Fortinet Discloses Out-of-Bounds Write Vulnerability in FortiWeb CGI Daemon
Fortinet disclosed an out-of-bounds write vulnerability in the FortiWeb CGI daemon that could allow a remote privileged attacker to execute arbitrary code or commands via crafted HTTP requests.

Fortinet has disclosed a medium-severity out-of-bounds write vulnerability (CWE-787) in the FortiWeb CGI daemon, tracked as FG-IR-26-127. The flaw, which carries a CVSSv3 score of 6.7, could allow a remote privileged attacker to execute arbitrary code or commands by sending specially crafted HTTP requests to the administrative interface.
The vulnerability affects multiple versions of FortiWeb, including 8.0.0 through 8.0.3, 7.6.0 through 7.6.6, and 7.4.0 through 7.4.11. FortiWeb 7.2 and 7.0 are not affected. Fortinet has released patches for all affected versions, urging customers to upgrade to FortiWeb 8.0.4, 7.6.7, or 7.4.12 respectively.
The issue was reported by Jason McFadyen of TrendAI Research under responsible disclosure. Fortinet acknowledged the researcher's contribution in the advisory. The advisory was initially published on April 15, 2026.
Out-of-bounds write vulnerabilities occur when a program writes data beyond the allocated memory buffer, potentially corrupting adjacent memory and enabling code execution. In this case, the flaw resides in the CGI daemon, which handles HTTP requests to the administrative interface. An attacker with privileged access could exploit this to gain full control of the affected device.
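The defect class described above, shown as an added C example that is not FortiWeb code: a toy CGI-style handler copies one HTTP header value into a fixed-size field, once without a length check (the CWE-787 pattern) and once with the check that rejects oversized input before any byte is written. The header name, buffer size and struct layout are assumptions chosen for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

/* Hypothetical request record: the field after 'host' is what an
 * unchecked copy would overwrite first. */
#define HOST_BUF 32

struct request {
    char host[HOST_BUF];   /* fixed-size copy of the Host header value      */
    int  is_admin;         /* adjacent field; corrupted by an overflow      */
};

/* Vulnerable pattern (CWE-787): strcpy() never consults the buffer size.
 * A value of HOST_BUF bytes or more writes past 'host' into 'is_admin'
 * and whatever follows.  Kept only to show the defect; never pass it
 * untrusted input. */
void copy_host_unchecked(struct request *r, const char *host_value)
{
    strcpy(r->host, host_value);
}

/* Hardened version: measure first, reject anything that does not fit
 * together with its terminating NUL, and only then copy.
 * Returns 0 on success, -1 on rejection; on -1 the struct is untouched. */
int copy_host_checked(struct request *r, const char *host_value)
{
    size_t n = strnlen(host_value, HOST_BUF);   /* bounded scan */
    if (n >= HOST_BUF)          /* no room for the NUL terminator */
        return -1;
    memcpy(r->host, host_value, n + 1);
    return 0;
}

int main(void)
{
    struct request r = { "", 0 };
    /* constructed inputs: one that fits, one that does not */
    const char *ok = "waf.example.internal";
    char bad[HOST_BUF + 16];
    memset(bad, 'A', sizeof bad - 1);
    bad[sizeof bad - 1] = '\0';

    printf("short value: %s\n",
           copy_host_checked(&r, ok) == 0 ? "accepted" : "rejected");
    printf("long value:  %s\n",
           copy_host_checked(&r, bad) == 0 ? "accepted" : "rejected");
    printf("is_admin still %d, host still \"%s\"\n", r.is_admin, r.host);
    return 0;
}
```

The check is done on the length before the copy rather than by truncating with strncpy(), because silently truncating a header value can itself change request semantics; rejecting the request and logging it is the behaviour an administrator can alert on.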
Fortinet recommends that customers apply the available patches as soon as possible. As a mitigation, administrators should restrict access to the administrative interface to trusted networks and users. No reports of active exploitation have been confirmed at this time.
This disclosure is part of Fortinet's ongoing commitment to securing its products. The company regularly publishes security advisories and encourages responsible disclosure of vulnerabilities. Customers are advised to monitor Fortinet's PSIRT page for updates.