Fortinet Patches 11 Flaws in FortiManager, FortiAnalyzer, FortiSandbox
Fortinet's March 2026 security advisory addresses 11 vulnerabilities including auth bypass, SQL injection, and buffer overflow flaws affecting enterprise management products.
Fortinet released a sweeping security advisory on March 10, 2026, addressing eleven vulnerabilities across FortiManager, FortiAnalyzer, FortiSwitchAXFixed, and FortiSandbox. The flaws range from authentication bypasses to SQL injection and buffer overflows—several enabling remote code execution without authentication.
Two vulnerabilities received High severity ratings, and all organizations running affected products should prioritize patching given Fortinet's recent history of rapid exploitation following disclosure.
Critical Vulnerabilities
CVE-2026-22572 - MFA Bypass (High)
An authentication bypass vulnerability in the GUI of FortiAnalyzer and FortiManager versions 7.6.0 through 7.6.3 allows attackers to bypass multi-factor authentication entirely. This flaw affects both on-premises deployments and corresponding Cloud versions.
CVE-2026-22629 - Auth Lockout Race Condition (High)
A race condition in FortiAnalyzer and FortiManager versions 7.6.0 through 7.6.4 enables attackers to bypass authentication lockout protections. Combined with credential stuffing, this could allow brute-force attacks that would normally trigger account lockouts.
CVE-2026-22627 - Buffer Overflow in FortiSwitchAXFixed
A classic buffer overflow in the LLDP OUI field affects FortiSwitchAXFixed versions 1.0.0 and 1.0.1. Successful exploitation could enable arbitrary code execution on the network switch.
SQL Injection and Format String Flaws
CVE-2025-49784 - SQL Injection via JSON-RPC API
The FortiAnalyzer JSON-RPC API contains an SQL injection vulnerability affecting versions 7.6.0 through 7.6.4 and FortiAnalyzer-BigData. Attackers with API access could extract sensitive data or modify database contents.
CVE-2025-68648 - Format String in fazsvcd
A format string vulnerability in the fazsvcd component of FortiAnalyzer and FortiManager, exposed via API, could allow attackers to execute arbitrary code or cause denial of service.
Certificate and TLS Vulnerabilities
CVE-2025-68482 - Improper TLS Certificate Validation
During initial SSO authentication in the FortiManager GUI, improper TLS certificate validation could allow man-in-the-middle attackers to intercept or manipulate the authentication process. This affects versions 7.6.0 through 7.6.4 of both FortiAnalyzer and FortiManager.
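The weakness class behind a finding like this is easiest to see as a client-side TLS configuration that skips validation next to one that enforces it. The following is an added example and not code from the advisory or from Fortinet; the function names and the audit helper are this example's own, and it uses only the Python standard library:

```python
"""Added example (not Fortinet's code): a TLS client context that never
validates the peer certificate, beside a hardened one, plus a small audit
function that checks a context has the properties an SSO/IdP connection needs.
Function names here are this example's own assumptions."""
import ssl


def weak_context():
    # The pattern that makes an SSO/IdP connection interceptable: the peer's
    # certificate is never checked against trusted CAs or against the hostname,
    # so any on-path party presenting any certificate is accepted.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(ca_bundle=None):
    # create_default_context() sets CERT_REQUIRED and hostname checking.
    # Passing an explicit CA bundle (e.g. the IdP's private CA) pins trust to
    # that CA instead of the whole system store; None uses the system store.
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_safe(ctx):
    # Audit check: chain validation on, hostname validation on, no legacy TLS.
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and bool(ctx.check_hostname)
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


if __name__ == "__main__":
    print("weak context safe:", context_is_safe(weak_context()))        # False
    print("hardened context safe:", context_is_safe(hardened_context()))  # True
```

When reviewing an SSO integration, the three properties `context_is_safe` checks are the ones to confirm in whatever TLS library the product uses: the chain is verified against a trusted CA, the certificate's name matches the IdP host, and the protocol floor is TLS 1.2.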
Affected Products and Versions
| Product | Affected Versions | Fixed Version |
|---|---|---|
| FortiManager | 7.6.0 - 7.6.4 | 7.6.5+ |
| FortiAnalyzer | 7.6.0 - 7.6.4 | 7.6.5+ |
| FortiAnalyzer-BigData | 7.6.x | 7.6.5+ |
| FortiSwitchAXFixed | 1.0.0, 1.0.1 | 1.0.2+ |
| FortiManager Cloud | 7.6.x | Latest |
| FortiAnalyzer Cloud | 7.6.x | Latest |
Recommended Actions
Organizations should take the following steps immediately:
- Apply patches to all affected FortiManager, FortiAnalyzer, and FortiSwitch deployments
- Audit MFA configurations to ensure authentication flows are functioning correctly
- Review administrative access logs for signs of unauthorized access attempts
- Validate TLS certificates used in SSO authentication chains
- Restrict API access to trusted networks pending patching
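The second and third actions above (audit MFA behaviour, review administrative access logs) can be turned into a concrete check. The script below is an added example, not part of the advisory or a Fortinet tool: it reviews a constructed set of admin login events for two patterns that map to this advisory, a burst of failed logins that exceeds the lockout threshold with no lockout event following it, and a successful admin login recorded with no MFA step. The log format, field names, and the lockout threshold are this example's own assumptions; real FortiAnalyzer and FortiManager event logs differ, so the parser would need adapting to their fields.

```python
"""Added example (not from the advisory or Fortinet): flag admin login
patterns consistent with a lockout that did not fire and with logins that
skipped MFA. Log format and thresholds are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5              # assumed: failures after which lockout should fire
LOCKOUT_WINDOW = timedelta(seconds=60)

# Constructed sample events; not real Fortinet log output.
SAMPLE_LOG = """\
2026-03-11T08:14:00Z user=admin src=203.0.113.5 event=login result=fail
2026-03-11T08:14:01Z user=admin src=203.0.113.5 event=login result=fail
2026-03-11T08:14:01Z user=admin src=203.0.113.5 event=login result=fail
2026-03-11T08:14:02Z user=admin src=203.0.113.5 event=login result=fail
2026-03-11T08:14:02Z user=admin src=203.0.113.5 event=login result=fail
2026-03-11T08:14:03Z user=admin src=203.0.113.5 event=login result=fail
2026-03-11T08:14:05Z user=admin src=203.0.113.5 event=login result=success mfa=none
2026-03-11T09:00:00Z user=ops src=198.51.100.7 event=login result=fail
2026-03-11T09:00:01Z user=ops src=198.51.100.7 event=login result=fail
2026-03-11T09:00:02Z user=ops src=198.51.100.7 event=login result=fail
2026-03-11T09:00:03Z user=ops src=198.51.100.7 event=login result=fail
2026-03-11T09:00:04Z user=ops src=198.51.100.7 event=login result=fail
2026-03-11T09:00:04Z user=ops src=198.51.100.7 event=lockout
2026-03-11T10:30:00Z user=ops src=10.0.0.9 event=login result=success mfa=totp
"""


def parse_line(line):
    # "<timestamp> key=value key=value ..." -> dict with a datetime under "ts"
    ts_str, _, rest = line.partition(" ")
    event = {"ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")}
    for token in rest.split():
        key, _, value = token.partition("=")
        event[key] = value
    return event


def review_admin_logins(text):
    """Return (finding, user, src, timestamp) tuples for suspicious events."""
    findings = []
    failures = defaultdict(list)   # (user, src) -> timestamps of recent failures
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        key = (ev.get("user"), ev.get("src"))
        if ev.get("event") == "lockout":
            failures[key].clear()  # lockout fired as expected; burst is closed
            continue
        if ev.get("event") != "login":
            continue
        if ev.get("result") == "fail":
            # Keep only failures inside the lockout window, then add this one.
            window = [t for t in failures[key] if ev["ts"] - t <= LOCKOUT_WINDOW]
            window.append(ev["ts"])
            failures[key] = window
            # One failure past the threshold with no lockout seen: flag once.
            if len(window) == LOCKOUT_THRESHOLD + 1:
                findings.append(("lockout_not_enforced", key[0], key[1], ev["ts"]))
        elif ev.get("result") == "success":
            # A successful admin login with no MFA factor recorded.
            if ev.get("mfa", "none") == "none":
                findings.append(("login_without_mfa", key[0], key[1], ev["ts"]))
            failures[key].clear()
    return findings


if __name__ == "__main__":
    for finding in review_admin_logins(SAMPLE_LOG):
        print(finding)
```

The `ops` burst is not flagged because a lockout event follows the fifth failure; the `admin` burst is flagged on the sixth failure because none does, and the success that follows it is flagged separately for carrying no MFA factor. Either finding on a management platform warrants a look at the session that followed it.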
For organizations unable to patch immediately, Fortinet recommends disabling affected features where possible and implementing strict network segmentation around management interfaces.
Why This Matters
FortiManager and FortiAnalyzer serve as centralized management platforms for Fortinet security infrastructure—often controlling hundreds or thousands of firewalls, switches, and endpoints. Compromise of these systems gives attackers administrative control over an organization's entire Fortinet deployment.
The MFA bypass (CVE-2026-22572) is particularly concerning. Organizations deploy MFA specifically to prevent credential-based attacks, and a complete bypass defeats that protection. Combined with the authentication lockout race condition, attackers have multiple paths to bypass authentication controls.
Fortinet products have faced sustained targeting by threat actors throughout 2025 and 2026, with some vulnerabilities exploited within days of disclosure. The company's widespread deployment in enterprise and government networks makes these products high-value targets for both nation-state actors and ransomware groups.
Security teams managing Fortinet infrastructure should treat this advisory as urgent and plan patching windows accordingly. Given the pattern of rapid weaponization we've seen with Fortinet vulnerabilities, waiting carries significant risk.