Fortinet Discloses Stack-Based Buffer Overflow in FortiManager fgtupdates Service (FG-IR-26-098)
Fortinet has disclosed a stack-based buffer overflow vulnerability in the FortiManager fgtupdates service that could allow remote unauthenticated attackers to execute unauthorized commands.

Fortinet has disclosed a stack-based buffer overflow vulnerability (CWE-121) in the FortiManager fgtupdates service, tracked as FG-IR-26-098. The flaw, which carries a CVSSv3 score of 7.0, could allow a remote unauthenticated attacker to execute unauthorized commands via specially crafted requests, provided the service is enabled. However, successful exploitation depends on the attacker's ability to bypass stack protection mechanisms.
The vulnerability affects multiple FortiManager versions, including 7.4.0 through 7.4.2, 7.2.0 through 7.2.10, and all versions of 6.4. FortiManager 7.6 is not affected. Fortinet has released patches for the affected branches: administrators should upgrade to FortiManager 7.4.3 or above, 7.2.11 or above, or migrate from the 6.4 branch to a fixed release.
The fgtupdates service is used by FortiManager to handle firmware and content updates for managed Fortinet devices. When enabled, it listens for incoming connections, making it a potential attack surface for remote exploitation. The stack-based buffer overflow occurs when the service processes malformed requests, potentially overwriting critical memory regions and allowing arbitrary code execution.
Fortinet credited catalpa from Dbappsecurity Co., Ltd. for reporting the vulnerability under responsible disclosure. The advisory was published on March 10, 2026, with no indication of active exploitation in the wild at the time of disclosure.
This disclosure follows a pattern of critical vulnerabilities in network management appliances, which are increasingly targeted by attackers seeking to compromise enterprise infrastructure. FortiManager is widely deployed in large organizations for centralized management of Fortinet security devices, making timely patching critical.
Administrators are advised to apply the available patches immediately and to ensure that the fgtupdates service is only enabled when necessary. As a best practice, network management interfaces should be restricted to trusted IP addresses and isolated from general network traffic to reduce exposure to such vulnerabilities.
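To act on the version ranges and the service-enabled condition described above, the following added example (not Fortinet code and not part of the advisory) classifies an inventory of FortiManager hosts. The inventory field names, host names and build suffixes are constructed assumptions; the version ranges are taken only from this page, and branches the page does not mention are reported as "not_listed" rather than guessed.

```python
import re

# Version data copied from the advisory summary above (FG-IR-26-098).
RANGED = {  # branch -> (first affected, last affected, fix)
    (7, 4): ((7, 4, 0), (7, 4, 2), "upgrade to 7.4.3 or above"),
    (7, 2): ((7, 2, 0), (7, 2, 10), "upgrade to 7.2.11 or above"),
}
WHOLE_BRANCH = {(6, 4): "migrate to a fixed release"}
NOT_AFFECTED = {(7, 6)}

def parse_version(text):
    """Extract (major, minor, patch) from strings like 'v7.2.10-build0000'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if m is None:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(part) for part in m.groups())

def assess(version_text):
    """Return (status, fix) for one FortiManager version string."""
    version = parse_version(version_text)
    branch = version[:2]
    if branch in NOT_AFFECTED:
        return ("not_affected", None)
    if branch in WHOLE_BRANCH:
        return ("affected", WHOLE_BRANCH[branch])
    if branch in RANGED:
        first, last, fix = RANGED[branch]
        # Integer tuples, so 7.2.10 sorts after 7.2.9 (a string compare gets this wrong).
        if first <= version <= last:
            return ("affected", fix)
        return ("fixed", None)
    # Branch not mentioned on this page: do not guess, check the vendor advisory.
    return ("not_listed", None)

def triage(inventory):
    """Classify hosts; affected hosts with fgtupdates enabled are the exposed ones."""
    rows = []
    for host in inventory:
        status, fix = assess(host["version"])
        if status == "affected":
            action = "patch-exposed" if host["fgtupdates_enabled"] else "patch-service-off"
        elif status == "not_listed":
            action = "check-advisory"
        else:
            action = "none"
        rows.append((host["name"], status, action, fix))
    return rows

# Constructed inventory; field names are assumptions, not a Fortinet export format.
SAMPLE = [{"name": "fmg-a", "version": "v7.2.10-build0000", "fgtupdates_enabled": True},
          {"name": "fmg-b", "version": "6.4.15", "fgtupdates_enabled": False},
          {"name": "fmg-c", "version": "7.4.3", "fgtupdates_enabled": True}]
```

Calling `triage(SAMPLE)` returns one tuple per host; both "patch-exposed" and "patch-service-off" hosts still need the upgrade, the label only separates those currently reachable through the service.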