Critical Remote Code Execution in Fortinet FortiWeb (CVE‑2026‑40688) – Out‑Of‑Bounds Write Vulnerability
What It Is – Fortinet FortiWeb’s cat_cgi_paths module contains an out‑of‑bounds write bug that allows an authenticated remote attacker to execute arbitrary code with root privileges.
Exploitability – The flaw requires valid credentials but can be triggered over the network (AV:N). A proof‑of‑concept has been published by the Zero Day Initiative; the vendor has released a patch. CVSS 8.8 (Critical).
Affected Products – FortiWeb Web Application Firewall (all supported versions prior to the April 2026 security update).
TPRM Impact – FortiWeb is widely deployed as a front‑line WAF for SaaS platforms, e‑commerce sites, and government portals. A compromised WAF can expose downstream applications, leak sensitive data, or be leveraged for broader supply‑chain attacks.
Recommended Actions –
- Verify that the FortiWeb instance is running a version at or above the April 2026 patch level (FG‑IR‑26‑127).
- If patching is not immediately possible, restrict administrative access to trusted IP ranges and enforce multi‑factor authentication.
- Conduct a rapid inventory of all third‑party services that rely on FortiWeb for traffic inspection; prioritize re‑assessment of any that handle regulated data.
- Monitor FortiWeb logs for anomalous cat_cgi_paths requests and enable FortiGuard IPS signatures for CVE‑2026‑40688.
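The monitoring and access-restriction actions above, as an added example (not Fortinet's code or output): a small triage script that scans access-log lines for cat_cgi_paths requests and flags those from outside the trusted admin ranges, with oversized request bodies, or that ended in a server error. The log line format, the `/cgi-bin/cat_cgi_paths` path, the `10.0.5.0/24` admin range and the 4096-byte threshold are all assumptions, and the log lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in an assumed format (not real FortiWeb log output):
# "<timestamp> <src_ip> <method> <path> <status> <request_bytes>"
SAMPLE_LOG = """\
2026-04-02T10:01:12Z 10.0.5.20 GET /api/v2/status 200 412
2026-04-02T10:01:15Z 10.0.5.20 POST /cgi-bin/cat_cgi_paths 200 380
2026-04-02T10:02:03Z 203.0.113.44 POST /cgi-bin/cat_cgi_paths 500 9120
2026-04-02T10:02:04Z 203.0.113.44 POST /cgi-bin/cat_cgi_paths 500 9204
2026-04-02T10:02:05Z 203.0.113.44 POST /cgi-bin/cat_cgi_paths 200 8891
2026-04-02T10:03:40Z 10.0.5.21 GET /cgi-bin/cat_cgi_paths 200 300
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")
ADMIN_NETS = [ipaddress.ip_network("10.0.5.0/24")]  # assumed trusted admin range
BODY_LIMIT = 4096  # assumed threshold; larger bodies to this module are unusual


def parse_line(line):
    """Parse one assumed-format log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, method, path, status, size = m.groups()
    return {"ts": ts, "src": src, "method": method, "path": path,
            "status": int(status), "req_bytes": int(size)}


def is_trusted(src):
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in ADMIN_NETS)


def find_suspicious(log_text, body_limit=BODY_LIMIT):
    """Return (src, ts, reasons) for cat_cgi_paths requests that come from an
    untrusted source, carry an oversized body, or ended in a 5xx (a crash in the
    handler is one visible symptom of a memory-safety bug)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or "cat_cgi_paths" not in rec["path"]:
            continue
        reasons = []
        if not is_trusted(rec["src"]):
            reasons.append("untrusted-source")
        if rec["req_bytes"] > body_limit:
            reasons.append("oversized")
        if rec["status"] >= 500:
            reasons.append("server-error")
        if reasons:
            hits.append((rec["src"], rec["ts"], reasons))
    return hits


def sources_by_hits(hits):
    """Count flagged requests per source IP to prioritise follow-up."""
    return Counter(src for src, _, _ in hits)
```

Tune the trusted ranges and threshold to the environment; a normal admin request to the module from an allowed range produces no hit.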