Fortinet has released security updates addressing two critical vulnerabilities affecting Fortinet products FortiSandbox and FortiAuthenticator. Both vulnerabilities carry a CVSS score of 9.1 and may allow unauthenticated remote code execution (RCE) through specially crafted HTTP requests. Successful exploitation could result in full system compromise, unauthorized command execution, and potential takeover of enterprise identity and security infrastructure.
Affected Vulnerabilities
Technical Overview
CVE-2026-26083 – FortiSandbox
The vulnerability affects the FortiSandbox Web UI, including:
- FortiSandbox (on-premises)
- FortiSandbox Cloud
- FortiSandbox PaaS
The flaw stems from missing authorization checks that could permit attackers to execute arbitrary commands remotely. Since FortiSandbox is commonly deployed as a malware analysis and threat inspection platform, compromise of this appliance could undermine an organization’s security monitoring and malware detection capabilities.
CVE-2026-44277 – FortiAuthenticator
This vulnerability affects on-premises FortiAuthenticator deployments and allows unauthenticated attackers to execute unauthorized code through crafted requests. Because FortiAuthenticator manages:
- Multi-factor authentication (MFA)
- Identity management
- Authentication trust chains
- RADIUS and certificate services
successful exploitation may allow attackers to bypass authentication controls and pivot deeper into enterprise environments.
Affected Versions
Risk Assessment : Risk Level: CRITICAL
Potential Vulnerability impacts include:
- Remote system takeover
- Authentication bypass
- Unauthorized command execution
- Disruption of malware analysis workflows
- Lateral movement within enterprise networks
- Compromise of IAM infrastructure
Recommended Actions
- Apply security patches immediately
- Upgrade FortiAuthenticator to:
- 6.5.7+
- 6.6.9+
- 8.0.3+
- Upgrade FortiSandbox to:
- 5.0.2+
- 4.4.9+
- 5.0.6+ (Cloud)
- Upgrade FortiAuthenticator to:
- Disable public internet access to admin portals and Limit access using VPNs or trusted IP ranges
- Implement network segmentation
- Monitor for suspicious activities
- Unexpected HTTP requests
- Unauthorized account creation
- Abnormal outbound connections
- Privilege escalation attempts
- Inspect authentication log and Monitor FortiSandbox and FortiAuthenticator events
- Enable MFA and hardened access policies
Indicators of Concern
- Unusual HTTP requests targeting Fortinet Web UI endpoints
- Suspicious outbound communications from FortiSandbox systems
- Unauthorized configuration changes
- Authentication anomalies within IAM systems
- Unexpected service account activity
.png)
.png)