VYPR
patchPublished Jul 14, 2026· 1 source

FortiSIEM Agent Vulnerability Allows Local Network Code Execution

A critical vulnerability in Fortinet's FortiSIEM Windows Agent could permit attackers on the same local network to execute arbitrary code by spoofing the supervisor's hostname.

Fortinet has disclosed a critical vulnerability, identified as FG-IR-26-155, affecting its FortiSIEM Windows Agent. The flaw, categorized under Improper Restriction of Communication Channel to Intended Endpoints (CWE-923), poses a significant risk to organizations utilizing the affected product.

An attacker with local network access can exploit this vulnerability by spoofing the supervisor's hostname. This attack vector is specifically enabled when the 'Supers Override' feature is configured on the Windows agent. By manipulating the communication channel, an attacker can trick the agent into connecting to a malicious server, potentially leading to the execution of arbitrary code on the compromised system.

The vulnerability carries a CVSSv3 score of 6.9, indicating a high severity. This score reflects the potential for significant impact, including unauthorized code execution and system compromise, within a localized network environment. The exploitability relies on the attacker being present on the same network segment as the vulnerable FortiSIEM Windows Agent.

Fortinet's advisory details specific affected versions. FortiSIEM Windows Agent versions 7.4.0 through 7.4.1 are impacted by this vulnerability. Users of these versions are strongly advised to upgrade to version 7.4.2 or a later release to remediate the issue. Notably, other listed versions, including 7.5, 7.3, 7.2, 7.1, 5.0, 4.4, 4.3, and 4.2, are reported as not affected.

As a workaround, Fortinet suggests enabling the 'Verify Host TLS/SSL certificate' option during the FortiSIEM Windows agent installation. This measure can help mitigate the risk by ensuring that the agent only communicates with trusted and verified supervisor servers, thereby preventing spoofing attempts.

The vulnerability was responsibly disclosed by Nicola Scremin, who is acknowledged by Fortinet for their contribution to enhancing product security. This disclosure highlights the ongoing efforts within the cybersecurity community to identify and address potential threats before they can be widely exploited.

This incident underscores the importance of regularly updating security software and applying patches promptly, especially for products that manage critical network monitoring and security information. Organizations using FortiSIEM should prioritize the update to version 7.4.2 or newer to protect their environments from this specific threat and maintain the integrity of their security monitoring infrastructure.

Synthesized by Vypr AI