Fortinet Fortiswitchmanager

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in Fortinet Fortiswitchmanager.

By the Year

In 2026 there have been 1 vulnerability in Fortinet Fortiswitchmanager with an average score of 7.4 out of ten. Last year, in 2025 Fortiswitchmanager had 8 security vulnerabilities published. Right now, Fortiswitchmanager is on track to have less security vulnerabilities in 2026 than it did last year. However, the average CVE base score of the vulnerabilities in 2026 is greater by 0.43.

Year	Vulnerabilities	Average Score
2026	1	7.40
2025	8	6.97
2024	5	8.62
2023	3	5.03
2022	1	9.80

It may take a day or so for new Fortiswitchmanager vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Fortinet Fortiswitchmanager Security Vulnerabilities

FortiOS/FortiSwitchManager 6.4.0-7.6.3 Heap Overflow Exec via Packets
CVE-2025-25249 7.4 - High - January 13, 2026

A heap-based buffer overflow vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2.0 through 7.2.11, FortiOS 7.0.0 through 7.0.17, FortiOS 6.4 all versions, FortiSwitchManager 7.2.0 through 7.2.6, FortiSwitchManager 7.0.0 through 7.0.5 allows attacker to execute unauthorized code or commands via specially crafted packets

Heap-based Buffer Overflow

Fortinet FortiOS 7.0-7.6 SAML Auth Bypass via Signature Verify Flaw
CVE-2025-59718 9.1 - Critical - December 09, 2025

A improper verification of cryptographic signature vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2.0 through 7.2.11, FortiOS 7.0.0 through 7.0.17, FortiProxy 7.6.0 through 7.6.3, FortiProxy 7.4.0 through 7.4.10, FortiProxy 7.2.0 through 7.2.14, FortiProxy 7.0.0 through 7.0.21, FortiSwitchManager 7.2.0 through 7.2.6, FortiSwitchManager 7.0.0 through 7.0.5 allows an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML response message.

Improper Verification of Cryptographic Signature

FortiOS 7.4.0-7.4.3 SSL request reset (CWE-703)
CVE-2024-26008 5 - Medium - October 14, 2025

An improper check or handling of exceptional conditions vulnerability [CWE-703] in FortiOS version 7.4.0 through 7.4.3 and before 7.2.7, FortiProxy version 7.4.0 through 7.4.3 and before 7.2.9, FortiPAM before 1.2.0 and FortiSwitchManager version 7.2.0 through 7.2.3 and version 7.0.0 through 7.0.3 fgfm daemon may allow an unauthenticated attacker to repeatedly reset the fgfm connection via crafted SSL encrypted TCP requests.

Improper Check for Unusual or Exceptional Conditions

Fortinet FortiSRA/OS/etc Heap BF < 7.6.2 / 1.5.0 Priv Esc via HTTP
CVE-2025-22258 5.7 - Medium - October 14, 2025

A heap-based buffer overflow in Fortinet FortiSRA 1.5.0, 1.4.0 through 1.4.2, FortiPAM 1.5.0, 1.4.0 through 1.4.2, 1.3.0 through 1.3.1, 1.2.0, 1.1.0 through 1.1.2, 1.0.0 through 1.0.3, FortiProxy 7.6.0 through 7.6.1, 7.4.0 through 7.4.7, FortiOS 7.6.0 through 7.6.2, 7.4.0 through 7.4.6, 7.2.0 through 7.2.10, 7.0.2 through 7.0.16, FortiSwitchManager 7.2.1 through 7.2.5 allows attackers to escalate their privilege via specially crafted http requests.

