Fortinet patches 11 flaws across FortiManager, FortiAnalyzer, FortiSwitchAXFixed, and FortiSandbox


Fortinet has released a new set of security advisories covering 11 vulnerabilities across several enterprise products, including FortiManager, FortiAnalyzer, FortiAnalyzer Cloud, FortiManager Cloud, FortiSwitchAXFixed, FortiSandbox, and FortiSandbox Cloud. The most urgent issues include two High-severity flaws that could let attackers execute unauthorized code or commands in exposed or unpatched environments.

The headline risks this month center on FortiManager and FortiSwitchAXFixed. Fortinet rates CVE-2025-54820, a stack-based buffer overflow in the FortiManager fgtupdates service, as High severity with a CVSS v3 score of 7.0. The company also rates CVE-2026-22627, a classic buffer overflow in the LLDP OUI field of FortiSwitchAXFixed, as High severity with a CVSS v3 score of 7.7. Both advisories list the impact as the ability to execute unauthorized code or commands.

For admins, this is a patch-now update. These products often sit close to management, analytics, or switching layers, which means even Medium-rated bugs can matter if they affect authentication paths, privilege boundaries, or administrative interfaces. That risk becomes more important when one release includes MFA bypass, lockout bypass, SQL injection, OS command injection, and privilege-escalation issues at the same time. This is an inference based on the affected products and Fortinet’s advisory summaries.

What Fortinet fixed on March 10, 2026

Fortinet’s PSIRT advisory center shows a March 10 batch that includes 11 published advisories relevant to this update set. They cover these issues:

| Advisory | CVE | Product area | Severity | Main risk |
|---|---|---|---|---|
| FG-IR-26-086 | CVE-2026-22627 | FortiSwitchAXFixed | High | Execute unauthorized code or commands |
| FG-IR-26-098 | CVE-2025-54820 | FortiManager | High | Execute unauthorized code or commands |
| FG-IR-26-079 | CVE-2026-22629 | FortiManager / FortiAnalyzer / Cloud | Medium | Authentication lockout bypass |
| FG-IR-26-090 | CVE-2026-22572 | FortiManager / FortiAnalyzer / Cloud | Medium | MFA bypass in GUI |
| FG-IR-26-078 | CVE-2025-68482 | FortiManager / FortiAnalyzer | Medium | TLS certificate validation issue during initial SSO |
| FG-IR-26-096 | CVE-2026-25836 | FortiSandbox Cloud | Medium | OS command injection |
| FG-IR-26-081 | CVE-2025-48418 | FortiManager / FortiAnalyzer / Cloud | Medium | Privilege escalation via undocumented CLI command |
| FG-IR-26-085 | CVE-2026-22628 | FortiSwitchAXFixed | Medium | Shell command restriction bypass |
| FG-IR-26-092 | CVE-2025-68648 | FortiManager / FortiAnalyzer / Cloud | Medium | Format string issue via API |
| FG-IR-26-095 | CVE-2025-49784 | FortiAnalyzer / FortiAnalyzer-BigData | Medium | SQL injection in JSON-RPC API |
| FG-IR-26-091 | CVE-2025-53608 | FortiSandbox | Medium | Stored XSS in LDAP server option |

Fortinet’s advisory index and the individual PSIRT notices support this list and show March 10, 2026, as the publication date for the advisories discussed here.

The two High-severity flaws deserve immediate attention

CVE-2026-22627 affects FortiSwitchAXFixed 1.0.0 and 1.0.1. Fortinet describes it as a classic buffer overflow in the LLDP OUI field and says the impact can include execution of unauthorized code or commands. The advisory carries a High severity rating and a CVSS v3 score of 7.7.

CVE-2025-54820 affects FortiManager. Fortinet says a stack-based buffer overflow in the fgtupdates service may allow a remote unauthenticated attacker to execute unauthorized commands through crafted requests if the service is enabled, and only if stack protection mechanisms do not block the attempt. The advisory lists FortiManager 7.4.0 through 7.4.2 and 7.2.0 through 7.2.10 as affected, while FortiManager 7.6 and FortiManager Cloud are not affected.

That second flaw stands out because it does not require prior authentication and hits a central management product. Even with the extra exploitation condition around stack protections, security teams should treat it seriously.
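The affected-version ranges above are the kind of data a team feeds an inventory triage script. The following is an added example, not Fortinet tooling or code from this article: it encodes only the ranges the advisories state (FortiManager 7.4.0 through 7.4.2 and 7.2.0 through 7.2.10 for CVE-2025-54820; FortiSwitchAXFixed 1.0.0 and 1.0.1 for CVE-2026-22627) and flags matching hosts from a constructed sample inventory. Fixed versions are not listed on this page, so versions outside those ranges are simply reported as not in the affected list.

```python
"""Inventory triage against the affected ranges stated in Fortinet's advisories
for CVE-2025-54820 and CVE-2026-22627. The ranges come from the advisory text;
the inventory below is constructed sample data, not a real environment."""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# (product, lowest affected, highest affected, CVE); ranges are inclusive as stated
AFFECTED_RANGES = [
    ("FortiManager", (7, 4, 0), (7, 4, 2), "CVE-2025-54820"),
    ("FortiManager", (7, 2, 0), (7, 2, 10), "CVE-2025-54820"),
    ("FortiSwitchAXFixed", (1, 0, 0), (1, 0, 1), "CVE-2026-22627"),
]

def parse_version(text: str) -> Version:
    """'7.2.10' -> (7, 2, 10). Tuple comparison orders 7.2.10 after 7.2.9,
    which a plain string comparison would get wrong."""
    return tuple(int(part) for part in text.strip().split("."))

def matching_cves(product: str, version: str) -> List[str]:
    """CVEs whose stated affected range contains this product version."""
    v = parse_version(version)
    return [cve for prod, lo, hi, cve in AFFECTED_RANGES
            if prod == product and lo <= v <= hi]

def triage(inventory: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the entries that need action, with CVEs and the advised action."""
    findings = []
    for item in inventory:
        cves = matching_cves(item["product"], item["version"])
        if not cves:
            continue
        action = "upgrade to a fixed release"
        if "CVE-2025-54820" in cves:  # Fortinet's stated workaround for this bug
            action = "upgrade; disable fgtupdates until patched"
        findings.append({**item, "cves": ",".join(cves), "action": action})
    return findings

# Constructed sample inventory; hostnames and versions are placeholders
SAMPLE_INVENTORY = [
    {"host": "fmg-01.example", "product": "FortiManager", "version": "7.2.10"},
    {"host": "fmg-02.example", "product": "FortiManager", "version": "7.6.1"},
    {"host": "fmg-03.example", "product": "FortiManager", "version": "7.2.9"},
    {"host": "sw-01.example", "product": "FortiSwitchAXFixed", "version": "1.0.1"},
    {"host": "sw-02.example", "product": "FortiSwitchAXFixed", "version": "1.0.2"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f['host']}: {f['product']} {f['version']} -> {f['cves']} ({f['action']})")
```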

Authentication and access-control bugs add extra pressure

Fortinet also published several advisories for bugs that weaken authentication and admin safeguards rather than directly enabling command execution.

CVE-2026-22629, tracked as FG-IR-26-079, is an authentication lockout bypass via race condition in FortiManager, FortiAnalyzer, and their cloud variants. Fortinet describes it as an improper restriction of excessive authentication attempts vulnerability.

CVE-2026-22572, tracked as FG-IR-26-090, is an MFA bypass in the GUI of FortiManager, FortiAnalyzer, and related cloud products. Fortinet classifies it as an authentication bypass using an alternate path or channel.

CVE-2025-68482, tracked as FG-IR-26-078, affects initial SSO authentication in the FortiManager GUI. Fortinet says it involves improper certificate validation and rates it Medium severity with a 6.3 CVSS v3 score.

None of those bugs carries the top severity in this batch, but together they can chip away at core admin protections. That makes them important in real environments where attackers often chain smaller weaknesses into a larger compromise path. This conclusion is an inference based on Fortinet’s advisory summaries.

Command injection, privilege escalation, and API issues round out the release

Fortinet says CVE-2026-25836 in FortiSandbox Cloud is an OS command injection issue in the vmimages update feature. The advisory index lists it as FG-IR-26-096 and Medium severity.

CVE-2025-48418, tracked as FG-IR-26-081, allows privilege escalation through an undocumented CLI command in FortiManager and FortiAnalyzer. Fortinet says a remote authenticated read-only admin with CLI access may escalate privileges using a hidden command.

CVE-2026-22628, tracked as FG-IR-26-085, affects FortiSwitchAXFixed and can let an authenticated admin bypass shell command limitations through SSH local configuration overriding.

CVE-2025-49784, tracked as FG-IR-26-095, is an SQL injection flaw in the FortiAnalyzer JSON-RPC API. The advisory index lists FortiAnalyzer and FortiAnalyzer-BigData as affected.

CVE-2025-53608, tracked as FG-IR-26-091, is a stored XSS issue in the LDAP server option of FortiSandbox. Fortinet lists affected FortiSandbox versions in the advisory index and marks the issue Medium severity.

Products and fixes at a glance

| Product | Key affected issues | What admins should do |
|---|---|---|
| FortiManager | CVE-2025-54820, CVE-2026-22629, CVE-2026-22572, CVE-2025-68482, CVE-2025-48418, CVE-2025-68648 | Upgrade to fixed versions and disable fgtupdates if needed until patching completes |
| FortiAnalyzer | CVE-2026-22629, CVE-2026-22572, CVE-2025-68482, CVE-2025-48418, CVE-2025-49784, CVE-2025-68648 | Upgrade affected branches and review admin exposure |
| FortiSwitchAXFixed | CVE-2026-22627, CVE-2026-22628 | Patch 1.0.0 and 1.0.1 devices quickly |
| FortiSandbox Cloud | CVE-2026-25836 | Patch and review GUI activity tied to updates |
| FortiSandbox | CVE-2025-53608 | Patch affected releases and review stored-input vectors |

This summary combines Fortinet’s advisory pages with the PSIRT index.

What admins should do now

  • Patch the two High-severity issues first, especially FortiManager and FortiSwitchAXFixed.
  • Check whether the fgtupdates service is enabled on FortiManager interfaces.
  • Review MFA and SSO settings on FortiManager and FortiAnalyzer.
  • Restrict CLI, API, and SSH access to trusted admin paths only.
  • Audit logs for unusual authentication behavior, JSON-RPC activity, and unexpected update actions.
  • Plan migration away from unsupported branches where Fortinet says to move to a fixed release.

Fortinet’s workaround for CVE-2025-54820 is clear. If patching cannot happen immediately, disable the fgtupdates service.

FAQ

How many vulnerabilities did Fortinet address in this March 10 batch?

Fortinet’s March 10 PSIRT listings relevant to this update include 11 advisories across FortiManager, FortiAnalyzer, FortiSwitchAXFixed, and FortiSandbox product lines.

Which flaws are the most serious?

The two High-severity flaws are CVE-2026-22627 in FortiSwitchAXFixed and CVE-2025-54820 in FortiManager. Both advisories list the impact as execution of unauthorized code or commands.

Is FortiManager Cloud affected by CVE-2025-54820?

No. Fortinet explicitly says FortiManager Cloud is not affected by CVE-2025-54820.

Did Fortinet say attackers are already exploiting these bugs?

The advisories cited here describe the vulnerabilities, affected versions, and fixes, but the referenced notices do not say these specific March 10 issues are under active attack.

What is the fastest temporary mitigation for the FortiManager bug?

If immediate patching is not possible, Fortinet says admins should disable the fgtupdates service.
