Privilege escalation using undocumented CLI command

Monitor | CVSS 6.4 | FG-IR-26-081 | Mar 10, 2026
Fortinet
IT in OT - Fortinet products are commonly deployed at IT/OT network boundaries
Attack path
Attack Vector: Local
Auth Required: High
Complexity: Low
User Interaction: None needed
Summary

A privilege escalation vulnerability exists in FortiAnalyzer and FortiManager that allows users with high-level administrative CLI access to execute an undocumented command that bypasses privilege restrictions, resulting in escalation to root-level access. The vulnerability affects versions 6.4 through 7.6.3 across both on-premises and Cloud deployments. Fortinet has released patched versions for the 7.x product line and recommends migration for end-of-life 6.4 installations.

What this means
What could happen
An attacker with local or administrative access to a FortiAnalyzer or FortiManager console could run an undocumented CLI command to escalate privileges and gain full control of the system, potentially affecting all devices and logs that this management platform monitors.
Who's at risk
Organizations using FortiAnalyzer or FortiManager (on-premises or Cloud versions) for centralized security monitoring and device management. This affects network administrators and security teams who rely on these platforms to manage Fortinet firewalls and security appliances across their network.
How it could be exploited
An attacker with high-level credentials (administrative or engineering access) to the FortiAnalyzer or FortiManager CLI could execute an undocumented command that bypasses privilege checks, allowing them to escalate to root-level access. This could be done during legitimate access or after compromising an admin account.
Prerequisites
  • High-privilege CLI access (administrative user credentials)
  • Local or remote access to the management console's CLI interface
  • Knowledge of the undocumented CLI command
  • Low attack complexity
  • Requires high-privilege credentials
  • Affects centralized management system that controls multiple security devices
  • Multiple major version lines affected
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (20)
20 with fix
Product | Affected Versions | Fix Status
FortiAnalyzer | 7.6.0 - 7.6.3 | 7.6.4+
FortiAnalyzer | 7.4.0 - 7.4.7 | 7.4.8+
FortiAnalyzer | 7.2.0 - 7.2.10 | 7.2.11+
FortiAnalyzer | 7.0.0 - 7.0.14 | 7.0.15+
FortiAnalyzer | 6.4 all versions | Migrate to fixed release
Remediation & Mitigation
Do now
FortiAnalyzer
WORKAROUND: Restrict CLI access to FortiAnalyzer and FortiManager to trusted administrative users and networks only
All products
HARDENING: Review administrative user accounts and remove or disable any that are not actively used
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

FortiAnalyzer
HOTFIX: Update FortiAnalyzer to version 7.6.4 or later, 7.4.8 or later, 7.2.11 or later, or 7.0.15 or later depending on your current version
HOTFIX: For FortiAnalyzer or FortiManager 6.4 (all versions), plan migration to a supported fixed version (7.0.15 or later)
FortiManager
HOTFIX: Update FortiManager to version 7.6.4 or later, 7.4.8 or later, 7.2.11 or later, or 7.0.15 or later depending on your current version