Exploit Released for Unpatched Fortinet FortiGate Firewall Vulnerability

A public exploit has been released for a critical unauthenticated remote code execution vulnerability (CVE-2026-47891) in Fortinet FortiGate firewalls running FortiOS versions 7.2 through 7.6, before the vendor has issued a patch. Internet scans indicate approximately 490,000 devices are potentially vulnerable.

The vulnerability exists in the FortiGate SSL VPN web portal and allows an unauthenticated attacker to execute arbitrary commands with root privileges through a crafted HTTP request. The exploit is trivial to use and has been incorporated into popular penetration testing frameworks.

Fortinet acknowledged the vulnerability after the exploit was published and stated that a patch is in development with an expected release date of February 15. In the meantime, the company has published workaround guidance including disabling the SSL VPN web portal and implementing IP-based access restrictions.

Threat intelligence firms report that mass scanning for vulnerable FortiGate devices began within hours of the exploit publication. At least two ransomware groups have been observed incorporating the exploit into their attack workflows.

This incident marks the fourth critical vulnerability in Fortinet products in the past 18 months, raising concerns about the security of enterprise firewall appliances. Organizations are urged to implement the published workarounds immediately and monitor for indicators of compromise provided by Fortinet and CISA.