CVE-2026-22628 is a vulnerability identified in Fortinet's FortiSwitchAXFixed product, specifically affecting versions 1.0.0 through 1.0.1. The flaw stems from improper access control mechanisms within the device's handling of SSH configuration files. An authenticated administrator can exploit this vulnerability by providing a specially crafted SSH config file, which the system then processes in a way that allows execution of arbitrary system commands. This could lead to unauthorized code execution, enabling attackers to manipulate system settings, disrupt network operations, or access sensitive information. The vulnerability does not require user interaction beyond authentication, and the attack vector is local (AV:L), meaning the attacker must have legitimate admin credentials. The CVSS v3.1 base score of 5.1 reflects a medium severity level, with low attack complexity and privileges required, but limited scope since it affects only the FortiSwitchAXFixed device. No public exploits or patches are currently documented, but the risk remains significant for environments relying on these devices for network switching and security. The vulnerability impacts confidentiality, integrity, and availability, albeit to a limited degree due to the prerequisite of admin access.

The impact of CVE-2026-22628 is primarily on organizations using Fortinet FortiSwitchAXFixed devices in their network infrastructure. Successful exploitation could allow an authenticated administrator to execute arbitrary commands, potentially leading to unauthorized configuration changes, disruption of network traffic, or exposure of sensitive data. This could degrade network availability and compromise the integrity of network operations. While the vulnerability requires admin credentials, insider threats or compromised admin accounts could leverage this flaw to escalate privileges or maintain persistence. The medium severity score indicates moderate risk, but in critical environments such as data centers, telecommunications, or enterprise networks, the consequences could be significant. The lack of known exploits reduces immediate risk, but the presence of this vulnerability in core network devices necessitates prompt attention to prevent future exploitation.

Organizations should immediately verify if they are running FortiSwitchAXFixed versions 1.0.0 or 1.0.1 and restrict administrative access to trusted personnel only. Implement strict access controls and monitor admin account usage for suspicious activity. Fortinet should be contacted for patches or firmware updates addressing this vulnerability; until then, consider disabling SSH access or limiting it via network segmentation and firewall rules to reduce exposure. Employ multi-factor authentication (MFA) for admin accounts to mitigate risks from credential compromise. Regularly audit SSH configuration files and system logs for unauthorized changes or command executions. Additionally, network administrators should isolate vulnerable devices from untrusted networks and maintain up-to-date backups to enable rapid recovery if exploitation occurs. Finally, maintain vigilance for any future advisories or exploit disclosures related to this CVE.