FORTINET on Tuesday published eight advisories detailing security defects addressed across FortiAuthenticator, FortiClient for Windows, FortiGate, FortiOS and FortiSandbox, including two high-severity issues. The most severe is CVE-2025-52436, an XSS bug in FortiSandbox that could be exploited via crafted requests to execute commands without authentication.
Next is CVE-2026-22153, an authentication bypass in FortiOS that can be exploited under certain configurations to bypass LDAP authentication of Agentless VPN or FSSO policy. The company also rolled out fixes for medium-severity flaws in FortiOS, FortiAuthenticator, FortiGate and FortiClient for Windows that could be exploited to obtain sensitive information, smuggle HTTP requests, modify user accounts, execute arbitrary code or commands, and write arbitrary files.
Of these, CVE-2025-68686 is described as an exposure of sensitive information in FortiOS SSL-VPN and is a bypass of patches deployed against older vulnerabilities; according to Fortinet, it can be abused only after an attacker has first compromised the target through another defect. Fortinet notes that these fixes come four days after a critical SQL injection flaw, CVE-2026-21643 (CVSS 9.1), was addressed in FortiClientEMS; that flaw could be exploited remotely, without authentication, to achieve arbitrary code execution.