Multiple Command Injection Vulnerabilities in Fortinet Products

Multiple Command Injection Vulnerabilities in Fortinet Products

First seen 13 May 2026, 03:24 UTC fortiguard.fortinet.comwww.fortiguard.com 79% similarity 67.5

Article Content

Browse articles
ThreatCluster

Fortinet has disclosed two critical vulnerabilities affecting its FortiAP and FortiMail products. The first, an OS Command Injection vulnerability in FortiAP, allows authenticated attackers to execute unauthorized commands via crafted CLI requests. The second, an SQL Injection vulnerability in FortiMail, similarly permits execution of unauthorized commands through specially crafted HTTP or HTTPS requests. Both vulnerabilities are classified under CWE-78 and CWE-89 respectively. They potentially allow privileged attackers to compromise systems if exploited. The vulnerabilities were initially published on May 12, 2026, and are currently under investigation. Users are advised to monitor for updates and apply patches as they become available.

Key Points: • Fortinet disclosed OS Command Injection and SQL Injection vulnerabilities on May 12, 2026. • Authenticated attackers can exploit these vulnerabilities to execute unauthorized commands. • Affected products include FortiAP and FortiMail, with potential for significant system compromise.

ThreatCluster AI

Timeline

2026-05-12
Initial publication of vulnerabilities
Fortinet published advisories for OS Command Injection in FortiAP and SQL Injection in FortiMail, detailing the risks and methods of exploitation.
FortiGuard
2026-05-12
OS Command Injection vulnerability disclosed
An OS Command Injection vulnerability in FortiAP and FortiAP-W2 CLI was reported, allowing execution of unauthorized commands.
FortiGuard
2026-05-12
SQL Injection vulnerability disclosed
An SQL Injection vulnerability in FortiMail was reported, enabling attackers to execute unauthorized commands via crafted requests.
FortiGuard

Community

Browse all →