Multiple Vulnerabilities in Fortinet Products Could Allow for Arbitrary Code Execution
ID: 3f32d6ce-21e9-51a0-8d57-be09dafcbe04
STIX ID: report--3f32d6ce-21e9-51a0-8d57-be09dafcbe04
Feed Name: CISecurity.org Advisories
Multiple vulnerabilities were disclosed in Fortinet products, including unauthenticated SQL injection and RCE vectors in FortiClientEMS and FortiSandbox, an LDAP authentication bypass in FortiOS fnbamd, and several lower-severity issues across FortiClient, FortiGate, FortiAuthenticator, and FortiOS (each with CVE identifiers). Successful exploitation of the most severe flaws could allow arbitrary code execution in the context of service accounts, potentially enabling installation of programs, data theft or modification, and creation of privileged accounts depending on service privileges.
