Buffer Overflow in LLDP OUI field

Plan Patch | CVSS 7.7 | FG-IR-26-086 | Mar 10, 2026
Fortinet
IT in OT - Fortinet products are commonly deployed at IT/OT network boundaries
Attack path
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A buffer overflow vulnerability in the LLDP OUI field processing of FortiSwitchAXFixed allows an unauthenticated attacker on the same local network segment to execute arbitrary code on the switch by sending a crafted LLDP packet. The vulnerability exists in versions 1.0.0 and 1.0.1.

What this means
What could happen
An attacker on your local network could send a malicious LLDP packet to crash the switch or run arbitrary code on it, potentially disrupting network connectivity to critical control systems or allowing the attacker to intercept traffic between your devices.
Who's at risk
Any organization using FortiSwitchAXFixed (versions 1.0.0 or 1.0.1) in their network infrastructure. This is particularly critical for water authorities and utilities that rely on managed switches for network connectivity between control systems, SCADA networks, and supervisory devices.
How it could be exploited
An attacker on your local network (same broadcast domain) crafts a malicious LLDP packet with an oversized OUI field and sends it to the FortiSwitchAXFixed. The buffer overflow allows the attacker to overwrite memory and execute arbitrary code on the switch without needing any credentials.
Prerequisites
  • Attacker must be on the same local network segment (adjacent network)
  • No credentials or authentication required
  • LLDP protocol must be enabled on the switch (typically default)
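As an added defensive example (not code from the advisory, Fortinet, or OTPulse), the following Python snippet parses the LLDP TLV stream of a frame and flags organizationally specific TLVs (type 127) whose declared length overruns the frame, whose value is too short to hold the 3-byte OUI plus subtype, or whose OUI is outside a small allowlist. It assumes a monitoring point that can see raw LLDP frames, uses constructed sample frames rather than real captures, and does not reproduce the specific malformed packet, which the advisory does not describe.

```python
import struct
# LLDP TLV header: 7-bit type + 9-bit length packed into one big-endian 16-bit word.
TLV_END, TLV_ORG_SPECIFIC = 0, 127
# OUIs normally carried in org-specific TLVs: IEEE 802.1, IEEE 802.3, TIA (LLDP-MED).
EXPECTED_OUIS = {b"\x00\x80\xc2", b"\x00\x12\x0f", b"\x00\x12\xbb"}

def parse_lldp_tlvs(payload):
    """Split an LLDP payload (bytes after the Ethernet header) into (type, value) pairs;
    raise ValueError when a declared TLV length runs past the end of the frame."""
    tlvs, offset = [], 0
    while offset + 2 <= len(payload):
        header = struct.unpack_from("!H", payload, offset)[0]
        tlv_type, tlv_len = header >> 9, header & 0x1FF
        offset += 2
        if offset + tlv_len > len(payload):
            raise ValueError(f"TLV type {tlv_type} declares {tlv_len} bytes, "
                             f"only {len(payload) - offset} remain")
        tlvs.append((tlv_type, payload[offset:offset + tlv_len]))
        offset += tlv_len
        if tlv_type == TLV_END:
            break
    return tlvs

def lldp_findings(payload):
    """Return findings for one frame; an empty list means nothing suspicious."""
    try:
        tlvs = parse_lldp_tlvs(payload)
    except ValueError as exc:
        return [f"truncated/overlong TLV: {exc}"]
    findings = []
    for tlv_type, value in tlvs:
        if tlv_type != TLV_ORG_SPECIFIC:
            continue
        if len(value) < 4:  # value must hold a 3-byte OUI plus a 1-byte subtype
            findings.append(f"org-specific TLV too short for OUI+subtype ({len(value)} bytes)")
        elif value[:3] not in EXPECTED_OUIS:
            findings.append(f"org-specific TLV with unexpected OUI {value[:3].hex(':')}")
    return findings

def tlv(tlv_type, value):
    """Build one TLV; used only for the constructed samples below."""
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value

# Constructed samples (not captures): mandatory Chassis ID, Port ID and TTL TLVs first.
HEAD = tlv(1, b"\x04\x00\x11\x22\x33\x44\x55") + tlv(2, b"\x05port1") + tlv(3, b"\x00\x78")
BENIGN = HEAD + tlv(TLV_ORG_SPECIFIC, b"\x00\x80\xc2\x01\x00\x0a") + tlv(TLV_END, b"")
SHORT_OUI = HEAD + tlv(TLV_ORG_SPECIFIC, b"\x00\x80") + tlv(TLV_END, b"")
# Header claims 400 bytes of org-specific data but only 6 bytes follow it.
OVERLONG = HEAD + struct.pack("!H", (TLV_ORG_SPECIFIC << 9) | 400) + b"\x00\x80\xc2\x01\x00\x0a"
```

Call lldp_findings() on each frame taken off a mirror port and alert on any non-empty result; the two malformed samples above return one finding each while BENIGN returns none.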
  • remotely exploitable from adjacent network
  • no authentication required
  • low complexity
  • affects network infrastructure critical to OT operations
  • buffer overflow allows code execution
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (1)
Product | Affected Versions | Fix Status
FortiSwitchAXFixed | 1.0.0 - 1.0.1 | 1.0.2+
Remediation & Mitigation
Do now
WORKAROUND: Disable LLDP protocol on the switch if not required for network discovery
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update FortiSwitchAXFixed to version 1.0.2 or later
Long-term hardening
HARDENING: Restrict access to the switch management interface and trusted network segments using network segmentation or firewall rules


Buffer Overflow in LLDP OUI field | CVSS 7.7 - OTPulse