FortiOS & FortiSwitchManager RCE Vulnerability Explained

Fortinet recently disclosed a critical heap-based buffer overflow vulnerability (CWE-122) affecting the cw_acd daemon in FortiOS and FortiSwitchManager.

This flaw enables a remote, unauthenticated attacker to execute arbitrary code or commands by sending specially crafted requests over the network.

Organizations relying on Fortinet’s firewalls, secure access service edge (SASE) solutions, and switch management tools face high risk, especially in environments with exposed fabric interfaces.

Discovered internally by Fortinet Product Security Team member Gwendal Guégniaud, the vulnerability was published on January 13, 2026. While no CVE identifier has been assigned yet, Fortinet urges immediate patching due to the risk of full-system compromise without authentication.

Affected Versions and Remediation

Multiple FortiOS branches, FortiSASE releases, and FortiSwitchManager versions are impacted. Administrators should verify their deployments and follow the recommended upgrade paths using Fortinet’s upgrade tool.

Workarounds

In the absence of patches, Fortinet recommends two mitigations. First, disable “fabric” access on interfaces:

textconfig system interface
edit "port1"
set allowaccess ssh https  # Remove 'fabric'
next
end

Second, block CAPWAP-CONTROL traffic (UDP ports 5246-5249) via local-in policies, allowing only trusted sources. Define custom services, address groups, and policies to permit from approved IPs while denying others.

Fortinet advises prioritizing upgrades, monitoring logs for anomalous cw_acd activity, and segmenting management interfaces. This vulnerability underscores the ongoing need for vigilant patch management in enterprise networks.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.