Fortinet Patches for Critical RCE Flaws in FortiSandbox and FortiAuthenticator Released
Fortinet has released security updates for two critical remote code execution vulnerabilities in FortiAuthenticator and FortiSandbox that could allow unauthenticated attackers to take over unpatched systems.

Fortinet has released security updates to address two critical remote code execution (RCE) vulnerabilities in its FortiAuthenticator identity and access management (IAM) solution and its FortiSandbox malware analysis platform. The flaws, tracked as CVE-2026-44277 and CVE-2026-26083, both allow unauthenticated attackers to execute arbitrary code or commands on vulnerable systems by sending specially crafted HTTP requests.
The first vulnerability, CVE-2026-44277, is an improper access control weakness (CWE-284) in FortiAuthenticator. According to a Tuesday advisory from Fortinet, the bug affects FortiAuthenticator versions prior to 6.5.7, 6.6.9, and 8.0.3. The company noted that FortiAuthenticator Cloud (formerly FortiTrust Identity), its identity-as-a-service offering, is not impacted by this issue.
The second flaw, CVE-2026-26083, is a missing authorization vulnerability (CWE-862) in the web UI of FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS. This bug also enables an unauthenticated attacker to execute unauthorized code or commands via HTTP requests. FortiSandbox is designed to detect and block malicious activity, including zero-day threats, making a successful exploit particularly dangerous.
While Fortinet has not reported active exploitation of either vulnerability in the wild, the company's products are frequently targeted by ransomware and cyber-espionage groups. In recent months, several Fortinet flaws have been added to CISA's Known Exploited Vulnerabilities (KEV) catalog. In February, Fortinet patched CVE-2026-21643, a critical RCE in FortiClient Enterprise Management Server (EMS) that was later confirmed as actively exploited. In early April, CISA ordered federal agencies to patch another actively exploited authentication bypass in FortiClient EMS, tracked as CVE-2026-35616.
CISA has added 24 Fortinet vulnerabilities to its KEV catalog in recent years, 13 of which were also abused in ransomware attacks. This pattern underscores the high risk posed by unpatched Fortinet appliances, which are a common target for threat actors seeking initial access to enterprise networks.
Fortinet has released patches for both vulnerabilities. Administrators are strongly advised to update FortiAuthenticator to versions 6.5.7, 6.6.9, or 8.0.3 or later, and FortiSandbox to the latest patched versions. No workarounds have been provided, so applying the updates is the only mitigation. Given the critical severity and the potential for exploitation, organizations should prioritize these patches.
Fortinet's advisory (FG-IR-26-128) assigns a CVSSv3 score of 9.1 to the improper access control vulnerability (CWE-284) in FortiAuthenticator, which allows an unauthenticated attacker to execute unauthorized code or commands via crafted API requests. The advisory, revised on May 12, 2026, provides upgrade paths to versions 8.0.3, 6.6.9, or 6.5.7, and notes that FortiAuthenticator Cloud is not affected. As a workaround, administrators can disable API access on exposed interfaces through Network → Interfaces → Access Rights.
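For administrators triaging a fleet against the FortiAuthenticator fixed releases named above (6.5.7, 6.6.9 and 8.0.3), the following is an added example, not Fortinet's own tooling: it classifies each inventoried version as vulnerable, fixed, or in a branch this page does not list (which must be checked against the advisory itself rather than assumed safe). Hostnames and versions in the sample inventory are constructed.

```python
"""Version triage for CVE-2026-44277 (FortiAuthenticator).
Example code added to this article; the fixed versions come from the text
above, the inventory below is constructed."""

# Fixed releases per major.minor branch, as stated in the advisory summary.
FIXED_BY_BRANCH = {
    (6, 5): (6, 5, 7),
    (6, 6): (6, 6, 9),
    (8, 0): (8, 0, 3),
}

def parse_version(text: str) -> tuple:
    """Turn 'A.B.C' into an integer tuple; reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)

def assess(version: str) -> str:
    """Return 'vulnerable', 'fixed' or 'unlisted' for one version string.
    'unlisted' means the major.minor branch is not named in the advisory text
    on this page; consult FG-IR-26-128 directly before treating it as safe."""
    v = parse_version(version)
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is None:
        return "unlisted"
    return "fixed" if v >= fixed else "vulnerable"

def triage_inventory(lines) -> dict:
    """Parse 'hostname<TAB>version' lines into {hostname: status}."""
    result = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        host, _, ver = line.partition("\t")
        try:
            result[host] = assess(ver)
        except ValueError:
            result[host] = "unparseable"
    return result

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = """\
# host\tFortiAuthenticator version
fac-hq-01\t6.5.6
fac-hq-02\t6.5.7
fac-dc-01\t6.6.10
fac-lab-01\t8.0.2
fac-lab-02\t7.0.4
"""

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY.splitlines()).items():
        print(f"{host:12} {status}")
```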