"An Improper Access Control vulnerability [CWE-284] in FortiAuthenticator may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests," Fortinet said in a Tuesday advisory.
CVE-2026-44277 in FortiAuthenticator
Fortinet disclosed and patched a critical remote code execution vulnerability tracked as CVE-2026-44277 in its FortiAuthenticator Identity and Access Management (IAM) product. According to the advisory, the flaw stems from an improper access control condition that could let an unauthenticated actor run unauthorized code or commands by sending specially crafted requests to vulnerable appliances.
Fortinet listed fixed builds for on-premises FortiAuthenticator as versions 6.5.7, 6.6.9, and 8.0.3. The company also stated explicitly that FortiAuthenticator Cloud (formerly FortiTrust Identity), an Identity and Access Management as a Service cloud offering hosted and managed by Fortinet, is not impacted by CVE-2026-44277.
CVE-2026-26083 in FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS WEB UI
In the same advisory set, Fortinet addressed a second critical issue — CVE-2026-26083 — described as a missing authorization vulnerability (CWE-862) affecting FortiSandbox and related cloud and platform variants. Fortinet said the vulnerability "may allow an unauthenticated attacker to execute unauthorized code or commands via HTTP requests."
The affected components named in the advisory include FortiSandbox, FortiSandbox Cloud and FortiSandbox PaaS WEB UI, products Fortinet positions to protect networks against malicious activity, including zero-day threats.
Patch availability and what Fortinet confirmed
Fortinet released security updates for the two issues. For FortiAuthenticator, the advisory lists the patched versions by exact release number; for FortiSandbox, the company reported that it had addressed the missing authorization weakness across the listed product families. The advisory does not state that either vulnerability has been observed being exploited in the wild.
Context: past Fortinet flaws, Defused reporting, and CISA activity
Fortinet cautioned that, while these two flaws were not tagged as exploited in the wild, its vulnerabilities have frequently appeared in ransomware and cyber-espionage campaigns and have previously been used as zero-days. The advisory cites recent precedent in which Fortinet fixed a critical issue in February — CVE-2026-21643 in the FortiClient Enterprise Management Server (EMS) platform — that threat intelligence company Defused flagged as actively exploited one month later.
Fortinet-related risks have also drawn U.S. federal attention: the U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered federal agencies in early April to secure FortiClient Enterprise Management Server (EMS) instances against an actively exploited authentication bypass flaw tracked as CVE-2026-35616. CISA has added a total of 24 Fortinet vulnerabilities to its catalog of actively exploited security flaws in recent years, 13 of which the agency records as also abused in ransomware attacks.
What this means for technologists, federal agencies, and attackers
- Technologists and security teams: Teams running on-premises FortiAuthenticator should verify they are on patched versions 6.5.7, 6.6.9, or 8.0.3, and teams using FortiSandbox variants should apply Fortinet's supplied fixes; FortiAuthenticator Cloud was identified by Fortinet as not impacted by CVE-2026-44277.
- Federal agencies and regulators: Given CISA's recent orders and the agency's record of cataloging Fortinet flaws as actively exploited, agencies with Fortinet appliances are likely to treat these advisories with heightened urgency and follow applicable hardening or mitigation guidance.
- Adversaries and threat actors: Fortinet's own advisory language — and the vendor's history of products being incorporated into ransomware and espionage operations — means unpatched FortiAuthenticator and FortiSandbox instances remain a potential target for exploitation.
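The "verify they are on patched versions" step above is an inventory check most teams script. The following is an added example, not Fortinet's tooling or anything from the advisory: it compares on-premises FortiAuthenticator version strings against the three fixed builds the advisory lists (6.5.7, 6.6.9, 8.0.3), treats FortiAuthenticator Cloud as not impacted as the vendor states, and deliberately reports release branches the advisory text does not enumerate as "unknown-branch" rather than assuming them safe. The hostnames, the version-string formats and the assumption that a lower build on a listed branch is unpatched are all constructed for the example; the vendor advisory remains the canonical record.

```python
"""Triage a FortiAuthenticator inventory against the CVE-2026-44277 fixed builds.

Added example; the FIXED_BUILDS numbers come from the advisory as quoted in the
article, everything else (hostnames, version formats, status labels) is constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Fixed on-premises FortiAuthenticator builds for CVE-2026-44277, keyed by
# release branch (major, minor). Only these three branches are named on the page.
FIXED_BUILDS: Dict[Tuple[int, int], Version] = {
    (6, 5): (6, 5, 7),
    (6, 6): (6, 6, 9),
    (8, 0): (8, 0, 3),
}

# Hypothetical version-string formats: "6.5.6", "v6.6.9,build0456", etc.
_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Version]:
    """Extract (major, minor, patch) from a version string, or None if absent."""
    m = _VERSION_RE.search(text.strip())
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess(product: str, version_text: str) -> str:
    """Classify one appliance.

    Returns one of:
      'not-impacted'       FortiAuthenticator Cloud, which the vendor states is unaffected
      'patched'            on a listed branch at or above the fixed build
      'vulnerable->X.Y.Z'  on a listed branch below the fixed build; X.Y.Z is the target
      'unknown-branch'     a branch the advisory text on this page does not enumerate;
                           consult the advisory rather than assuming it is safe
      'unparseable'        version string not understood; needs manual review
    """
    if product.strip().lower() == "fortiauthenticator cloud":
        return "not-impacted"
    v = parse_version(version_text)
    if v is None:
        return "unparseable"
    fixed = FIXED_BUILDS.get(v[:2])
    if fixed is None:
        return "unknown-branch"
    if v >= fixed:
        return "patched"
    return "vulnerable->%d.%d.%d" % fixed


def triage(inventory: List[Dict[str, str]]) -> Dict[str, str]:
    """Map each host to its status; anything not 'patched'/'not-impacted' needs action."""
    return {h["host"]: assess(h["product"], h["version"]) for h in inventory}


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = [
    {"host": "fac-dc1", "product": "FortiAuthenticator", "version": "6.5.6"},
    {"host": "fac-dc2", "product": "FortiAuthenticator", "version": "v6.6.9,build0456"},
    {"host": "fac-lab", "product": "FortiAuthenticator", "version": "8.0.2"},
    {"host": "fac-old", "product": "FortiAuthenticator", "version": "6.4.3"},
    {"host": "fac-saas", "product": "FortiAuthenticator Cloud", "version": "n/a"},
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:10s} {status}")
```

The "unknown-branch" outcome is the important design choice: an inventory script that only knows three fixed builds must not silently mark a 6.4.x or 7.x appliance as patched, because the page does not say whether those branches are affected or end-of-support.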
Fortinet has issued updates for both CVE-2026-44277 and CVE-2026-26083; defenders should treat the vendor advisory and the specific patched version numbers as the canonical record. The advisory stopped short of reporting active exploitation, but the company's recent history of quickly weaponized flaws and the parallel actions recorded by Defused and CISA underline why organizations that run these products will need to confirm patching or mitigation without delay.
Original reporting: https://www.bleepingcomputer.com/news/security/fortinet-warns-of-critical-rce-flaws-in-fortisandbox-and-fortiauthenticator/