A new cybersecurity advisory from the Multi-State Information Sharing and Analysis Center (MS-ISAC) is alerting organizations to multiple vulnerabilities affecting Fortinet products, some of which could allow attackers to execute arbitrary code on impacted systems. The advisory, identified as MS-ISAC Advisory 2026-003, was issued on January 13, 2026, and applies to a wide range of enterprise, government, and education-focused technologies.
Among the affected solutions are FortiSandbox, FortiWeb, and FortiVoice, along with FortiOS, FortiClientEMS, FortiSwitchManager, FortiProxy, FortiFone, FortiSIEM, and FortiSASE. FortiOS, Fortinet’s proprietary operating system, is particularly notable because it is used across multiple product lines, meaning vulnerabilities within it can have cascading effects.
FortiSandbox, which performs advanced threat detection by analyzing suspicious files and network traffic for zero-day malware and ransomware, is impacted by a server-side request forgery vulnerability. FortiWeb, a web application firewall designed to protect applications and APIs from attacks such as SQL injection and cross-site scripting, may also be indirectly affected through its reliance on FortiOS. FortiVoice, a unified communications platform that supports voice, chat, conferencing, and fax services, is impacted by a filesystem-related vulnerability that could allow file deletion under certain conditions.
Technical Details of MS-ISAC Advisory
MS-ISAC reports that the most severe vulnerabilities could allow arbitrary code execution within the context of affected service accounts. If those service accounts are configured with elevated privileges, an attacker could install programs, alter or delete data, or create new accounts with full user rights. Systems that enforce least-privilege access models may experience reduced impact.
One of the most critical issues is a heap-based buffer overflow vulnerability (CWE-122) in the cw_acd daemon used by FortiOS and FortiSwitchManager. Identified as CVE-2025-25249, this flaw could allow a remote, unauthenticated attacker to execute arbitrary code or commands through specially crafted requests. Another high-severity vulnerability affects FortiSIEM, where an OS command injection flaw (CWE-78) tracked as CVE-2025-64155 could allow unauthenticated attackers to execute unauthorized commands via crafted TCP requests.
Lower-severity vulnerabilities were also documented. These include a path traversal vulnerability in FortiVoice (CVE-2025-58693), an SQL injection flaw in FortiClientEMS (CVE-2025-59922), an SSRF vulnerability in FortiSandbox (CVE-2025-67685), and an information disclosure issue in the FortiFone web portal (CVE-2025-47855).
Affected Versions, Risk Ratings, and Mitigation Guidance
The advisory lists a wide range of affected versions. FortiVoice versions 7.2.0 through 7.2.2 and 7.0.0 through 7.0.7 are impacted, while FortiSandbox versions 5.0.0 through 5.0.4 and all versions of 4.4, 4.2, and 4.0 are also affected. FortiOS versions from 6.4.0 through 7.6.3 are included, alongside multiple releases of FortiClientEMS, FortiSwitchManager, FortiSIEM, FortiFone, and FortiSASE.
MS-ISAC assesses the risk as high for large and medium government organizations and businesses, medium for small government entities and small businesses, and low for home users. At the time of issuance, there were no reports of active exploitation in the wild.
To reduce risk, MS-ISAC recommends applying Fortinet’s stable channel updates as soon as possible following appropriate testing. Additional guidance includes maintaining a formal vulnerability management and remediation process, conducting regular automated patching and vulnerability scans, and performing periodic penetration testing.
Organizations are also advised to enforce least-privilege access, manage default and administrative accounts carefully, enable anti-exploitation protections, and segment networks to limit potential lateral movement.
