Fortinet Patches Critical RCE Flaws in FortiAuthenticator and FortiSandbox
Fortinet released fixes for two critical vulnerabilities that could let remote, unauthenticated attackers run unauthorized code or commands on exposed systems. The first, CVE-2026-44277, is an improper access control flaw in FortiAuthenticator with a CVSS 9.1 rating; it affects versions 8.0.0, 8.0.2, 6.6.0-6.6.8, and 6.5.0-6.5.6, and was patched in 8.0.3, 6.6.9, and 6.5.7. Fortinet said the issue stems from insufficient authorization checks on API endpoints and could allow unauthorized API access, privilege escalation, and command execution, while FortiAuthenticator Cloud is not affected.
Fortinet also disclosed CVE-2026-26083, a CVSS 9.1 missing-authorization flaw in the FortiSandbox Web UI that impacts FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS, potentially enabling arbitrary code execution across on-premises and cloud deployments. Canada’s Cyber Centre warned that the advisories span multiple Fortinet products and urged administrators to review Fortinet PSIRT notices and apply updates promptly. Public reporting said Fortinet had not observed either flaw being exploited in the wild at disclosure, but the breadth of affected security infrastructure and Fortinet’s history of high-value exploitation have increased urgency around patching exposed appliances.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Canadian Centre for Cyber Security issues alert on Fortinet advisories
Also on 2026-05-12, the Canadian Centre for Cyber Security published advisory AV26-454 highlighting Fortinet's newly released security advisories across multiple products. It urged administrators to review the PSIRT notices and apply the necessary updates for affected on-premises and cloud products.
Fortinet publishes advisories and patches for critical FortiAuthenticator and FortiSandbox flaws
On 2026-05-12, Fortinet disclosed critical vulnerabilities including CVE-2026-44277 in FortiAuthenticator and CVE-2026-26083 in FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS. The company released fixed versions, including FortiAuthenticator 6.5.7, 6.6.9, and 8.0.3, and advised customers to upgrade or migrate affected deployments.
Fortinet receives CVE-2026-44277 report for FortiAuthenticator
Fortinet PSIRT received CVE-2026-44277 on 2026-05-12 for an improper access control flaw in FortiAuthenticator. The vulnerability was described as network-exploitable and capable of enabling unauthorized API access, privilege escalation, and unauthorized code or command execution.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
10 references tracked. Mallory keeps watching after this page renders.
Fortinet Patch Tuesday - May 2026 - TheCyberThrone
thecyberthrone.in
Open sourceFortinet addresses critical vulnerabilities in FortiSandbox and FortiAuthenticator | brief | SC Media
scworld.com
Open sourceCritical fortinet vulnerabilities fixed in FortiSandbox and FortiAuthenticator
securityaffairs.com
Open sourceFortinet fixes two critical RCE flaws in FortiAuthenticator and FortiSandbox | CSO Online
csoonline.com
Open sourceCritical Fortinet FortiSandbox Vulnerability Enables Code Execution Attacks - Cyber Security News
cybersecuritynews.com
Open sourceFortinet warns of critical RCE flaws in FortiSandbox and FortiAuthenticator
bleepingcomputer.com
Open sourcePSIRT | FortiGuard Labs
fortiguard.fortinet.com
Open sourceCVE-2026-44277 - Fortinet FortiAuthenticator Command Injection Vulnerability
cvefeed.io
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Fortinet Patches Critical FortiSandbox and FortiManager Command-Execution Flaws
Fortinet issued multiple 2026 security advisories covering a broad set of vulnerabilities across **FortiSandbox, FortiManager, FortiAnalyzer, FortiOS, FortiAP, FortiProxy, FortiPAM, FortiSwitchManager, FortiSwitchAXFixed,** and related cloud offerings. The most severe flaws affect **FortiSandbox**, including `CVE-2026-39808`, an unauthenticated OS command injection bug that could allow arbitrary command execution and full device compromise, `CVE-2026-39813`, a path traversal issue in the JRPC API that may enable authentication bypass and privilege escalation, and `CVE-2026-26083`, a missing authorization flaw that can expose restricted functionality and sensitive sandbox analysis data through the GUI without authentication. National cyber authorities in Canada and Belgium separately warned organizations to apply Fortinet’s fixes immediately. Fortinet also disclosed high-risk issues in management platforms, notably `CVE-2025-54820`, a stack-based buffer overflow in the **FortiManager** `fgtupdates` service that can let remote unauthenticated attackers execute unauthorized commands when the service is enabled, as well as a heap-based buffer overflow affecting **FortiAnalyzer Cloud** and **FortiManager Cloud**. Additional weaknesses across the product line include authentication and MFA bypasses, SQL injection, API denial of service, CLI command injection in FortiAP, CAPWAP daemon memory corruption in FortiOS, stored and reflected XSS, improper access control, and credential exposure. Fortinet advised customers to upgrade to fixed releases, disable exposed services such as `fgtupdates` where possible, restrict CLI, SSH, and API access, and monitor logs for anomalous authentication, privilege escalation, and endpoint activity.
Jun 18, 2026
Critical FortiSandbox API Flaws Enable Unauthenticated Command Execution
Fortinet disclosed two critical vulnerabilities in **FortiSandbox** that allow remote, unauthenticated attackers to compromise exposed appliances through crafted HTTP requests. **`CVE-2026-39808`** is an OS command injection flaw in the FortiSandbox API that can lead to unauthorized command or code execution, while **`CVE-2026-39813`** is a path traversal issue in the JRPC API that can bypass authentication and enable privilege escalation. Both issues carry a **CVSS v3 score of 9.1**. The flaws affect **FortiSandbox 4.4.0 through 4.4.8**, and **`CVE-2026-39813`** also impacts **5.0.0 through 5.0.5**. Fortinet released fixes in **4.4.9** for both vulnerabilities and **5.0.6** for the JRPC issue, and said it had not observed exploitation in the wild at the time of disclosure. Organizations were urged to patch immediately, review internet-exposed deployments, and restrict API access to trusted networks until upgrades are completed.
Apr 16, 2026
Multiple Critical Vulnerabilities Disclosed in Fortinet FortiSandbox and FortiWeb Products
Fortinet has addressed several critical vulnerabilities affecting its FortiSandbox and FortiWeb products, with public advisories and technical details released on December 16, 2025. The most severe issues impact FortiSandbox, where multiple command injection vulnerabilities (CVE-2025-53949) allow authenticated attackers to execute arbitrary code as root via the `admindel_confirm`, `name`, and `upload_vdi_file` parameters. Additionally, a cross-site scripting vulnerability (CVE-2025-54353) in the `hcproxy` component could enable remote code execution with minimal user interaction. Fortinet has released patches for these flaws, and users are strongly advised to update affected systems immediately. For FortiWeb, a critical authentication bypass vulnerability (CVE-2025-64447) was disclosed, stemming from improper verification of cryptographic signatures in the `ApacheCookie_parse` method, allowing unauthenticated attackers to gain access. These disclosures follow recent reports of active exploitation of a separate FortiWeb vulnerability (CVE-2025-64446), which enables unauthenticated attackers to create rogue administrator accounts and fully compromise exposed devices. Organizations using FortiWeb and FortiSandbox should review the official advisories and apply the recommended mitigations to prevent exploitation.
Mar 21, 2026