// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE INT-15DTG 0600Z
Endpoint Security Vendor

Fortinet

15 PUBLIC SECURITY EVENTS ON FILE · 2023-12-26 — 2026-05-30

Publicly-known security events concerning Fortinet — CVEs, advisories, and incidents drawn from open-source reporting. Every item links to its original source.

Category

What Fortinet sells

EDR is agent-based endpoint tooling that monitors process/file/network activity, detects malicious behavior, and enables response. It is detection-led by design: it observes and acts after code executes. Its efficacy depends on recognizing a threat, so novel/zero-day techniques are a window of exposure until detected.

SOURCE · ColdRecon Reference

Fortinet competes in the endpoint-security category. ColdRecon publishes only the factual public record below — no competitive analysis or positioning.

The Public Record

Recent security events

On file: 6 incidents · 6 vuln disclosures · 2 research pocs · 1 vendor announcement.

2026-05-30
incident
Threat Actor Claims Fortinet Data Breach on Dark WebFortinet Alleged Data Breach
A threat actor on the dark web has claimed a data breach involving Fortinet, a major cybersecurity vendor. No technical details, proof, or official confirmation have been provided. The claim is being treated as an allegation pending verification.
2026-05-28
incident
FortiClient EMS CVE-2026-35616 Exploited to Deploy EKZ InfostealerCVE-2026-35616
A critical remote code execution vulnerability (CVE-2026-35616) in FortiClient Endpoint Management Server (EMS) is being actively exploited in the wild. Attackers are leveraging the flaw to deploy the EKZ Infostealer malware via FortiClient's own VPN scripting workflows, targeting managed endpoints. The vulnerability allows unauthenticated remote code execution, and patches have been available since April.
2026-05-18
incident
Fortinet Confirms Limited Customer Data Exposure via Third-Party Cloud File StorageFortinet Customer Data Breach via Third-Party Cloud Storage
Fortinet confirmed unauthorized access to customer data stored in a third-party cloud-based file sharing environment. The breach did not involve encryption, ransomware, or compromise of Fortinet's corporate network, products, or source code. Exposed customer information could be used for phishing, social engineering, or impersonation attacks against affected enterprises.
2026-04-14
vuln disclosure
CVE-2026-21742: Fortinet FortiSOAR Cleartext Password DisclosureCVE-2026-21742
CVE-2026-21742 is an information disclosure vulnerability in Fortinet FortiSOAR that exposes cleartext passwords in API responses for Secure Message Exchange and Radius queries. An authenticated attacker with low privileges can view these credentials, potentially leading to credential theft and unauthorized access to integrated systems. The flaw affects multiple versions of FortiSOAR PaaS and on-premise deployments.
2026-02-04
incident
Interlock Ransomware Uses Hotta Killer Tool with CVE-2025-61155 to Disable EDR/AVCVE-2025-61155
The Interlock ransomware group deployed a custom evasion tool called Hotta Killer that exploits a zero-day vulnerability (CVE-2025-61155) in a gaming anti-cheat driver to terminate endpoint security processes. The tool uses a BYOVD technique to gain kernel-level access and disable EDR and AV before encrypting systems. This incident highlights a novel attack chain combining social engineering, lateral movement, and defense evasion targeting education sector organizations.
2025-11-14
vuln disclosure
Fortinet Discloses Actively Exploited Zero-Day in FortiWeb WAFCVE-2025-64446
Fortinet confirmed a critical path confusion vulnerability (CVE-2025-64446) in FortiWeb's GUI component was silently patched after being exploited in the wild. Unauthenticated attackers can execute administrative commands via crafted HTTP/HTTPS requests, creating new admin accounts on exposed devices. The flaw affects multiple FortiWeb versions and has been added to CISA's Known Exploited Vulnerabilities catalog.
2025-05-14
vuln disclosure
Fortinet and Ivanti Disclose Zero-Day Vulnerabilities Exploited in the WildCVE-2025-32756
