CERT-In Issues Critical Advisory for FortiOS & FortiProxy: A Deep Technical Analysis
On May 28, 2026, the Indian Computer Emergency Response Team (CERT-In) issued a critical severity advisory addressing multiple vulnerabilities in Fortinet FortiOS and FortiProxy. With over 5,732 FortiGate firewalls deployed across 1,000+ organizations, here is a deep technical breakdown of what this means and what you need to do.
Understanding the Vulnerability
CERT-In has flagged multiple stack-based buffer overflow vulnerabilities in FortiOS and FortiProxy that could allow an unauthenticated remote attacker to execute arbitrary code. This is about as serious as it gets. An unauthenticated remote code execution vulnerability means an attacker needs no credentials, no internal network access, and no prior foothold. They can exploit this directly over the internet if management interfaces are exposed.
The vulnerabilities affect the FGFM protocol and administrative interfaces. Proof-of-concept code has been observed in the wild, meaning attackers have already weaponized these vulnerabilities.
Affected Versions
FortiOS
- FortiOS 7.4.x below 7.4.5
- FortiOS 7.2.x below 7.2.9
- FortiOS 7.0.x below 7.0.15
- FortiOS 6.4.x below 6.4.15
FortiProxy
- FortiProxy 7.4.x below 7.4.3
- FortiProxy 7.2.x below 7.2.9
- FortiProxy 7.0.x below 7.0.12
If you are running any of these, consider your environment at HIGH RISK until patched.
Technical Breakdown
The core issue lies in how FortiOS handles crafted packets in the FGFM protocol. FortiGate devices use FGFM to communicate with FortiManager. A specially crafted packet triggers a buffer overflow allowing memory overwrite and arbitrary code injection.
The exploitation chain: attackers scan for internet-facing FortiGate devices on Shodan or Censys, send a crafted FGFM packet that triggers the buffer overflow, gain root-level code execution on the firewall, establish persistence via backdoor accounts or SSH keys, and begin lateral movement into the internal network. With the firewall compromised, traffic inspection is bypassed, enabling data exfiltration or ransomware deployment.
Implications for Indian Enterprises
Fortinet dominates the Indian firewall market in BFSI, government, and manufacturing. Based on our deployment data, approximately 40% of FortiGate devices in India still run unpatched versions. The RBI Cyber Security Framework and CERT-In directives under the IT Act mandate timely patching. The DPDP Act of 2026 adds due diligence requirements for personal data protection. A firewall compromise leading to a data breach becomes both a security incident and a regulatory violation.
With ransomware attacks on Indian enterprises up 62% in 2026, a compromised firewall is the ideal entry point for ransomware gangs who can disable security controls, exfiltrate data silently, and deploy ransomware across the network.
Action Plan
Immediate (24 Hours)
- Identify all affected devices including test and DR environments
- Restrict management access to trusted IPs
- Forward all FortiGate logs to your SIEM
- Review SSL VPN configurations
Short-Term (1 Week)
- Patch all affected devices following Fortinet upgrade paths
- Test in staging first to avoid configuration issues
- Update FortiGuard IPS signatures
- Run credentialed vulnerability scans
Long-Term (1 Month)
- Implement zero-trust for management access
- Deploy automated patch management
- Engage managed SOC for 24/7 monitoring
- Build incident response playbooks
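The first item of the action plan, identifying every affected device, comes down to comparing each device's firmware against the advisory's affected-version list. The following Python script is an added example (not code from CERT-In, Fortinet or P J Networks): it encodes the fixed releases from the Affected Versions section above, classifies each inventory entry as affected, patched, or unknown (branch not listed in the advisory, so verify manually), and runs over a constructed sample inventory whose hostnames and versions are made up.

```python
"""Triage a FortiGate/FortiProxy inventory against the CERT-In advisory.
Fixed versions come from the advisory's Affected Versions section; the
sample inventory below is constructed data, not real devices."""

# Per product: branch "major.minor" -> first fixed release in that branch.
FIXED_VERSIONS = {
    "FortiOS": {"7.4": "7.4.5", "7.2": "7.2.9", "7.0": "7.0.15", "6.4": "6.4.15"},
    "FortiProxy": {"7.4": "7.4.3", "7.2": "7.2.9", "7.0": "7.0.12"},
}

def parse_version(v):
    """'7.4.5' -> (7, 4, 5); raises ValueError on malformed input."""
    parts = tuple(int(p) for p in v.strip().split("."))
    if len(parts) != 3:
        raise ValueError(f"expected major.minor.patch, got {v!r}")
    return parts

def is_affected(product, version):
    """True if the version is below its branch's fixed release, False if it is
    at or above it, None if the branch is not listed in the advisory."""
    major, minor, _ = parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(product, {}).get(f"{major}.{minor}")
    if fixed is None:
        return None
    return parsed < parse_version(fixed)

def triage(inventory):
    """Split (hostname, product, version) records into affected, patched
    and unknown buckets, each sorted by hostname."""
    buckets = {"affected": [], "patched": [], "unknown": []}
    for host, product, version in inventory:
        status = is_affected(product, version)
        key = "unknown" if status is None else ("affected" if status else "patched")
        buckets[key].append(host)
    return {k: sorted(v) for k, v in buckets.items()}

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("fw-hq-01", "FortiOS", "7.4.4"),         # below 7.4.5  -> affected
    ("fw-dr-01", "FortiOS", "7.2.9"),         # fixed release -> patched
    ("fw-branch-07", "FortiOS", "7.0.14"),    # below 7.0.15 -> affected
    ("proxy-dc-01", "FortiProxy", "7.0.12"),  # fixed release -> patched
    ("fw-lab-02", "FortiOS", "7.6.1"),        # branch not listed -> unknown
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Remember to include test and DR devices in the inventory, as the action plan says; the "unknown" bucket is for branches the advisory does not mention and should be checked against Fortinet's own PSIRT entry rather than assumed safe.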
How P J Networks Can Help
As a Fortinet Gold MSSP Partner with a decade of Fortinet infrastructure management, our 24/7 SOC team has already identified affected devices across our client base and initiated patching. We offer managed NOC services with 15-minute SLAs, managed SOC with SIEM and threat hunting, vulnerability management, and deep Fortinet expertise across 5,732+ firewalls deployed.
Sanjay Seth is CEO & CTO of P J Networks Pvt Ltd, a Fortinet Gold MSSP Partner with 22+ years in cybersecurity.