Heap-based Buffer Overflow

Weak auth in FortiPAM 1.01.5.0/ FortiSwitchManager 7.2.07.2.4 allows unauthorized code exec via craf
CVE-2025-49201 7.4 - High - October 14, 2025

A weak authentication vulnerability in Fortinet FortiPAM 1.5.0, FortiPAM 1.4.0 through 1.4.2, FortiPAM 1.3 all versions, FortiPAM 1.2 all versions, FortiPAM 1.1 all versions, FortiPAM 1.0 all versions, FortiSwitchManager 7.2.0 through 7.2.4 allows attacker to execute unauthorized code or commands via specially crafted http requests

1390

Auth Bypass via FGFM Path in FortiOS 6.4 and FortiProxy 7.4/7.2 (CVE-2024-26009)
CVE-2024-26009 8.1 - High - August 12, 2025

An authentication bypass using an alternate path or channel [CWE-288] vulnerability in Fortinet FortiOS version 6.4.0 through 6.4.15 and before 6.2.16, FortiProxy version 7.4.0 through 7.4.2, 7.2.0 through 7.2.8 and before 7.0.15 & FortiPAM before version 1.2.0 allows an unauthenticated attacker to seize control of a managed device via crafted FGFM requests, if the device is managed by a FortiManager, and if the attacker knows that FortiManager's serial number.

Authentication Bypass Using an Alternate Path or Channel

Fortinet FortiProxy/FortiSwitchManager/FortiOS 7.x Auth Bypass: Admin Priv Access
CVE-2025-22252 7.2 - High - May 28, 2025

A missing authentication for critical function in Fortinet FortiProxy versions 7.6.0 through 7.6.1, FortiSwitchManager version 7.2.5, and FortiOS versions 7.4.4 through 7.4.6 and version 7.6.0 may allow an attacker with knowledge of an existing admin account to access the device as a valid admin via an authentication bypass.

Missing Authentication for Critical Function

FortiOS/FortiProxy 7.x Admin Interface Buffer Underwrite (CVE-2023-25610)
CVE-2023-25610 - March 24, 2025

A buffer underwrite ('buffer underflow') vulnerability in the administrative interface of Fortinet FortiOS version 7.2.0 through 7.2.3, version 7.0.0 through 7.0.6, version 6.4.0 through 6.4.11 and version 6.2.12 and below, FortiProxy version 7.2.0 through 7.2.2, version 7.0.0 through 7.0.8, version 2.0.12 and below and FortiOS-6K7K version 7.0.5, version 6.4.0 through 6.4.10 and version 6.2.0 through 6.2.10 and below allows a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.

buffer underrun

Fortinet Forti* formatstring flaw (7.4.07.4.1/7.2.6) allows RCE
CVE-2023-40721 6.3 - Medium - February 11, 2025

A use of externally-controlled format string vulnerability [CWE-134] vulnerability in Fortinet allows a privileged attacker to execute arbitrary code or commands via specially crafted requests.

Use of Externally-Controlled Format String

Fortinet FortiManager/FortiPAM/FortiProxy/FortiSwitchManager/FortiPortal/FortiOS: Missing Authentica
CVE-2024-26011 9.8 - Critical - November 12, 2024

A missing authentication for critical function in Fortinet FortiManager version 7.4.0 through 7.4.2, 7.2.0 through 7.2.4, 7.0.0 through 7.0.11, 6.4.0 through 6.4.14, FortiPAM version 1.2.0, 1.1.0 through 1.1.2, 1.0.0 through 1.0.3, FortiProxy version 7.4.0 through 7.4.2, 7.2.0 through 7.2.9, 7.0.0 through 7.0.17, 2.0.0 through 2.0.14, 1.2.0 through 1.2.13, 1.1.0 through 1.1.6, 1.0.0 through 1.0.7, FortiSwitchManager version 7.2.0 through 7.2.3, 7.0.0 through 7.0.3, FortiPortal version 6.0.0 through 6.0.14, FortiOS version 7.4.0 through 7.4.3, 7.2.0 through 7.2.7, 7.0.0 through 7.0.14, 6.4.0 through 6.4.15, 6.2.0 through 6.2.16, 6.0.0 through 6.0.18 allows attacker to execute unauthorized code or commands via specially crafted packets.

