VYPR
advisoryPublished Jul 14, 2026· 1 source

Fortinet SSL-VPN Flaw Allows Code Execution via Reflected XSS

Fortinet has issued a security advisory for a reflected Cross-Site Scripting (XSS) vulnerability in its SSL-VPN feature, potentially allowing authenticated attackers to execute arbitrary code.

Fortinet has released security advisory FG-IR-26-150 detailing a reflected Cross-Site Scripting (XSS) vulnerability affecting multiple products, including FortiOS, FortiProxy, FortiPAM, and FortiSwitch-Manager Agentless.

The vulnerability, classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), carries a CVSSv3 score of 6.1. It arises from insufficient input validation within the web page generation process of the SSL-VPN feature. This flaw enables an authenticated remote attacker to execute arbitrary code or commands by crafting and sending malicious requests to vulnerable systems.

The advisory provides a detailed breakdown of affected versions across various Fortinet products. For FortiOS, versions 7.6.0 through 7.6.6 and all versions of 7.4 and 7.2 are impacted, with recommendations to upgrade to 7.6.7 or above, or migrate to a fixed release for older branches. FortiPAM versions 1.8.0 and earlier are also affected, requiring upgrades to 1.8.1 or migration for older lines. FortiProxy versions 7.4.0 through 7.4.3 and 7.2.0 through 7.2.9 are vulnerable, with patches available in 7.4.4 and 7.2.10 respectively.

Fortinet emphasizes that this vulnerability specifically impacts the Agentless SSL-VPN functionality. If this feature is not enabled on a system, users are not exposed to this particular risk. The company also offers an upgrade tool to assist customers in navigating the patching process.

To mitigate the risk, Fortinet has also made a virtual patch available. This virtual patch, named "FG-VD-60129.0day," is included in FMWP database update 26.021. This offers an interim solution for organizations unable to immediately apply the full firmware updates.

Fortinet credited The UK's National Cyber Security Centre (NCSC) for responsibly reporting the vulnerability. The advisory was initially published on July 14, 2026, marking the start of the public disclosure timeline.

This XSS vulnerability underscores the ongoing threat posed by improper input validation in web-facing applications. Attackers continue to leverage such flaws to gain initial access or escalate privileges within targeted networks, making timely patching and security updates critical for maintaining a robust defense posture.

Synthesized by Vypr AI