Skip to main content

Government officials will never ask you to transfer money or disclose bank log-in details over a phone call.

Call the 24/7 ScamShield Helpline at 1799 if you are unsure if something is a scam.

Cyber Security Agency of Singapore
Alerts

High Severity Vulnerabilities in Fortinet Products

16 February 2026

Fortinet has released software updates addressing multiple vulnerabilities in FortiSandbox and FortiOS. Users and administrators of affected products are advised to update to the latest versions immediately.

Background

Fortinet has released software updates addressing vulnerabilities in FortiSandbox (CVE-2025-52436) and FortiOS (CVE-2026-22153).

Impact

Successful exploitation of the vulnerabilities could lead to the following:

  • CVE-2025-52436: Successful exploitation of this cross-site scripting vulnerability could allow an unauthenticated attacker to execute arbitrary commands via crafted requests.

  • CVE-2026-22153: Successful exploitation of this authentication bypass vulnerability could allow an unauthenticated attacker to bypass LDAP authentication of Agentless VPN or FSSO policy, when the remote LDAP server is configured in a specific way. This could allow attackers to gain unauthorised access to network resources without valid credentials.

Affected products

The following product versions are affected by the vulnerabilities.

For CVE-2025-52436:

  • FortiSandbox 5.0.0 through 5.0.1

  • FortiSandbox 4.4.0 through 4.4.7

  • All versions of FortiSandbox 4.2 

  • All versions of FortiSandbox 4.0

For CVE-2026-22153:

  • FortiOS 7.6.0 through 7.6.4

Recommendation 

Users and administrators of affected products are advised to update to the latest versions immediately. For FortiSandbox 4.0 and 4.2, migrate to a fixed release.

References

https://fortiguard.fortinet.com/psirt/FG-IR-25-093

https://fortiguard.fortinet.com/psirt/FG-IR-25-1052

https://nvd.nist.gov/vuln/detail/CVE-2025-52436

https://nvd.nist.gov/vuln/detail/CVE-2026-22153

Back to top