CVE-2026-22628 is a security vulnerability identified in Fortinet's FortiSwitchAXFixed product, specifically affecting versions 1.0.0 through 1.0.1. The flaw arises from improper access control mechanisms that allow an authenticated administrator to execute arbitrary system commands on the device by submitting a specially crafted SSH configuration file. This attack vector exploits the way the device processes SSH config files, bypassing intended restrictions and enabling command execution at the system level. The vulnerability requires the attacker to have authenticated administrative privileges, which lowers the barrier compared to remote unauthenticated attacks but still poses a significant risk within environments where admin credentials might be compromised or misused. The CVSS v3.1 base score is 5.1, reflecting a medium severity level, with the vector indicating local attack vector (AV:L), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), unchanged scope (S:U), and impacts on confidentiality, integrity, and availability rated as low (C:L, I:L, A:L). No public exploits have been reported yet, but the vulnerability's nature suggests potential for misuse in targeted attacks or insider threats. Fortinet has not yet published patches or mitigations at the time of this report, emphasizing the need for administrators to implement interim controls to reduce risk.

The vulnerability allows an authenticated administrator to execute arbitrary system commands, which can lead to unauthorized changes in device configuration, potential data leakage, or disruption of network operations. Although the attacker must already have admin credentials, this flaw significantly elevates the risk of insider threats or credential compromise scenarios. Exploitation could result in partial loss of confidentiality (exposure of sensitive configuration or operational data), integrity (unauthorized modification of device settings), and availability (potential disruption or denial of network services). Organizations relying on FortiSwitchAXFixed devices in critical network infrastructure could face operational disruptions or security breaches if this vulnerability is exploited. The medium severity rating reflects the balance between the required privileges and the potential impact, but the risk is heightened in environments with weak credential management or insufficient monitoring.

1. Restrict administrative access to FortiSwitchAXFixed devices using strong authentication methods such as multi-factor authentication (MFA) and limit admin accounts to trusted personnel only. 2. Monitor and audit SSH configuration files and administrative actions on the devices to detect any unauthorized or suspicious changes promptly. 3. Implement network segmentation and access controls to limit exposure of management interfaces to trusted networks and hosts only. 4. Regularly review and rotate administrative credentials to reduce the risk of credential compromise. 5. Stay informed on Fortinet advisories and apply official patches or firmware updates as soon as they become available to address this vulnerability. 6. Consider deploying intrusion detection or prevention systems that can identify anomalous command execution or configuration changes on network devices. 7. Conduct periodic security assessments and penetration testing focused on administrative interfaces to uncover potential exploitation paths.