CVE-2026-23573
FortiOS Analyse et atténuation des vulnérabilités

Aperçu

CVE-2026-23573 is a Cross-Site Scripting (XSS) vulnerability in Fortinet's SSL-VPN Agentless component affecting FortiOS, FortiProxy, and FortiPAM. It was disclosed on July 14, 2026, via Fortinet's PSIRT advisory (FG-IR-26-150). Affected versions include FortiOS 7.6.0–7.6.6, FortiOS 7.4 and 7.2 (all versions), FortiPAM 1.0–1.8.0, and FortiProxy 7.4.0–7.4.3 and 7.2.0–7.2.9. The vulnerability carries a CVSS v3.1 base score of 6.1 (Medium) and was reported to Fortinet by the UK's National Cyber Security Centre (NCSC) under responsible disclosure (FortiGuard Advisory).

Détails techniques

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation — Cross-site Scripting) and resides specifically in the Agentless SSL-VPN component of the affected Fortinet products. An authenticated remote attacker can send crafted HTTP requests that inject malicious scripts into web pages generated by the SSL-VPN interface, potentially leading to code or command execution in the context of a victim's browser session. Exploitation requires user interaction (e.g., a victim clicking a malicious link or visiting a crafted page), and the vulnerability only has impact when the Agentless SSL-VPN feature is enabled (FortiGuard Advisory).

Impact

Successful exploitation allows an authenticated attacker to execute arbitrary code or commands in the context of another user's browser session via reflected XSS, resulting in low confidentiality and integrity impacts with no direct availability impact. The scope is changed (S:C), meaning the attack can affect resources beyond the vulnerable component itself, such as session tokens or credentials of other authenticated users. If the Agentless SSL-VPN feature is not enabled, there is no impact (FortiGuard Advisory).

Étapes d’exploitation

  1. Identify target: Confirm the target Fortinet device (FortiOS, FortiProxy, or FortiPAM) is running a vulnerable version with the Agentless SSL-VPN feature enabled and accessible over the network.
  2. Authenticate: Obtain valid credentials for the target system, as exploitation requires an authenticated session.
  3. Craft malicious request: Construct an HTTP request containing a malicious XSS payload targeting the SSL-VPN web page generation component (e.g., injecting a <script> tag or event handler into a vulnerable input parameter processed by the Agentless SSL-VPN interface).
  4. Deliver payload: Trick a victim user (e.g., an administrator) into clicking a crafted link or visiting a page that triggers the reflected XSS payload in their browser session.
  5. Achieve objective: The injected script executes in the victim's browser context, potentially stealing session cookies, credentials, or performing actions on behalf of the victim user (FortiGuard Advisory).

Indicateurs de compromis

  • Network: Unusual HTTP requests to SSL-VPN endpoints containing encoded or obfuscated script tags (e.g., <script>, javascript:, onerror=, onload=) in query parameters or form fields; unexpected outbound connections from client browsers to unknown external hosts after interacting with the SSL-VPN portal.
  • Logs: Web server or FortiOS access logs showing requests to Agentless SSL-VPN URLs with anomalous parameter values containing HTML/JavaScript injection patterns; repeated requests from a single authenticated user with varying payloads.
  • File System: No specific file artifacts expected for reflected XSS; however, monitor for unexpected configuration changes or new administrative accounts created following a successful session hijack.
  • Process/Session: Unexpected administrative actions (configuration changes, new user creation) performed under legitimate user accounts that may indicate session hijacking following XSS exploitation (FortiGuard Advisory).

Atténuation et solutions de contournement

Fortinet has released patched versions: FortiOS 7.6.7 or above (for 7.6.x users), FortiPAM 1.8.1 or above (for 1.8.0 users), FortiProxy 7.4.4 or above (for 7.4.x users), and FortiProxy 7.2.10 or above (for 7.2.x users). Users on FortiOS 7.4 or 7.2 (all versions) and FortiPAM versions prior to 1.8 should migrate to a fixed release. As a workaround, disabling the Agentless SSL-VPN feature entirely eliminates the attack surface, as the vulnerability only affects this specific component. A virtual patch named FG-VD-60129.0day is also available in FMWP database update 26.021 for environments that cannot immediately upgrade (FortiGuard Advisory).

Réactions de la communauté

The vulnerability was reported to Fortinet by the UK's National Cyber Security Centre (NCSC) under responsible disclosure, indicating coordinated handling prior to public release. Security news outlets such as CyberSecurityNews covered the disclosure as part of a broader Fortinet patch release addressing seven vulnerabilities across FortiOS, FortiProxy, FortiPAM, and FortiSandbox (CyberSecurityNews). No significant independent researcher commentary or social media controversy has been observed at this time.

Ressources additionnelles


SourceCe rapport a été généré à l’aide de l’IA

Apparenté FortiOS Vulnérabilités:

Identifiant CVE

Sévérité

Score

Technologies

Nom du composant

Exploit CISA KEV

A corrigé

Date de publication

CVE-2026-59837MEDIUM6.6
  • FortiOS logoFortiOS
  • cpe:2.3:o:fortinet:fortios
NonOuiJul 14, 2026
CVE-2026-23573MEDIUM6.1
  • FortiOS logoFortiOS
  • cpe:2.3:a:fortinet:fortiproxy
NonOuiJul 14, 2026
CVE-2026-59839MEDIUM5.5
  • FortiOS logoFortiOS
  • cpe:2.3:a:fortinet:fortiproxy
NonOuiJul 14, 2026
CVE-2026-59840MEDIUM4.3
  • FortiOS logoFortiOS
  • cpe:2.3:a:fortinet:fortiproxy
NonOuiJul 14, 2026
CVE-2025-62826MEDIUM4.3
  • FortiOS logoFortiOS
  • cpe:2.3:a:fortinet:fortiproxy
NonOuiJul 14, 2026

Évaluation gratuite des vulnérabilités

Évaluez votre posture de sécurité dans le cloud

Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.

Demander une évaluation

Obtenez une démo personnalisée

Prêt(e) à voir Wiz en action ?

"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
David EstlickRSSI
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
Adam FletcherChef du service de sécurité
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."
Greg PoniatowskiResponsable de la gestion des menaces et des vulnérabilités