
CVE-2026-40688

Severity: High
Published: 14 April 2026
Modified: 20 April 2026
CVSS Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0018 (38.7th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-40688 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Fortinet FortiWeb. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 38.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- Prevent: Directly remediates the out-of-bounds write vulnerability by applying vendor patches as specified in the Fortinet advisory.
- Prevent: Implements memory safeguards such as ASLR and DEP to protect against exploitation of out-of-bounds writes leading to arbitrary code execution.
- Prevent: Validates HTTP request inputs so that crafted requests cannot trigger the out-of-bounds write in FortiWeb.

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1059 Command and Scripting Interpreter (Execution): Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

Out-of-bounds write in public-facing FortiWeb appliance allows remote privileged attackers to send crafted HTTP requests for arbitrary code/command execution, directly enabling T1190 (Exploit Public-Facing Application) and facilitating T1059 (Command and Scripting Interpreter).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

An out-of-bounds write vulnerability [CWE-787] in Fortinet FortiWeb 8.0.0 through 8.0.3, FortiWeb 7.6.0 through 7.6.6, FortiWeb 7.4.0 through 7.4.11 may allow a remote privileged attacker to execute arbitrary code or command via crafted HTTP requests.

Deeper analysis

CVE-2026-40688 is an out-of-bounds write vulnerability (CWE-787) affecting Fortinet FortiWeb in versions 8.0.0 through 8.0.3, 7.6.0 through 7.6.6, and 7.4.0 through 7.4.11. This flaw, published on 2026-04-14, carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact across confidentiality, integrity, and availability.

A remote attacker with privileged access can exploit this vulnerability by sending crafted HTTP requests, potentially leading to arbitrary code or command execution on the affected FortiWeb appliance. The attack requires high privileges (PR:H) but has low complexity (AC:L), no user interaction (UI:N), and is accessible over the network (AV:N) without changing scope.

For mitigation details, refer to the Fortinet PSIRT advisory at https://fortiguard.fortinet.com/psirt/FG-IR-26-127, which provides guidance on patches and workarounds.

Details

CWE(s)

CWE-787 (Out-of-bounds Write)

Affected Products

Fortinet FortiWeb: 7.4.0 to 7.4.12 · 7.6.0 to 7.6.7 · 8.0.0 to 8.0.4

CVEs Like This One

- CVE-2024-55597 (same product: Fortinet FortiWeb)
- CVE-2025-52970 (same product: Fortinet FortiWeb)
- CVE-2025-64447 (same product: Fortinet FortiWeb)
- CVE-2025-59719 (same product: Fortinet FortiWeb)
- CVE-2024-55594 (same product: Fortinet FortiWeb)
- CVE-2025-66178 (same product: Fortinet FortiWeb)
- CVE-2026-24017 (same product: Fortinet FortiWeb)
- CVE-2024-50569 (same product: Fortinet FortiWeb)
- CVE-2024-50567 (same product: Fortinet FortiWeb)
- CVE-2025-58034 (same product: Fortinet FortiWeb)
