
Three CVEs in FortiOS, FortiProxy, and FortiSandbox Enable Remote Code Execution

cert.ssi.gouv.fr · @threat_watch · 3 hours ago · Cybersecurity · 1 comment

CERT-FR flags arbitrary code execution and data theft across FortiOS 7.2.x/7.4.x/7.6.x, FortiPortal, FortiProxy, and FortiSandbox - patch now.

Tags: fortinet, fortios, fortiproxy, fortisandbox, cve-2025-67862, cve-2026-25089

Three new CVEs in Fortinet’s product line — CVE-2025-67862, CVE-2026-25089, and CVE-2026-49938 — give attackers remote code execution and data exfiltration across FortiOS, FortiPortal, FortiProxy, and FortiSandbox. France’s CERT-FR published advisory CERTFR-2026-AVI-0725 on June 10, 2026, citing three Fortinet PSIRT bulletins from June 9: FG-IR-26-140, FG-IR-26-141, and FG-IR-26-143.

Which Products and Versions Are Vulnerable

FortiOS 7.2.x before 7.2.11, 7.4.x before 7.4.8, and 7.6.x before 7.6.3 are among the most critical targets — these are the firewalls that anchor many enterprise networks. FortiPortal 7.4.x before 7.4.8, and any FortiPortal release before 7.2.9, are also exposed. FortiProxy 7.2.x before 7.2.15, 7.4.x before 7.4.11, and 7.6.x before 7.6.4 widen the blast radius to web proxy infrastructure. FortiSandbox 4.4.x before 4.4.9 and 5.0.x before 5.0.6 (including Cloud and PaaS instances) are affected as well, so the inspection engine relied on for advanced threat detection is itself a vulnerable host.
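As an added example (not from the article, CERT-FR, or Fortinet), the following Python script encodes the version cutoffs quoted above and checks an inventory of appliance banners against them. Host names and banner strings are constructed for the example; the banner layout is modelled on the `Version:` line of FortiOS `get system status` output, but only the `x.y.z` release token is parsed, so plain version strings work too.

```python
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges as quoted above from CERTFR-2026-AVI-0725.
# Each entry is (branch, first_fixed): a version is affected when it sits on
# that major.minor branch and is below first_fixed. A branch of None means
# "any version below first_fixed", which is how the advisory words the
# FortiPortal "anything before 7.2.9" case.
AFFECTED = {
    "FortiOS":      [((7, 2), (7, 2, 11)), ((7, 4), (7, 4, 8)), ((7, 6), (7, 6, 3))],
    "FortiPortal":  [((7, 4), (7, 4, 8)), (None, (7, 2, 9))],
    "FortiProxy":   [((7, 2), (7, 2, 15)), ((7, 4), (7, 4, 11)), ((7, 6), (7, 6, 4))],
    "FortiSandbox": [((4, 4), (4, 4, 9)), ((5, 0), (5, 0, 6))],
}

# Matches the x.y.z token in plain "7.4.7" as well as inside a banner such as
# "FortiGate-100F v7.4.7,build2731,250101 (GA.M)". Build numbers after the
# comma are ignored because the advisory thresholds are release versions.
_VER_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Version]:
    """Extract the first major.minor.patch triple from a version string or banner."""
    m = _VER_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(product: str, version_text: str) -> Optional[bool]:
    """True if the version falls inside a listed affected range, False if it
    does not, None if the product is unknown or the version cannot be parsed.

    False means "not in the ranges quoted above", not "safe": branches the
    advisory does not mention (for instance FortiOS 7.0.x) come back False
    and need a separate support-status check.
    """
    ver = parse_version(version_text)
    if ver is None or product not in AFFECTED:
        return None
    for branch, first_fixed in AFFECTED[product]:
        if branch is not None and ver[:2] != branch:
            continue
        if ver < first_fixed:
            return True
    return False


# Constructed inventory sample: host names and banners are made up.
INVENTORY = [
    ("fw-edge-01",  "FortiOS",      "FortiGate-100F v7.4.7,build2731,250101 (GA.M)"),
    ("fw-edge-02",  "FortiOS",      "FortiGate-100F v7.4.8,build2795,250301 (GA.M)"),
    ("proxy-01",    "FortiProxy",   "v7.2.14"),
    ("sandbox-01",  "FortiSandbox", "5.0.5"),
    ("portal-01",   "FortiPortal",  "7.0.3"),
    ("fw-lab-01",   "FortiOS",      "FortiGate-60F v7.0.12,build0523 (GA.M)"),
    ("fw-bad-01",   "FortiOS",      "unknown"),
]

LABELS = {True: "UPGRADE", False: "not in listed ranges", None: "unknown"}


def triage(inventory) -> List[Tuple[str, str, Optional[Version], str]]:
    """Classify every host; returns (host, product, parsed version, label)."""
    return [
        (host, product, parse_version(banner), LABELS[is_affected(product, banner)])
        for host, product, banner in inventory
    ]


def hosts_to_upgrade(inventory) -> List[str]:
    """Only the host names that sit inside a listed affected range."""
    return [host for host, _, _, label in triage(inventory) if label == "UPGRADE"]


if __name__ == "__main__":
    for host, product, ver, label in triage(INVENTORY):
        shown = ".".join(map(str, ver)) if ver else "?"
        print(f"{host:<12} {product:<13} {shown:<8} {label}")
```

The comparison is done on integer tuples rather than strings so that 7.4.10 correctly sorts above 7.4.8. Treat an "unknown" result as a finding in its own right: a host whose version cannot be read is one you cannot clear.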

What Attackers Can Do With These Bugs

Each CVE allows arbitrary remote code execution, meaning an unauthenticated (or minimally authorized) attacker can plant a payload on the affected appliance. Once inside, they can pivot to adjacent networks, install persistence, or siphon off the encrypted data the appliance processes. The advisory also flags “atteinte à la confidentialité des données” — data confidentiality breach — which suggests the bugs may leak sensitive information like VPN keys, policy configurations, or decrypted traffic. These aren’t denial-of-service annoyances; they are full compromise primitives.

Where to Get the Fixes

Fortinet’s PSIRT pages for FG-IR-26-140, FG-IR-26-141, and FG-IR-26-143 contain the specific version cutoffs and update instructions. If you’re running any of the listed versions, there is no workaround — upgrade to the patched release immediately. Given that FortiOS and FortiProxy often sit at the network perimeter, delaying remediation leaves your entire edge exposed. The three CVEs are tracked individually, but the advisory treats them as a coordinated release: patch all three at once to close every hole.


Source: Multiples vulnérabilités dans les produits Fortinet (10 juin 2026) (Multiple vulnerabilities in Fortinet products, 10 June 2026)
Domain: cert.ssi.gouv.fr
