PatchDay Alert
Analysis · 2 min read · 480 words · By operations-desk

Fortinet's other products take their turn: FortiWeb, FortiManager, FortiClient EMS

Beyond the long-running FortiOS auth-bypass cycle, 2025 and 2026 brought a wave of exploited bugs in FortiWeb, FortiManager, and FortiClient EMS: SQL injection, path traversal, auth bypass, and a format-string RCE. Same vendor, same perimeter-and-management target profile.

Fortinet’s FortiOS SSL-VPN has its own long-running auth-bypass cycle, but in 2025 and 2026 the rest of the Fortinet lineup took its turn in the catalog: FortiWeb, FortiManager, and FortiClient EMS, with SQL injection, path traversal, authentication bypass, and a format-string RCE among them. Same vendor, same profile: internet-facing perimeter and management products that attackers hit fast.

FortiWeb

FortiWeb, Fortinet’s web application firewall, accumulated several exploited bugs: CVE-2025-25257 (a SQL injection enabling code execution), CVE-2025-64446 (a path traversal abused to create administrative accounts and take over the device), and CVE-2025-58034 (an OS command injection). A WAF is supposed to protect web apps; bugs that let attackers take over the WAF itself invert that, and these saw active exploitation.

FortiManager and multi-product

CVE-2025-32756 is a format-string remote code execution affecting multiple Fortinet products (FortiManager among them), the kind of bug that gives code execution on the appliance that centrally manages your Fortinet fleet, a high-leverage target. CVE-2025-59718 and CVE-2026-24858 likewise span multiple products. FortiManager controls policy across many firewalls, so RCE there is a path to the whole managed estate, the same management-plane concern as Cisco’s controllers.

FortiClient EMS

CVE-2026-21643 and CVE-2026-35616 are recent flaws in FortiClient EMS, the Enterprise Management Server for FortiClient endpoints, the same product as the SQL-injection-to-SYSTEM CVE-2023-48788. EMS manages security agents across the fleet, so it’s another privileged management server worth defending as tier-zero.

What to do

  • Patch all Fortinet products, not just FortiOS. FortiWeb, FortiManager, FortiClient EMS, and the rest need the same emergency-patch discipline as the firewalls. Track Fortinet PSIRT advisories across the whole product set.
  • Get management and admin interfaces off the internet. FortiWeb’s management, FortiManager, and FortiClient EMS should sit on a management network, not face the world.
  • Treat the management products (FortiManager, FortiClient EMS) as tier-zero. RCE on the box that manages your firewalls or endpoint agents is a path to the whole fleet.
  • After auth-bypass/path-traversal bugs, audit for attacker persistence. CVE-2025-64446 was used to create admin accounts; as with the FortiOS 40684 lesson, patch and then hunt for rogue accounts and config changes the patch doesn’t remove.
  • Assume compromise on exposed, unpatched instances and rotate credentials the devices held.
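The rogue-account hunt from the list above, as an added example that is not part of the original post: it parses a Fortinet-style "config system admin" block, diffs it against a known-good baseline, and flags accounts an attacker may have added or altered. The export and baseline are constructed samples that mimic the CLI block syntax; they are not output from any real appliance, and the setting names (accprofile, trusthost1) are assumptions.

```python
# Added example (not from the original post). SAMPLE_EXPORT is a
# constructed config block resembling Fortinet CLI syntax; the setting
# names and BASELINE are assumptions, not values from a real device.
import re

SAMPLE_EXPORT = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 10.0.0.0 255.255.255.0
    next
    edit "sslvpn_admin"
        set accprofile "super_admin"
        set trusthost1 0.0.0.0 0.0.0.0
    next
end
"""

# Known-good admins and their expected profiles (constructed baseline).
BASELINE = {"admin": "super_admin", "noc-ro": "read_only"}

def parse_admins(text):
    """Return {name: {setting: value}} for each 'edit' entry in the block."""
    admins, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r'edit "([^"]+)"', line):
            current, admins[m.group(1)] = m.group(1), {}
        elif current and (m := re.match(r"set (\S+) (.+)", line)):
            admins[current][m.group(1)] = m.group(2).strip('"')
        elif line in ("next", "end"):
            current = None
    return admins

def find_suspicious(admins, baseline):
    """Flag unknown accounts, privilege changes, and unrestricted super_admins."""
    findings = []
    for name, settings in admins.items():
        profile = settings.get("accprofile", "")
        if name not in baseline:
            findings.append((name, "not in baseline"))
        elif profile != baseline[name]:
            findings.append((name, f"profile changed to {profile}"))
        hosts = [v for k, v in settings.items() if k.startswith("trusthost")]
        # No trusthost, or a 0.0.0.0 mask, means the admin can log in from anywhere.
        if profile == "super_admin" and (not hosts or any(h.startswith("0.0.0.0") for h in hosts)):
            findings.append((name, "super_admin without trusthost restriction"))
    findings += [(n, "baseline account missing") for n in baseline if n not in admins]
    return findings
```

Run it against a fresh export after patching; anything it flags is a candidate for the post-patch cleanup the list above calls for.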

The reframe is to widen your Fortinet patching beyond the headline FortiOS bugs to the whole product line, because the WAF, the central manager, and the endpoint-management server are all internet-adjacent, privileged, and actively targeted. Patch them all on the vendor’s clock, keep their management planes off the open network, and audit for the persistence these auth-bypass and path-traversal bugs enable. We track the Fortinet entries across products, because the attackers don’t limit themselves to FortiOS.