Missing Authentication for Critical Function

Insufficient Session Expiration in FortiOS 7.2.5 GUI
CVE-2022-45862 8.8 - High - August 13, 2024

An insufficient session expiration vulnerability [CWE-613] vulnerability in FortiOS 7.2.5 and below, 7.0 all versions, 6.4 all versions; FortiProxy 7.2 all versions, 7.0 all versions; FortiPAM 1.3 all versions, 1.2 all versions, 1.1 all versions, 1.0 all versions; FortiSwitchManager 7.2.1 and below, 7.0 all versions GUI may allow attackers to re-use websessions after GUI logout, should they manage to acquire the required credentials.

Insufficient Session Expiration

Fortinet FortiPAM 1.01.2 Stack-Based Buffer Overflow (CVE-2024-26010)
CVE-2024-26010 7.5 - High - June 11, 2024

A stack-based buffer overflow in Fortinet FortiPAM version 1.2.0, 1.1.0 through 1.1.2, 1.0.0 through 1.0.3, FortiWeb, FortiAuthenticator, FortiSwitchManager version 7.2.0 through 7.2.3, 7.0.1 through 7.0.3, FortiOS version 7.4.0 through 7.4.3, 7.2.0 through 7.2.7, 7.0.0 through 7.0.14, 6.4.0 through 6.4.15, 6.2.0 through 6.2.16, 6.0.0 through 6.0.18, FortiProxy version 7.4.0 through 7.4.2, 7.2.0 through 7.2.9, 7.0.0 through 7.0.15, 2.0.0 through 2.0.13, 1.2.0 through 1.2.13, 1.1.0 through 1.1.6, 1.0.0 through 1.0.7 allows attacker to execute unauthorized code or commands via specially crafted packets.

Memory Corruption

Fortinet FortiProxy Format String CVE-2023-45583 (v7.2.0-7.2.5, v7.0.0-7.0.11)
CVE-2023-45583 7.2 - High - May 14, 2024

A use of externally-controlled format string in Fortinet FortiProxy versions 7.2.0 through 7.2.5, 7.0.0 through 7.0.11, 2.0.0 through 2.0.13, 1.2.0 through 1.2.13, 1.1.0 through 1.1.6 FortiPAM versions 1.1.0, 1.0.0 through 1.0.3 FortiOS versions 7.4.0, 7.2.0 through 7.2.5, 7.0.0 through 7.0.13, 6.4.0 through 6.4.14, 6.2.0 through 6.2.15 FortiSwitchManager versions 7.2.0 through 7.2.2, 7.0.0 through 7.0.2 allows attacker to execute unauthorized code or commands via specially crafted cli commands and http requests.

Use of Externally-Controlled Format String

FmtStr RCE in Fortinet FortiOS 7.0-7.4 Arbitrary Code Exec
CVE-2024-23113 9.8 - Critical - February 15, 2024

A use of externally-controlled format string in Fortinet FortiOS versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through 7.0.13, FortiProxy versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.8, 7.0.0 through 7.0.14, FortiPAM versions 1.2.0, 1.1.0 through 1.1.2, 1.0.0 through 1.0.3, FortiSwitchManager versions 7.2.0 through 7.2.3, 7.0.0 through 7.0.3 allows attacker to execute unauthorized code or commands via specially crafted packets.

Use of Externally-Controlled Format String

FortiSwitchManager 7.07.2.2 Improper A/C: RO API Modifies
CVE-2023-36635 4.3 - Medium - September 07, 2023

An improper access control in Fortinet FortiSwitchManager version 7.2.0 through 7.2.2 7.0.0 through 7.0.1 may allow a remote authenticated read-only user to modify the interface settings via the API.

FortiOS 7.2.0-7.2.3/7.0.0-7.0.9/<6.4.12: Path Traversal Allowing Dir Delete
CVE-2022-42474 2.7 - Low - June 13, 2023

A relative path traversal vulnerability [CWE-23] in Fortinet FortiOS version 7.2.0 through 7.2.3, version 7.0.0 through 7.0.9 and before 6.4.12, FortiProxy version 7.2.0 through 7.2.1 and 7.0.0 through 7.0.7, FortiSwitchManager version 7.2.0 through 7.2.1 and before 7.0.1 allows an privileged attacker to delete arbitrary directories from the filesystem through crafted HTTP requests.