Fortinet disclosed CVE-2025-32756, a critical stack-based overflow in multiple products allowing unauthenticated RCE, exploited in the wild on FortiVoice. Ivanti disclosed CVE-2025-4427 and CVE-2025-4428 in Endpoint Manager, which when chained enable unauthenticated RCE, with limited exploitation observed.
2025-02-07
research poc
Dark Web Actor Claims to Sell EDR Evasion ToolUnnamed EDR Evasion Tool
A threat actor on the dark web claims to sell a tool that bypasses EDR solutions using advanced cryptographic techniques. The tool reportedly targets CrowdStrike, Sophos, SentinelOne, and FortiClient. This highlights the growing black market for EDR evasion tools.
2025-01-02
incident
Fortinet Suffers Third-Party Cloud Storage Breach Exposing Customer FilesFortinet Cloud Breach September 2024
In September 2024, attackers gained unauthorized access to a third-party cloud file storage system used by Fortinet, compromising a limited number of customer files. The incident adds to a series of breaches at Fortinet, including a 2023 VPN credential leak and a 2024 FortiGate firewall exploitation, raising concerns about its security posture and reliance on external cloud providers.
2024-10-24
vuln disclosure
FortiManager Zero-Day Exploitation (CVE-2024-47575) Allows Unauthorized Code ExecutionCVE-2024-47575
Mandiant and Fortinet investigated mass exploitation of FortiManager appliances via CVE-2024-47575, a zero-day vulnerability allowing an unauthorized FortiManager device to execute arbitrary code on vulnerable FortiManager appliances. The threat actor UNC5820 exploited this flaw as early as June 2024 to stage and exfiltrate configuration data of managed FortiGate devices, including hashed passwords. No lateral movement or further compromise was observed at the time of analysis.
2024-09-12
incident
Fortinet Confirms Data Breach Affecting Customer InformationFortinet Azure SharePoint Data Breach 2025
Fortinet disclosed a data breach where an attacker accessed a limited number of files on a third-party cloud-based shared file drive, impacting less than 0.3% of customers. The hacker, 'Fortibitch', leaked 440 GB of data after a ransom demand was refused. Fortinet states operations, products, and services were unaffected, and no malicious customer activity has been observed.
2024-06-12
vendor announcement
Fortinet Patches Multiple Vulnerabilities Including Code Execution in FortiOSCVE-2024-23110
Fortinet released patches for multiple vulnerabilities in FortiOS and other products, including a high-severity stack-based buffer overflow (CVE-2024-23110) that could allow authenticated attackers to execute unauthorized code via crafted CLI arguments. Additional medium-severity flaws could lead to remote code execution, JavaScript injection, or backup decryption. No active exploitation was reported, but Fortinet products have been targeted in the past.
2024-03-22
vuln disclosure
FortiClientEMS SQL Injection in DAS Component Allows Remote Code ExecutionCVE-2023-48788
Fortinet disclosed CVE-2023-48788, a critical SQL injection vulnerability in the FortiClient Enterprise Management Server (EMS) DAS component. The flaw allows unauthenticated remote attackers to execute arbitrary code via crafted requests. Active exploitation has been observed in the wild, with attackers using xp_cmdshell to run commands and download malware.
2024-02-05
vuln disclosure
Fortinet FortiSIEM OS Command Injection Vulnerability (CVE-2024-23108)CVE-2024-23108
A critical OS command injection vulnerability (CVE-2024-23108) in Fortinet FortiSIEM allows unauthenticated remote attackers to execute arbitrary commands via crafted API requests. Public proof-of-concept exploits are available, and the vulnerability has a CVSS score of 10.0. Fortinet has released patches in versions 6.4.3, 6.5.2, 6.6.4, 6.7.6, and 7.0.1 or later.
Every event on this page is a record in ColdRecon's canonical set, drawn from public reporting and linked to its source above. ColdRecon monitors open-source signal only; it publishes no non-public or customer information.

Fortinet ships. Your prospect reads the headline. Do you?

ColdRecon turns this signal into one short daily brief, written from the seller's seat — what changed, why it matters to your deals, how to position. Request clearance and the first lands tomorrow at 0600.

Request Clearance →