VYPR advisory · Published May 12, 2026 · Updated May 20, 2026 · 1 source

Critical Missing Authorization Flaw in FortiSandbox Allows Unauthenticated RCE

Fortinet disclosed a critical missing authorization vulnerability in FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS that could allow unauthenticated attackers to execute arbitrary code.

Fortinet has disclosed a critical missing-authorization vulnerability (CWE-862) in its FortiSandbox product line: FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS. The flaw, rated CVSS 9.1, resides in the web UI and could allow an unauthenticated, remote attacker to execute unauthorized code or commands via crafted HTTP requests. The advisory was published on May 12, 2026; at the time of writing no CVE ID has been assigned.

The affected versions span the whole FortiSandbox family. On-premises FortiSandbox 5.0.0 through 5.0.1 and 4.4.0 through 4.4.8 are impacted; the fixes are 5.0.2 and 4.4.9, respectively. FortiSandbox Cloud 24 and 23 are affected in all versions, and users of those releases are advised to migrate to a fixed release; FortiSandbox Cloud 5.0.2 through 5.0.5 must be upgraded to 5.0.6. FortiSandbox PaaS 23.4, 23.3, 23.1, 22.2, 22.1, 21.4, and 21.3 are affected in all versions, as are PaaS 5.0.0 through 5.0.1 and PaaS 4.4.5 through 4.4.8; Fortinet lists fixed releases for PaaS as well, so check the advisory for the exact target version of your branch. Note that the 5.0 and 4.4 ranges are not identical across products (Cloud 5.0.0 and 5.0.1 are not listed, and the PaaS 4.4 range starts at 4.4.5), so match each deployment against the ranges for its own product rather than assuming one mapping applies everywhere.
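To turn the version list above into something that can be run against an inventory, here is an added triage helper. It is example code written for this page, not Fortinet's tooling; the product labels, host names and sample inventory are constructed, and for the PaaS 5.0 and 4.4 ranges it only records that a fixed release exists, because this summary does not give the number.

```python
# Added example (not Fortinet tooling): classify FortiSandbox inventory entries
# against the affected/fixed ranges listed in this advisory summary.
# Version strings and the sample inventory below are constructed for the demo.

MIGRATE = "migrate to a fixed release"

# Each entry: (low, high, action). low/high are inclusive version tuples;
# a 1- or 2-element tuple matches every version under that prefix ("all versions").
AFFECTED = {
    "FortiSandbox": [
        ((5, 0, 0), (5, 0, 1), "upgrade to 5.0.2"),
        ((4, 4, 0), (4, 4, 8), "upgrade to 4.4.9"),
    ],
    "FortiSandbox Cloud": [
        ((24,), (24,), MIGRATE),
        ((23,), (23,), MIGRATE),
        ((5, 0, 2), (5, 0, 5), "upgrade to 5.0.6"),
    ],
    "FortiSandbox PaaS": [
        # Year-based PaaS branches affected in all versions.
        *[((y, m), (y, m), MIGRATE)
          for y, m in ((23, 4), (23, 3), (23, 1), (22, 2), (22, 1), (21, 4), (21, 3))],
        # The summary confirms fixed releases exist for these but gives no number.
        ((5, 0, 0), (5, 0, 1), "upgrade to the fixed 5.0 release named in the advisory"),
        ((4, 4, 5), (4, 4, 8), "upgrade to the fixed 4.4 release named in the advisory"),
    ],
}


def parse_version(text):
    """'v4.4.8' -> (4, 4, 8); '24' -> (24, 0, 0). Pads to 3 parts so prefix checks work."""
    parts = text.strip().lstrip("v").split(".")
    try:
        v = tuple(int(p) for p in parts)
    except ValueError:
        raise ValueError(f"unparseable version: {text!r}") from None
    return v + (0,) * (3 - len(v))


def assess(product, version):
    """Return ('affected', action) or ('not listed', None) for one deployment."""
    if product not in AFFECTED:
        raise ValueError(f"unknown product: {product!r}")
    v = parse_version(version)
    for low, high, action in AFFECTED[product]:
        k = len(low)                      # compare only as many parts as the range specifies
        if low <= v[:k] <= high:
            return ("affected", action)
    return ("not listed", None)


# Constructed inventory, the shape a CMDB export might have.
SAMPLE_INVENTORY = [
    {"host": "fsa-dc1", "product": "FortiSandbox", "version": "4.4.8"},
    {"host": "fsa-dc2", "product": "FortiSandbox", "version": "5.0.2"},
    {"host": "fsa-cloud", "product": "FortiSandbox Cloud", "version": "24.2"},
    {"host": "fsa-paas", "product": "FortiSandbox PaaS", "version": "4.4.4"},
]


def triage(inventory):
    """Return only entries needing action, as (host, product, version, action), sorted by host."""
    hits = []
    for item in inventory:
        status, action = assess(item["product"], item["version"])
        if status == "affected":
            hits.append((item["host"], item["product"], item["version"], action))
    return sorted(hits)


if __name__ == "__main__":
    for host, product, version, action in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} -> {action}")
```

A version that is above the fixed release for its branch (5.0.2 on-premises, for instance) falls outside every range and is reported as "not listed", which is the right default for a hotfix check; a version the script cannot parse raises rather than silently passing.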

The vulnerability was internally discovered and reported by Adham El Karn of the Fortinet Product Security team. The advisory notes that no workarounds are available, and users must apply the provided patches or migrate to fixed releases. Given the critical severity and the lack of authentication required for exploitation, Fortinet strongly recommends immediate action.

FortiSandbox is a malware analysis and threat detection platform widely used in enterprise environments. A successful exploit could give an attacker full control of the appliance, potentially leading to data theft, lateral movement, or further compromise of the network; because the appliance receives samples for analysis and returns verdicts, an attacker controlling it could also read submitted files or tamper with detection results. The vulnerability is particularly concerning because it requires neither credentials nor user interaction and can be triggered remotely.

This disclosure adds to a series of recent Fortinet patches. Earlier in May 2026, Fortinet released fixes for critical RCE flaws in FortiAuthenticator and FortiSandbox, as reported in a separate advisory, and has patched multiple vulnerabilities across its product lines in recent months.

Organizations running affected FortiSandbox versions should prioritize patching, especially where the management interface is reachable from the internet. Fortinet has not reported in-the-wild exploitation, but a pre-authentication RCE in an appliance web UI is the kind of flaw that is typically weaponized quickly once the patch can be diffed. Since no workaround exists, the only compensating control is to limit who can reach the web UI (a management VLAN, VPN access, or allow-listed source addresses) until the upgrade is done; that reduces exposure but does not remove the vulnerability. Security teams should inventory their FortiSandbox deployments, confirm each running version against the affected ranges for its product, and apply the updates as soon as possible.

Synthesized by Vypr AI