Directory traversal

Fortinet FortiOS/Proxy/SwitchManager: Relative Path Traversal CVE-2022-41335
CVE-2022-41335 8.1 - High - February 16, 2023

A relative path traversal vulnerability [CWE-23] in Fortinet FortiOS version 7.2.0 through 7.2.2, 7.0.0 through 7.0.8 and before 6.4.10, FortiProxy version 7.2.0 through 7.2.1, 7.0.0 through 7.0.7 and before 2.0.10, FortiSwitchManager 7.2.0 and before 7.0.0 allows an authenticated attacker to read and write files on the underlying Linux system via crafted HTTP requests.

Directory traversal

Fortinet FortiOS/Proxy/SwitchMgr Auth Bypass v7.0.0-7.2.1 via alt path
CVE-2022-40684 9.8 - Critical - October 18, 2022

An authentication bypass using an alternate path or channel [CWE-288] in Fortinet FortiOS version 7.2.0 through 7.2.1 and 7.0.0 through 7.0.6, FortiProxy version 7.2.0 and version 7.0.0 through 7.0.6 and FortiSwitchManager version 7.2.0 and 7.0.0 allows an unauthenticated atttacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.

authentification

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for Fortinet Fortiswitchmanager or by Fortinet? Click the Watch button to subscribe.

Fortinet
Vendor

Fortinet Fortiswitchmanager
Product

Fortinet Fortiswitchmanager

Don't miss out!

By the Year

Recent Fortinet Fortiswitchmanager Security Vulnerabilities

FortiOS/FortiSwitchManager 6.4.0-7.6.3 Heap Overflow Exec via Packets CVE-2025-25249 7.4 - High - January 13, 2026

Fortinet FortiOS 7.0-7.6 SAML Auth Bypass via Signature Verify Flaw CVE-2025-59718 9.1 - Critical - December 09, 2025

FortiOS 7.4.0-7.4.3 SSL request reset (CWE-703) CVE-2024-26008 5 - Medium - October 14, 2025

Fortinet FortiSRA/OS/etc Heap BF < 7.6.2 / 1.5.0 Priv Esc via HTTP CVE-2025-22258 5.7 - Medium - October 14, 2025

Weak auth in FortiPAM 1.01.5.0/ FortiSwitchManager 7.2.07.2.4 allows unauthorized code exec via craf CVE-2025-49201 7.4 - High - October 14, 2025

Auth Bypass via FGFM Path in FortiOS 6.4 and FortiProxy 7.4/7.2 (CVE-2024-26009) CVE-2024-26009 8.1 - High - August 12, 2025

Fortinet FortiProxy/FortiSwitchManager/FortiOS 7.x Auth Bypass: Admin Priv Access CVE-2025-22252 7.2 - High - May 28, 2025

FortiOS/FortiProxy 7.x Admin Interface Buffer Underwrite (CVE-2023-25610) CVE-2023-25610 - March 24, 2025

Fortinet Forti* formatstring flaw (7.4.07.4.1/7.2.6) allows RCE CVE-2023-40721 6.3 - Medium - February 11, 2025

Fortinet FortiManager/FortiPAM/FortiProxy/FortiSwitchManager/FortiPortal/FortiOS: Missing Authentica CVE-2024-26011 9.8 - Critical - November 12, 2024

Insufficient Session Expiration in FortiOS 7.2.5 GUI CVE-2022-45862 8.8 - High - August 13, 2024

Fortinet FortiPAM 1.01.2 Stack-Based Buffer Overflow (CVE-2024-26010) CVE-2024-26010 7.5 - High - June 11, 2024

Fortinet FortiProxy Format String CVE-2023-45583 (v7.2.0-7.2.5, v7.0.0-7.0.11) CVE-2023-45583 7.2 - High - May 14, 2024

FmtStr RCE in Fortinet FortiOS 7.0-7.4 Arbitrary Code Exec CVE-2024-23113 9.8 - Critical - February 15, 2024

