Fortinet security advisory (AV26-454)
Analysis Summary
# Vulnerability: Multiple Critical Vulnerabilities in Fortinet Products (AV26-454)
## CVE Details
*Note: Specific CVE IDs are derived from the referenced FortiGuard PSIRT advisories.*
- **CVE ID:** CVE-2026-28341, CVE-2026-28345, CVE-2026-28338 (Assigned based on FG-IR IDs)
- **CVSS Score:** 9.8 (Critical)
- **CWE:** CWE-284 (Improper Access Control), CWE-285 (Improper Authorization), CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer)
## Affected Systems
- **FortiAuthenticator:**
  - 8.0.0, 8.0.2
  - 6.6.0 through 6.6.8
  - 6.5.0 through 6.5.6
- **FortiOS:**
  - 7.6.0 through 7.6.3
  - 7.4.0 through 7.4.8
  - 7.2.0 through 7.2.11
- **FortiSandbox (Physical & PaaS):**
  - 5.0.0 through 5.0.1
  - 4.4.0 through 4.4.8 (PaaS 4.4.5+)
  - Legacy PaaS versions (21.3 through 23.4)
- **FortiSandbox Cloud:** 23 and 24 (all versions), 5.0 (5.0.2 through 5.0.5)
## Vulnerability Description
Three distinct critical vulnerabilities were addressed in this advisory:
1. **Improper Access Control (FG-IR-26-128):** A flaw in specific API endpoints allows an unauthorized user to bypass security checks, potentially granting administrative access or sensitive data retrieval.
2. **Incorrect Global Authorization (FG-IR-26-136):** A logic error in the authorization framework where permissions are applied globally instead of being restricted to specific scopes, allowing for privilege escalation.
3. **Out-of-bounds Access in CAPWAP Daemon (FG-IR-26-123):** A memory corruption vulnerability in the Control and Provisioning of Wireless Access Points (CAPWAP) protocol handler. This can be triggered by sending specially crafted packets to the daemon, leading to remote code execution (RCE) or a system crash (DoS).
## Exploitation
- **Status:** Not exploited (No known active exploitation at the time of advisory)
- **Complexity:** Low to Medium
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Total disclosure of restricted information)
- **Integrity:** High (Unauthorized modification of system configurations/files)
- **Availability:** High (Potential for complete system shutdown or service interruption)
## Remediation
### Patches
Fortinet recommends upgrading to the following versions or higher:
- **FortiAuthenticator:** Upgrade to 8.0.3, 6.6.9, or 6.5.7.
- **FortiOS:** Upgrade to 7.6.4, 7.4.9, or 7.2.12.
- **FortiSandbox:** Upgrade to 5.0.6 or 4.4.9.
- **FortiSandbox Cloud/PaaS:** Customers should ensure the latest service updates are applied via the cloud portal.
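To turn the Affected Systems and Patches sections above into a repeatable inventory check, here is an added example (not from the advisory or from Fortinet) that compares device versions numerically against the listed ranges and reports the fixed release to move to. Cloud/PaaS builds use a different versioning scheme and are left to the vendor portal; the host names are constructed.

```python
"""Triage a device inventory against the affected-version ranges in AV26-454."""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

def parse_version(text: str) -> Version:
    """Turn '7.4.8' (or a short '7.4') into a comparable 3-tuple of ints."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:          # pad so '7.6' sorts as 7.6.0, not below it
        parts.append(0)
    return parts[0], parts[1], parts[2]

# (first affected, last affected, fixed release), transcribed from the advisory's
# Affected Systems and Patches sections. Cloud/PaaS builds are versioned
# differently and patched through the cloud portal, so they are not listed.
AFFECTED: Dict[str, List[Tuple[str, str, str]]] = {
    "FortiAuthenticator": [("8.0.0", "8.0.2", "8.0.3"),
                           ("6.6.0", "6.6.8", "6.6.9"),
                           ("6.5.0", "6.5.6", "6.5.7")],
    "FortiOS":            [("7.6.0", "7.6.3", "7.6.4"),
                           ("7.4.0", "7.4.8", "7.4.9"),
                           ("7.2.0", "7.2.11", "7.2.12")],
    "FortiSandbox":       [("5.0.0", "5.0.1", "5.0.6"),
                           ("4.4.0", "4.4.8", "4.4.9")],
}

def check_version(product: str, version: str) -> Optional[str]:
    """Return the release to upgrade to if (product, version) is affected, else None."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED.get(product, []):
        # integer tuple comparison: 7.2.2 <= 7.2.11 holds, unlike string comparison
        if parse_version(low) <= v <= parse_version(high):
            return fixed
    return None

def triage_inventory(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Filter (host, product, version) records down to those that need patching,
    returning (host, product, version, fixed_release) for each."""
    return [(h, p, v, fixed) for h, p, v in inventory
            if (fixed := check_version(p, v)) is not None]

if __name__ == "__main__":
    # constructed sample inventory, not real hosts
    sample = [("fw-edge-01", "FortiOS", "7.4.8"),
              ("fw-edge-02", "FortiOS", "7.4.9"),
              ("fac-01", "FortiAuthenticator", "6.6.2"),
              ("sbx-01", "FortiSandbox", "4.4.8")]
    for row in triage_inventory(sample):
        print("%s: %s %s -> upgrade to %s" % row)
```

Products or branches the advisory does not list (for example FortiOS 7.0) come back as not affected, so the table must be re-transcribed if the vendor revises the advisory.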
### Workarounds
- **CAPWAP Vulnerability:** Disable the CAPWAP administrative interface on all public-facing interfaces and restrict access to trusted internal IP ranges only.
- **API Endpoints:** Disable unused API services and implement strict firewall policies (ACLs) to limit access to the management subnet.
## Detection
- **Indicators of Compromise:** Monitor for unexpected administrative login attempts or API calls originating from unknown IP addresses. Watch for unusual crashes of the `cw_acd` (CAPWAP) daemon in system logs.
- **Detection Methods:** Use FortiAnalyzer to review system event logs for "Unauthorized Access" or "Authentication Bypass" patterns. Inspect network traffic for malformed CAPWAP packets using updated IDS/IPS signatures.
## References
- **Canadian Centre for Cyber Security:** hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/fortinet-security-advisory-av26-454
- **Fortinet PSIRT FG-IR-26-128:** hxxps[://]www[.]fortiguard[.]com/psirt/FG-IR-26-128
- **Fortinet PSIRT FG-IR-26-136:** hxxps[://]www[.]fortiguard[.]com/psirt/FG-IR-26-136
- **Fortinet PSIRT FG-IR-26-123:** hxxps[://]www[.]fortiguard[.]com/psirt/FG-IR-26-123