vulnerabilities within Fortinet's product ecosystem. The affected solutions include FortiSandbox, FortiWeb, FortiVoice, FortiOS, FortiClientEMS, FortiSwitchManager, FortiProxy, FortiFone, FortiSIEM, and FortiSASE. According to The Cyber Express News, FortiOS, Fortinet's proprietary operating system, is particularly significant due to its widespread use across multiple product lines.

The advisory indicates that some of these vulnerabilities could allow remote, unauthenticated attackers to compromise systems. Specifically, issues such as a filesystem-related flaw in FortiVoice could enable attackers to execute arbitrary code or create new accounts with full user rights. Systems that employ least-privilege access models may experience a reduced impact from these exploits, as per MS-ISAC reports.

One of the most critical issues identified is a heap-based buffer overflow vulnerability, categorized as CWE-122, found in the cw_acd daemon used by FortiOS and FortiSwitchManager. This flaw, tracked as CVE-2025-25249, could allow a remote, unauthenticated attacker to execute arbitrary code. A buffer overflow occurs when a program attempts to write data to a buffer beyond its allocated memory, potentially corrupting adjacent memory and leading to unexpected behavior, including arbitrary code execution. Separately, an SQL injection flaw was also noted to affect certain versions of Fortinet products, which could allow attackers to manipulate database queries. FortiWeb, a web application firewall designed to protect applications, may also be indirectly affected through its reliance on FortiOS.

A wide range of versions are impacted by these vulnerabilities. FortiVoice versions 7.2.0 through 7.2.2 and 7.0.0 through 7.0.7 are affected. FortiSandbox versions 5.0.0 through 5.0.4, along with all versions of 4.4, 4.2, and 4.0, are also vulnerable. FortiOS versions from 6.4.0 through 7.6.3 are included, alongside multiple releases of FortiClientEMS, FortiSwitchManager, FortiSIEM, FortiFone, and FortiSASE.

The vulnerabilities stem from various software defects, including the heap-based buffer overflow in the cw_acd daemon and filesystem-related issues, as reported by MS-ISAC. These types of flaws often arise from errors in software development, particularly concerning memory management and input validation. The presence of these vulnerabilities underscores the ongoing challenge of securing complex software ecosystems, especially in widely deployed platforms like FortiOS that underpin numerous other products.

The exact date of the MS-ISAC Advisory 2026-003’s issuance is not specified in the provided information. Details regarding whether these vulnerabilities have been actively exploited in the wild are also not explicitly stated in the source material.

MS-ISAC assesses the risk of these vulnerabilities as significant and advises organizations to prioritize remediation efforts. This typically involves applying vendor-provided patches or updates as soon as they become available. Organizations are also encouraged to conduct regular automated patching and vulnerability scans, in addition to performing periodic penetration testing to identify and address weaknesses proactively. The advisory emphasizes the importance of a robust security posture to mitigate potential impacts from such flaws.

  • Organizations should immediately review the MS-ISAC Advisory 2026-003 for specific affected versions and apply all available patches or updates from Fortinet.
  • Enforce least-privilege access models across all systems to limit the potential impact of compromised accounts.
  • Carefully manage default and administrative accounts, ensuring strong, unique credentials and regular audits.
  • Enable anti-exploitation protections where possible to add layers of defense against known and unknown attack techniques.
  • Segment networks to contain potential breaches and limit the lateral movement of attackers within an environment.
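The affected version ranges quoted above, turned into a small inventory triage check as an added example (not code from MS-ISAC or Fortinet). It transcribes only the ranges the article states, so a product the article names without version detail gets "check advisory" rather than a verdict; the hostnames and versions in the sample inventory are constructed.

```python
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

def parse_version(text: str) -> Version:
    """Turn '7.2.1' into (7, 2, 1); rejects malformed strings."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {text!r}")
    return tuple(int(p) for p in parts)

# Ranges as stated in the article: (low, high) inclusive, or (branch, "*")
# for "all versions of" a branch. The advisory itself is authoritative.
AFFECTED: Dict[str, List[Tuple[str, str]]] = {
    "FortiVoice": [("7.2.0", "7.2.2"), ("7.0.0", "7.0.7")],
    "FortiSandbox": [("5.0.0", "5.0.4"), ("4.4", "*"), ("4.2", "*"), ("4.0", "*")],
    "FortiOS": [("6.4.0", "7.6.3")],
}

def is_affected(product: str, version_text: str) -> Optional[bool]:
    """True/False against the listed ranges; None when the article gives
    no version detail for the product (caller must consult the advisory)."""
    ranges = AFFECTED.get(product)
    if ranges is None:
        return None
    version = parse_version(version_text)
    # Pad short inputs such as '7.2' to '7.2.0' so range bounds compare cleanly.
    version = version + (0,) * max(0, 3 - len(version))
    for low, high in ranges:
        low_v = parse_version(low)
        if high == "*":                      # whole branch, e.g. every 4.2.x
            if version[:len(low_v)] == low_v:
                return True
        elif low_v <= version <= parse_version(high):
            return True
    return False

def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, Optional[bool]]]:
    """Map (hostname, product, version) rows to (hostname, status)."""
    return [(host, is_affected(product, ver)) for host, product, ver in inventory]

# Constructed sample inventory, not from the article or the advisory.
SAMPLE_INVENTORY = [
    ("fw-edge-01", "FortiOS", "7.4.2"),
    ("fw-lab-02", "FortiOS", "7.6.4"),
    ("voice-01", "FortiVoice", "7.0.7"),
    ("sbx-01", "FortiSandbox", "4.2.9"),
    ("ems-01", "FortiClientEMS", "7.2.1"),
]

if __name__ == "__main__":
    labels = {True: "AFFECTED", False: "not in listed ranges", None: "check advisory"}
    for host, status in triage(SAMPLE_INVENTORY):
        print(f"{host:12} {labels[status]}")
```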
