Fortinet fixes seven new security warnings on July 14, 2026. These affect FortiOS, FortiProxy, FortiPAM, and FortiSandbox. The issues vary from minor header problems to more serious buffer overflows and a troubling issue with VNC access in FortiSandbox.
While none carry a critical rating, several affect widely deployed enterprise firewall and proxy versions, making prompt patching a priority for security teams.
The warnings cover important Fortinet products used for security at company borders: FortiOS (versions 7.0 to 8.0), FortiProxy (7.2 to 7.6), FortiPAM (1.4 to 1.9), and FortiSandbox (4.4 to 5.2).
Unpatched instances are a real risk because these platforms are very important for network defense. This is especially true when attackers can see components like SSL-VPN or captive portals.
Two big flaws are clear for real risk. CVE-2026-59839 (path traversal) is serious because a logged-in attacker with limited command line access could delete important root files, leading to service outages or device issues.
| CVE | Vulnerability | Component | Access | Severity |
|---|---|---|---|---|
| CVE-2025-43892 | Buffer over-read (CWE-126) in authd and wad daemon | CLI | Authenticated | Medium |
| CVE-2025-62675 | HTTP response splitting via CRLF injection in Web Filter warning page | Others | Unauthenticated | Low |
| CVE-2025-62826 | HTTP response splitting via CRLF injection in captive portal auth form | Others | Unauthenticated | Low |
| CVE-2026-59839 | Path traversal (CWE-22) enabling root filesystem deletion via CLI | CLI | Authenticated | Medium |
| CVE-2026-23573 | Reflected XSS in SSL-VPN | SSL-VPN | Unauthenticated | Medium |
| CVE-2026-59837 | Stack-based buffer overflow (CWE-121) in log report generation | GUI | Authenticated | Medium |
| CVE-2026-59835 | Unauthenticated VNC exposed on all interfaces (CWE-668) | Others | Unauthenticated | Not disclosed |
CVE-2026-59835 in FortiSandbox is likely the most important issue. It reveals VNC without a password on all network connections. This could let an attacker, without a login, access the sandbox directly. The sandbox is usually trusted to check harmful files in safe spaces.
The two CRLF bugs (FG-IR-26-152 and FG-IR-26-153) let attackers split responses on the Web Filter warning page and the captive portal login form.
These have low severity but can be linked with phishing or cache-poisoning methods to change what users see when using FortiOS-controlled network access points.
The XSS issue in SSL-VPN (CVE-2026-23573) does not need a login and is available on the web. This means bad actors can make harmful links aimed at users who go to the SSL-VPN portal. This is a common way attackers have used Fortinet devices in past real-life attacks.
Defender Guidance
Apply Fortinet’s official patches for FortiOS, FortiProxy, FortiPAM, and FortiSandbox immediately, prioritizing internet-facing SSL-VPN and captive portal deployments.
Restrict CLI access to trusted administrators only, given two flaws require authenticated CLI access.
Audit FortiSandbox network exposure and disable VNC access on interfaces where it isn’t explicitly required.
Monitor Fortinet’s PSIRT advisories for updated CVSS scores and any confirmed in-the-wild exploitation.
InfoSecBulletin Cybersecurity for mankind
