Fortinet Patches 18 Security Holes, Including Critical Vulnerabilities
Cybersecurity firm Fortinet released 18 security advisories across various products on a single day in April. Several of these patches address critical and high-risk vulnerabilities, impacting products like FortiSandbox and FortiDDoS-F.
Cybersecurity firm Fortinet addressed a total of 18 security vulnerabilities across its product line in April. The company issued these updates on a single day, with several categorized as critical risks.
Two critical vulnerabilities affect the FortiSandbox operating system. Insufficient filtering of elements in commands allows unauthenticated attackers to execute unauthorized code or commands via manipulated HTTP requests (CVE-2026-39808, CVSS 9.1). A path traversal vulnerability in FortiSandbox's JRPC API (CVE-2026-39813, CVSS 9.1) also allows authentication bypass through carefully crafted HTTP requests.
Additionally, FortiDDoS-F versions 7.2.1 and 7.2.2 have an SQL injection vulnerability rated as high risk (CVE-2026-39815, CVSS 7.9). FortiAnalyzer Cloud and FortiManager Cloud versions 7.6 contain a high-risk heap-based buffer overflow vulnerability (CVE-2026-22828, CVSS 7.3) in their oftpd daemon, potentially allowing malicious code injection.
FortiClient EMS users should be aware of an SQL injection vulnerability (CVE-2026-39809, CVSS 7.1), also classified as high risk. Fortinet also closed numerous other vulnerabilities with medium or low risk ratings.
System administrators using Fortinet products are advised to verify their software versions and apply the available updates promptly to mitigate these security risks.