Fortinet Patches Critical RCE Flaws in FortiSandbox and FortiAuthenticator

By Ash K

Fortinet has shipped fixes for two critical flaws that sit in exactly the wrong places: identity infrastructure and malware analysis infrastructure.

The vulnerabilities affect FortiAuthenticator and FortiSandbox, two products defenders often depend on to control access and inspect suspicious content. In both cases, Fortinet says an unauthenticated attacker could execute unauthorized code or commands on vulnerable systems.

What Fortinet Fixed

The first vulnerability, tracked as CVE-2026-44277, affects FortiAuthenticator. Fortinet describes it as an Improper Access Control issue in API endpoints that may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.

The flaw is rated Critical with a CVSSv3 score of 9.1. Fortinet says the issue was internally discovered as part of a company audit, was published on May 12, 2026, and is not known to have been exploited in the wild.

The affected FortiAuthenticator versions are:

  • FortiAuthenticator 8.0.0 and 8.0.2 — upgrade to 8.0.3 or later
  • FortiAuthenticator 6.6.0 through 6.6.8 — upgrade to 6.6.9 or later
  • FortiAuthenticator 6.5.0 through 6.5.6 — upgrade to 6.5.7 or later

Fortinet says FortiAuthenticator Cloud is not impacted. For organizations that cannot patch immediately, Fortinet lists one workaround: disable API access for exposed interfaces through Network -> Interfaces -> Access Rights.

FortiSandbox Also Hit by Critical RCE Risk

The second vulnerability, CVE-2026-26083, affects FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS. Fortinet describes it as a Missing Authorization issue in the WEB UI that may allow an unauthenticated attacker to execute unauthorized code or commands via HTTP requests.

This flaw is also rated Critical with a CVSSv3 score of 9.1. Fortinet says it was internally discovered by Adham El karn of the Fortinet Product Security team, published on May 12, 2026, and is not known to have been exploited.

The affected FortiSandbox versions include:

  • FortiSandbox 5.0.0 through 5.0.1 — upgrade to 5.0.2 or later
  • FortiSandbox 4.4.0 through 4.4.8 — upgrade to 4.4.9 or later
  • FortiSandbox Cloud 24 and 23 — migrate to a fixed release
  • FortiSandbox Cloud 5.0.2 through 5.0.5 — upgrade to 5.0.6 or later
  • FortiSandbox PaaS 23.4, 23.3, 23.1, 22.2, 22.1, 21.4, and 21.3 — migrate to a fixed release
  • FortiSandbox PaaS 5.0.0 through 5.0.1 — upgrade to 5.0.2 or later
  • FortiSandbox PaaS 4.4.5 through 4.4.8 — upgrade to 4.4.9 or later

Why This Stands Out

The technical issue is serious enough on its own: unauthenticated code or command execution over exposed interfaces is the kind of bug attackers scan for quickly once details become public.

But the product context matters more. FortiAuthenticator is part of the identity layer. It helps manage authentication, MFA, SSO, identity provider functions, RADIUS, TACACS+, certificate authority services, and access enforcement across enterprise environments. A weakness in that layer is not just another appliance bug; it can become a trust-path problem.

FortiSandbox sits on the detection side of the house. It is designed to analyze suspicious files, detect unknown malware, support zero-day protection workflows, and integrate with other Fortinet Security Fabric products. When a defensive analysis platform becomes remotely exploitable, defenders need to treat it as both a security tool and a potentially sensitive system.

Why Defenders Should Move Fast

Fortinet has not marked either flaw as exploited, which is important. This is not currently a confirmed active-exploitation story based on the vendor advisories.

Still, the exposure profile is uncomfortable. Both advisories involve unauthenticated attack paths. Both carry CVSS 9.1 severity. Both affect systems that may be reachable by administrators, integrated with other security controls, or deployed in privileged positions inside the network.

For defenders, the priority is straightforward: identify exposed FortiAuthenticator and FortiSandbox instances, confirm version numbers, apply the fixed releases, and reduce management or API exposure where possible. The FortiAuthenticator workaround should be considered a temporary control, not a replacement for patching.
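The "confirm version numbers" step is where mistakes happen at scale, so here is an added example (not Fortinet tooling and not part of the article) that triages a device inventory against the affected ranges listed above. It queries nothing: the inventory is constructed sample data in host,product,version form, product names are matched as plain strings, and the FortiAuthenticator 8.0 line ("8.0.0 and 8.0.2") is treated as an inclusive range, which is an assumption worth checking against the vendor PSIRT page.

```python
"""Triage a device inventory against the affected-version ranges this article
lists for CVE-2026-44277 (FortiAuthenticator) and CVE-2026-26083
(FortiSandbox, FortiSandbox Cloud, FortiSandbox PaaS).

Added example for this page, not vendor code. The inventory below is
constructed sample data; nothing here connects to a device."""

import re
from dataclasses import dataclass


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '6.6.8' (or '6.6.8-build0123') into (6, 6, 8) for numeric comparison."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(part) for part in m.group(1).split("."))


@dataclass(frozen=True)
class Affected:
    product: str
    cve: str
    action: str
    low: str = ""                 # inclusive numeric range, used when `lines` is empty
    high: str = ""
    lines: tuple[str, ...] = ()   # whole release lines, e.g. "24" matches 24 and 24.x

    def matches(self, product: str, version: str) -> bool:
        if product != self.product:
            return False
        if self.lines:
            return any(version == ln or version.startswith(ln + ".") for ln in self.lines)
        return parse_version(self.low) <= parse_version(version) <= parse_version(self.high)


# Ranges transcribed from the advisory summaries in the article. The first entry
# reads "8.0.0 and 8.0.2" on the page; modelling it as the inclusive range
# 8.0.0-8.0.2 is an assumption, so an 8.0.1 hit should be confirmed with the vendor.
AFFECTED = [
    Affected("FortiAuthenticator", "CVE-2026-44277", "upgrade to 8.0.3 or later", "8.0.0", "8.0.2"),
    Affected("FortiAuthenticator", "CVE-2026-44277", "upgrade to 6.6.9 or later", "6.6.0", "6.6.8"),
    Affected("FortiAuthenticator", "CVE-2026-44277", "upgrade to 6.5.7 or later", "6.5.0", "6.5.6"),
    Affected("FortiSandbox", "CVE-2026-26083", "upgrade to 5.0.2 or later", "5.0.0", "5.0.1"),
    Affected("FortiSandbox", "CVE-2026-26083", "upgrade to 4.4.9 or later", "4.4.0", "4.4.8"),
    Affected("FortiSandbox Cloud", "CVE-2026-26083", "migrate to a fixed release", lines=("24", "23")),
    Affected("FortiSandbox Cloud", "CVE-2026-26083", "upgrade to 5.0.6 or later", "5.0.2", "5.0.5"),
    Affected("FortiSandbox PaaS", "CVE-2026-26083", "migrate to a fixed release",
             lines=("23.4", "23.3", "23.1", "22.2", "22.1", "21.4", "21.3")),
    Affected("FortiSandbox PaaS", "CVE-2026-26083", "upgrade to 5.0.2 or later", "5.0.0", "5.0.1"),
    Affected("FortiSandbox PaaS", "CVE-2026-26083", "upgrade to 4.4.9 or later", "4.4.5", "4.4.8"),
]

COVERED_PRODUCTS = {entry.product for entry in AFFECTED}
# The article quotes Fortinet as saying this product is not impacted by CVE-2026-44277.
NOT_AFFECTED_PRODUCTS = {"FortiAuthenticator Cloud"}


def assess(product: str, version: str) -> tuple[str, str]:
    """Return (status, detail) for one device; status is one of
    affected / not-listed / not-affected / not-covered."""
    if product in NOT_AFFECTED_PRODUCTS:
        return "not-affected", "vendor states this product is not impacted"
    if product not in COVERED_PRODUCTS:
        return "not-covered", "no advisory on this page for this product"
    for entry in AFFECTED:
        if entry.matches(product, version):
            return "affected", f"{entry.cve}: {entry.action}"
    return "not-listed", "version outside the affected ranges published so far"


def triage(inventory_csv: str) -> list[dict]:
    """Parse 'host,product,version' lines and assess each; blank and '#' lines are skipped."""
    results = []
    for raw in inventory_csv.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        host, product, version = (field.strip() for field in line.split(",", 2))
        status, detail = assess(product, version)
        results.append({"host": host, "product": product, "version": version,
                        "status": status, "detail": detail})
    return results


# Constructed sample inventory: hostnames and versions are made up for the demo.
SAMPLE_INVENTORY = """\
# host,product,version
fac-01,FortiAuthenticator,6.6.4
fac-02,FortiAuthenticator,6.6.9
fsa-01,FortiSandbox,4.4.8
fsa-cloud-01,FortiSandbox Cloud,5.0.6
fsa-paas-01,FortiSandbox PaaS,23.4
fgt-01,FortiGate,7.4.3
"""

if __name__ == "__main__":
    for r in triage(SAMPLE_INVENTORY):
        print(f"{r['host']:<14}{r['product']:<22}{r['version']:<8}{r['status']:<13}{r['detail']}")
```

Feed it the export from whatever asset inventory you actually keep; the point of comparing parsed tuples rather than strings is that 4.4.10 correctly sorts above 4.4.9, which a string comparison gets wrong. A "not-listed" result means only that the version is outside the ranges published so far, not that the box is safe, so re-run it if the advisories are updated.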

Bigger Picture

This is another reminder that security infrastructure has become a high-value target class. Identity systems, firewalls, VPNs, endpoint management platforms, and sandboxing appliances often hold privileged network position, sensitive telemetry, or administrative reach into other systems.

That makes patch timing operationally important. A vulnerable internet-facing business application is dangerous; a vulnerable security appliance can be more useful to an attacker because it may already sit near authentication flows, inspection pipelines, administrative networks, or trusted integrations.

The absence of known exploitation should not slow remediation. It should give defenders a narrow window to act before exploit development, scanning, or opportunistic targeting changes the risk calculation.

NeuraCyb's Assessment

The sharpest risk here is not just remote code execution. It is remote code execution in systems defenders rely on to decide who is trusted and what is malicious. Patch FortiAuthenticator and FortiSandbox quickly, restrict exposed management surfaces, and treat these appliances as tier-one security assets rather than passive infrastructure.


Ash K
Ashton is a seasoned Cybersecurity Professional with over 25 years of experience in Cybersecurity Research, Cybersecurity Incident response, Products and Security Solutions architecture.