Fortinet warns of critical RCE flaws in FortiSandbox and FortiAuthenticator
by Sergiu Gatlan · BleepingComputer

Fortinet has released security updates to address two critical vulnerabilities in FortiSandbox and FortiAuthenticator that could enable attackers to run commands or arbitrary code on unpatched systems.
The first one, tracked as CVE-2026-44277, impacts the company's FortiAuthenticator Identity and Access Management (IAM) solution and was patched in FortiAuthenticator versions 6.5.7, 6.6.9, and 8.0.3.
"An Improper Access Control vulnerability [CWE-284] in FortiAuthenticator may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests," Fortinet said in a Tuesday advisory.
The company added that FortiAuthenticator Cloud (formerly known as FortiTrust Identity), an Identity and Access Management as a Service (IDaaS) cloud service hosted and managed by Fortinet, is not impacted by the issue.
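The fixed releases above are the only data point an administrator has for deciding whether an installed FortiAuthenticator is exposed to CVE-2026-44277. The following Python helper, an added example that is not Fortinet's tooling or part of the original article, encodes those fixed builds and compares an installed version against the matching branch. It assumes (the advisory text quoted here does not say) that each fixed release only covers its own major.minor branch, so a build from a branch the page does not list, such as 7.x, is reported as unknown rather than guessed at; the inventory entries are constructed sample data.

```python
"""Version triage for CVE-2026-44277 in FortiAuthenticator.

Added example, not Fortinet code. Fixed releases as reported by the
advisory: 6.5.7, 6.6.9 and 8.0.3. ASSUMPTION: each fixed release covers
only its own major.minor branch; any other branch is reported "unknown".
"""
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# branch (major, minor) -> first fixed build on that branch
FIXED_CVE_2026_44277: Dict[Tuple[int, int], Version] = {
    (6, 5): (6, 5, 7),
    (6, 6): (6, 6, 9),
    (8, 0): (8, 0, 3),
}


def parse_version(text: str) -> Version:
    """Parse 'v6.5.6' / '6.5.6' into a comparable (major, minor, patch) tuple."""
    parts = text.strip().lstrip("vV").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def triage(installed: str, fixed=FIXED_CVE_2026_44277) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for one installed build."""
    version = parse_version(installed)
    branch = version[:2]
    if branch not in fixed:
        # Branch not covered by the fixed releases we know about:
        # do not guess, send the reader to the vendor advisory.
        return "unknown"
    # Tuple comparison orders (major, minor, patch) numerically, so
    # 6.6.10 correctly sorts after 6.6.9 (a plain string compare would not).
    return "patched" if version >= fixed[branch] else "vulnerable"


def triage_inventory(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group hostnames by triage result for a list of (host, version) pairs."""
    result: Dict[str, List[str]] = {"patched": [], "vulnerable": [], "unknown": []}
    for host, version in inventory:
        result[triage(version)].append(host)
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("fac-dc1", "6.5.6"),
    ("fac-dc2", "6.5.7"),
    ("fac-lab", "6.6.10"),
    ("fac-edge", "8.0.2"),
    ("fac-legacy", "7.0.1"),
]

if __name__ == "__main__":
    for status, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{status:10s} {', '.join(hosts) or '-'}")
```

Run it against a real inventory export by replacing SAMPLE_INVENTORY; anything reported as unknown should be checked against Fortinet's advisory directly rather than assumed safe.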
Fortinet also addressed today a missing authorization weakness (CVE-2026-26083) that can be exploited to achieve remote code execution on vulnerable FortiSandbox systems, the company's sandboxing product designed to detect malicious activity, including zero-day threats.
"A missing authorization vulnerability [CWE-862] in FortiSandbox, FortiSandbox Cloud and FortiSandbox PaaS WEB UI may allow an unauthenticated attacker to execute unauthorized code or commands via HTTP requests," it added.
While the company didn't tag these two security flaws as being exploited in the wild, Fortinet vulnerabilities are frequently exploited in ransomware and cyber-espionage attacks, often as zero-days.
For instance, in February, it addressed another critical vulnerability (CVE-2026-21643) in the FortiClient Enterprise Management Server (EMS) platform, which threat intelligence company Defused flagged as actively exploited one month later.
More recently, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered federal agencies in early April to secure FortiClient Enterprise Management Server (EMS) instances against an actively exploited authentication bypass flaw (CVE-2026-35616).
In total, CISA has added 24 Fortinet vulnerabilities to its catalog of actively exploited security flaws in recent years, 13 of which were also abused in ransomware attacks.