Buffer Overflow in FortiSwitchAXFixed LLDP OUI Field Allows Remote Code Execution
Fortinet disclosed a buffer overflow vulnerability in FortiSwitchAXFixed that lets an unauthenticated attacker on the same adjacent network execute arbitrary code via a crafted LLDP packet.
Fortinet has disclosed a buffer overflow vulnerability in its FortiSwitchAXFixed product line that could allow an unauthenticated attacker on the same adjacent network to execute arbitrary code or commands on the device. The flaw, tracked as FG-IR-26-086 with a pending CVE identifier, resides in the handling of the Organizationally Unique Identifier (OUI) field within Link Layer Discovery Protocol (LLDP) packets. A classic buffer copy without proper size checking (CWE-120) enables the overflow when a specially crafted LLDP packet with an oversized OUI field is sent to an affected device.
The vulnerability affects FortiSwitchAXFixed versions 1.0.0 through 1.0.1. Fortinet has assigned a CVSSv3 score of 7.7 to the flaw, reflecting its high severity due to the potential for remote code execution without authentication, though exploitation requires adjacency to the target network. The issue was internally discovered and reported by Yonghui Han of the Fortinet Product Security team, indicating that no external exploitation has been confirmed at the time of disclosure.
Fortinet has released a security advisory and urges customers to upgrade to FortiSwitchAXFixed version 1.0.2 or above to remediate the vulnerability. The advisory provides no workarounds, making patching the sole mitigation. Given the critical nature of network infrastructure devices and the ease of sending LLDP packets on local networks, administrators should prioritize the update to prevent potential compromise.
LLDP is a widely used vendor-neutral protocol for network devices to advertise their identity, capabilities, and neighbors on a local Ethernet segment. By exploiting this buffer overflow, an attacker could gain full control of the switch, potentially disrupting network operations, exfiltrating data, or pivoting to other devices on the same segment. The adjacency requirement limits the attack surface to internal networks, but once inside, the vulnerability becomes a serious threat.
This disclosure follows a pattern of vulnerabilities in network device firmware that arise from improper input validation in protocol implementations. Fortinet's internal discovery and prompt advisory demonstrate responsible disclosure practices, but the lack of a CVE identifier at publication may slow tracking by security teams. Customers should verify their firmware versions and apply the update as soon as possible to close this attack vector.