- 6/2026
- Critical
Fortinet has released security updates to fix several vulnerabilities across multiple Fortinet products.
The addressed vulnerabilities could allow the attacker to obtain sensitive information, gain elevated privileges, perform denial of service attacks, conduct SQL injection attacks, delete arbitrary files, and abuse internal services via serverside request forgery attacks, or execute arbitrary commands/code and gain access to the affected systems.
Sample of the addressed vulnerabilities:
1. FortiSIEM Unauthenticated Remote Command Injection (CVE-2025-64155):
- CVSS: 9.4
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Gain Access
2. FortiFone Unauthenticated Access to Local Configuration (CVE-2025-47855):
- CVSS: 9.3
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Obtain Information
Sample of the affected products:
- FortiSIEM.
- FortiFone.
- FortiSandbox.
- FortiOS.
- FortiSwitchManager.
- FortiClientEMS.
Vulnerabilities
- CVE-2025-64155
- CVE-2025-47855
- CVE-2025-67685
- CVE-2025-25249
- CVE-2025-59922
- CVE-2025-58693
- CVE-2022-23439
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.