Fortinet Patches Critical RCE Vulnerabilities in FortiSandbox and FortiAuthenticator

Written by: Lore Apostol, Cybersecurity Writer
Key Takeaways
  • Critical flaws patched: Security updates address vulnerabilities allowing remote code execution on unpatched Fortinet systems.
  • Systems at risk: The vulnerabilities impact specific versions of FortiAuthenticator and FortiSandbox deployments.
  • CISA catalog context: CISA has tracked 24 exploited Fortinet flaws in recent years, including 13 utilized in ransomware attacks.

Fortinet has released security updates for CVE-2026-44277 and CVE-2026-26083 to mitigate two critical vulnerabilities that could allow attackers to run commands or arbitrary code on unpatched systems. These remote code execution (RCE) flaws require immediate remediation across enterprise environments.

FortiAuthenticator Access Control and FortiSandbox Missing Authorization Flaws

The first vulnerability, identified as CVE-2026-44277, is an improper access control issue within the FortiAuthenticator Identity and Access Management (IAM) solution. This critical flaw, discovered internally during a Fortinet audit, allows an unauthenticated attacker to execute unauthorized code or commands via crafted requests, according to the Fortinet advisory.

To mitigate the threat, Fortinet has released patches in FortiAuthenticator versions 6.5.7, 6.6.9, and 8.0.3. Fortinet specified that FortiAuthenticator Cloud, previously known as FortiTrust Identity, is not impacted by this vulnerability.
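For an operations team, the practical follow-up to an advisory like this is an inventory sweep: which FortiAuthenticator appliances are still below the fixed release on their branch? The script below is an added example, not Fortinet's code and not from the advisory. It only encodes the three fixed releases the article names (6.5.7, 6.6.9 and 8.0.3); the assumption that any earlier release on those same branches is unpatched is ours, and versions on branches the article does not mention are reported as "unknown" rather than guessed. The inventory and hostnames are constructed sample data.

```python
"""Patch-status triage for FortiAuthenticator against CVE-2026-44277.

Added illustration, not Fortinet's code. FIXED_RELEASES holds the fixed
versions named in the article; treating older releases on the same branch
as unpatched is an assumption of this script, and branches not listed
(for example 7.x) are reported as 'unknown' instead of being guessed.
"""
from typing import Dict, Tuple

Version = Tuple[int, int, int]

# Fixed releases from the advisory coverage, keyed by (major, minor) branch.
FIXED_RELEASES: Dict[Tuple[int, int], Version] = {
    (6, 5): (6, 5, 7),
    (6, 6): (6, 6, 9),
    (8, 0): (8, 0, 3),
}


def parse_version(text: str) -> Version:
    """Turn strings such as 'v6.6.8' or '6.6.8 build0234' into (6, 6, 8).

    Only the leading dotted triple is used; build numbers are ignored.
    Raises ValueError on anything that is not three numeric components.
    """
    token = text.strip().lstrip("vV").split()[0] if text.strip() else ""
    parts = token.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def patch_status(version: str) -> str:
    """Classify one installed version.

    Returns 'patched' when at or above the fixed release for its branch,
    'vulnerable' when below it, 'unknown' for branches the article does not
    cover, and 'unparseable' when the version string cannot be read.
    """
    try:
        major, minor, patch = parse_version(version)
    except ValueError:
        return "unparseable"
    fixed = FIXED_RELEASES.get((major, minor))
    if fixed is None:
        return "unknown"
    return "patched" if (major, minor, patch) >= fixed else "vulnerable"


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host in an inventory (host -> reported version) to its status."""
    return {host: patch_status(ver) for host, ver in inventory.items()}


def hosts_needing_action(inventory: Dict[str, str]) -> Dict[str, str]:
    """Everything that is not confirmed patched: vulnerable, unknown, unparseable.

    'unknown' and 'unparseable' are deliberately kept in the action list so a
    silent parsing gap never reads as a clean bill of health.
    """
    return {h: s for h, s in triage_inventory(inventory).items() if s != "patched"}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "fac-hq-01": "6.6.8 build0234",  # one release behind 6.6.9
    "fac-hq-02": "v6.6.9",           # at the fixed release
    "fac-lab-01": "8.0.3",           # at the fixed release
    "fac-legacy": "6.5.2",           # well behind 6.5.7
    "fac-dr-01": "7.2.1",            # branch not covered by the article
    "fac-bad-cmdb": "n/a",           # garbage from the asset database
}

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:14} {SAMPLE_INVENTORY[host]:18} {status}")
    print("needs action:", sorted(hosts_needing_action(SAMPLE_INVENTORY)))
```

The "not patched" set intentionally includes hosts whose version could not be classified; a version string the CMDB mangled is a gap in your evidence, not a patched system, and the sweep should surface it rather than drop it.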

The second critical security flaw, tracked as CVE-2026-26083, is a missing authorization vulnerability. This issue affects FortiSandbox, FortiSandbox Cloud, and the FortiSandbox PaaS WEB UI. If exploited, an unauthenticated attacker can execute unauthorized code or commands through malicious HTTP requests.

Historical Exploitation of Fortinet Infrastructure

While the vendor has not yet documented active exploitation of these specific CVEs, Fortinet infrastructure remains a high-value target for threat actors. In recent years, the Cybersecurity and Infrastructure Security Agency (CISA) has added 24 Fortinet vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog.

Of those documented vulnerabilities, 13 were actively abused in ransomware attacks. Prior instances of actively exploited flaws include CVE-2026-21643 and the authentication bypass vulnerability CVE-2026-35616, both of which affected FortiClient Enterprise Management Server instances.

Early this year, Fortinet temporarily disabled FortiCloud SSO following its active exploitation. In March, SentinelOne analyzed how FortiGate edge intrusions lead to deep network compromise and rogue workstations.