FortiSwitchManager 7.07.2.2 Improper A/C: RO API Modifies CVE-2023-36635 4.3 - Medium - September 07, 2023

FortiOS 7.2.0-7.2.3/7.0.0-7.0.9/<6.4.12: Path Traversal Allowing Dir Delete CVE-2022-42474 2.7 - Low - June 13, 2023

Fortinet FortiOS/Proxy/SwitchManager: Relative Path Traversal CVE-2022-41335 CVE-2022-41335 8.1 - High - February 16, 2023

Fortinet FortiOS/Proxy/SwitchMgr Auth Bypass v7.0.0-7.2.1 via alt path CVE-2022-40684 9.8 - Critical - October 18, 2022

Stay on top of Security Vulnerabilities

Fortinet Vendor

Fortinet FortiswitchmanagerProduct

FortiOS/FortiSwitchManager 6.4.0-7.6.3 Heap Overflow Exec via Packets
CVE-2025-25249 7.4 - High - January 13, 2026

Fortinet FortiOS 7.0-7.6 SAML Auth Bypass via Signature Verify Flaw
CVE-2025-59718 9.1 - Critical - December 09, 2025

FortiOS 7.4.0-7.4.3 SSL request reset (CWE-703)
CVE-2024-26008 5 - Medium - October 14, 2025

Fortinet FortiSRA/OS/etc Heap BF < 7.6.2 / 1.5.0 Priv Esc via HTTP
CVE-2025-22258 5.7 - Medium - October 14, 2025

Weak auth in FortiPAM 1.01.5.0/ FortiSwitchManager 7.2.07.2.4 allows unauthorized code exec via craf
CVE-2025-49201 7.4 - High - October 14, 2025

Auth Bypass via FGFM Path in FortiOS 6.4 and FortiProxy 7.4/7.2 (CVE-2024-26009)
CVE-2024-26009 8.1 - High - August 12, 2025

Fortinet FortiProxy/FortiSwitchManager/FortiOS 7.x Auth Bypass: Admin Priv Access
CVE-2025-22252 7.2 - High - May 28, 2025

FortiOS/FortiProxy 7.x Admin Interface Buffer Underwrite (CVE-2023-25610)
CVE-2023-25610 - March 24, 2025

Fortinet Forti* formatstring flaw (7.4.07.4.1/7.2.6) allows RCE
CVE-2023-40721 6.3 - Medium - February 11, 2025

Fortinet FortiManager/FortiPAM/FortiProxy/FortiSwitchManager/FortiPortal/FortiOS: Missing Authentica
CVE-2024-26011 9.8 - Critical - November 12, 2024

Insufficient Session Expiration in FortiOS 7.2.5 GUI
CVE-2022-45862 8.8 - High - August 13, 2024

Fortinet FortiPAM 1.01.2 Stack-Based Buffer Overflow (CVE-2024-26010)
CVE-2024-26010 7.5 - High - June 11, 2024

Fortinet FortiProxy Format String CVE-2023-45583 (v7.2.0-7.2.5, v7.0.0-7.0.11)
CVE-2023-45583 7.2 - High - May 14, 2024

FmtStr RCE in Fortinet FortiOS 7.0-7.4 Arbitrary Code Exec
CVE-2024-23113 9.8 - Critical - February 15, 2024

FortiSwitchManager 7.07.2.2 Improper A/C: RO API Modifies
CVE-2023-36635 4.3 - Medium - September 07, 2023

FortiOS 7.2.0-7.2.3/7.0.0-7.0.9/<6.4.12: Path Traversal Allowing Dir Delete
CVE-2022-42474 2.7 - Low - June 13, 2023

Fortinet FortiOS/Proxy/SwitchManager: Relative Path Traversal CVE-2022-41335
CVE-2022-41335 8.1 - High - February 16, 2023

Fortinet FortiOS/Proxy/SwitchMgr Auth Bypass v7.0.0-7.2.1 via alt path
CVE-2022-40684 9.8 - Critical - October 18, 2022

Fortinet
Vendor

Fortinet Fortiswitchmanager
Product