Cyber Posture

CVE-2026-22627

Severity: High

Published: 10 March 2026
Modified: 09 April 2026
KEV Added: not listed
Patch: available (see the Fortinet PSIRT advisory)
CVSS Score: 8.8 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0003 (9.3rd percentile)
Risk Priority: 18 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-22627 is a high-severity Classic Buffer Overflow (CWE-120) vulnerability in Fortinet FortiSwitchAXFixed. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The CVE is ranked at the 9.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation of Remote Services (T1210).
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Flaw remediation directly mitigates this buffer overflow vulnerability by applying vendor patches as specified in the Fortinet advisory.

SI-10 Information Input Validation (prevent)

Information input validation enforces size checks on LLDP packets to prevent buffer overflows from crafted inputs.

SI-16 Memory Protection (prevent)

Memory protection mechanisms such as stack canaries and non-executable stacks mitigate unauthorized code execution from buffer overflow exploits.

MITRE ATT&CK Enterprise Techniques

T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

A buffer overflow in LLDP packet handling, reachable from the adjacent network, enables remote code execution by exploiting the device's network protocol service.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

A buffer copy without checking size of input ('classic buffer overflow') vulnerability in Fortinet FortiSwitchAXFixed 1.0.0 through 1.0.1 may allow an unauthenticated attacker within the same adjacent network to execute unauthorized code or commands on the device via sending a crafted LLDP packet.

Deeper analysis

CVE-2026-22627 is a classic buffer overflow vulnerability (CWE-120) affecting Fortinet FortiSwitchAXFixed versions 1.0.0 through 1.0.1. The flaw arises from a buffer copy without checking the size of the input, which can be triggered via specially crafted packets. It has a CVSS v3.1 base score of 8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential confidentiality, integrity, and availability impacts.

An unauthenticated attacker on the same adjacent network can exploit this vulnerability by sending a crafted LLDP packet to the device. Successful exploitation may allow the attacker to execute unauthorized code or commands, potentially leading to full device compromise.

The Fortinet PSIRT advisory at https://fortiguard.fortinet.com/psirt/FG-IR-26-086 provides details on mitigation strategies and available patches. Security practitioners should consult this reference for version-specific remediation guidance.

Details

CWE(s): CWE-120 (Classic Buffer Overflow)

Affected Products: Fortinet FortiSwitchAXFixed, versions 1.0.0 — 1.0.2

CVEs Like This One

CVE-2023-33302 (same vendor: Fortinet)
CVE-2025-53888 (shared CWE-120)
CVE-2024-54887 (shared CWE-120)
CVE-2026-41476 (shared CWE-120)
CVE-2025-25256 (same vendor: Fortinet)
CVE-2025-24266 (shared CWE-120)
CVE-2024-33507 (same vendor: Fortinet)
CVE-2025-59718 (same vendor: Fortinet)
CVE-2024-48885 (same vendor: Fortinet)
CVE-2026-7068 (shared CWE-120)

References

Fortinet PSIRT advisory FG-IR-26-086: https://fortiguard.fortinet.com/psirt/FG-IR-26-086