Technical Tip: Explanation of 'Branches to fix' version in Fortinet PSIRT Policy

kcheng · ‎02-06-2025

Description

This article describes the definition of 'Branches to fix' corresponding to the CVSS score.

Scope

All FortiOS.

Solution

Fortinet PSIRT policy defines the 'Branches to fix' based on the CVSS score assigned to a specific vulnerability. The full PSIRT policy can be found via the following link: PSIRT Policy.

In the PSIRT policy, the branches to fix are highly dependent on the severity of the reported vulnerability:

As of January 2026, the FortiOS releases that have not reached the end of support date are as follows:

FortiOS	End of Support Date
7.2 (Long Term Support)	2026-09-30 (Extended EOS: 2028-03-31)
7.4	2027-01-11
7.6 (Long Term Support	2029-01-25 (Extended EOS: 2030-07-29)

Reference: Fortinet Product Life Cycle.

Based on the information above, the categorization of the 'Branches to fix' is as follows:

Branches to fix	Definition	FortiOS Versions (as of Jan 2026)
All supported versions.	All supported FortiOS versions that have not reached End of Support(EOS) or Extended End of Support (EEOS) for LTS versions.	v7.2, v7.4, v7.6.
Current and prior versions.	The latest major version (n) and prior major versions (n-1) among all FortiOS versions are currently under Engineering Support.	v7.4, v7.6.
Fixed in the latest supported version.	The latest major version among all FortiOS versions that are currently under Engineering Support.	v7.6.
Fixed in the next major version.	Future major version.	>v7.6.

Technical Tip: Explanation of 'Branches to fix' version in Fortinet PSIRT Policy

You are leaving our website