FortiSandbox and FortiAuthenticator: Critical RCE Fixes

Fortinet released patches for critical RCE flaws in FortiSandbox and FortiAuthenticator. Unpatched systems could allow command execution.
A new pair of critical security flaws is putting unpatched Fortinet systems back in the spotlight, with both issues described as paths to remote code execution through unauthorized commands.
Fortinet said it has issued security updates to address two vulnerabilities affecting FortiSandbox and FortiAuthenticator. The company warned that attackers could exploit the flaws to run commands or execute arbitrary code on systems that haven’t been updated, underscoring the continuing risk posed by internet-facing security infrastructure.
The first issue is tracked as CVE-2026-44277 and impacts FortiAuthenticator, Fortinet’s identity and access management (IAM) solution. Fortinet patched this vulnerability in FortiAuthenticator versions 6.5.7, 6.6.9, and 8.0.3.
In its advisory, Fortinet described CVE-2026-44277 as an improper access control weakness. It said an unauthenticated attacker may be able to execute unauthorized code or commands by sending crafted requests, meaning the attack does not rely on a prior login to succeed.
Fortinet also clarified that FortiAuthenticator Cloud, which it described as FortiTrust Identity and an IAM-as-a-Service (IDaaS) offering hosted and managed by the company, is not affected by CVE-2026-44277. That distinction matters for administrators deciding where to apply urgency and how to validate whether their environment is truly exposed.
The second vulnerability, CVE-2026-26083, targets FortiSandbox and is tied to a missing authorization weakness. Fortinet said this could allow an unauthenticated attacker to execute unauthorized code or commands via HTTP requests, expanding the threat model beyond scenarios where an attacker needs credentials.
Fortinet noted that the affected surface includes FortiSandbox, FortiSandbox Cloud, and the FortiSandbox PaaS web UI. While FortiSandbox is designed to help protect organizations against malicious activity, including zero-day threats, these newly disclosed weaknesses highlight that even defensive platforms can become entry points when authorization boundaries fail.
Although Fortinet did not indicate that either flaw had been exploited in the wild at the time of publication, the company’s vulnerabilities have often gone on to be leveraged in ransomware and cyber-espionage activity. Security teams frequently treat newly disclosed issues as “patch now” items, particularly when the reported conditions involve unauthenticated access.
That concern is reinforced by Fortinet’s past track record and by how quickly some issues have later shown up in active campaigns. In February, Fortinet addressed another critical vulnerability—CVE-2026-21643—in the FortiClient Enterprise Management Server (EMS) platform.
In that case, threat intelligence had flagged CVE-2026-21643 as actively exploited one month later, illustrating how exploit development and targeting can lag behind disclosure and patch availability.
The pattern has also prompted government-level guidance. In early April, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered federal agencies to secure FortiClient Enterprise Management Server instances against an actively exploited authentication bypass flaw, identified as CVE-2026-35616.
More broadly, CISA has added 24 Fortinet vulnerabilities to its catalog of actively exploited security flaws in recent years, and 13 of those were reported as being abused in ransomware attacks. Taken together, the advisory and recent history create a clear message for defenders: waiting for public indicators of compromise can be risky when remote execution and unauthenticated triggers are involved.
For organizations relying on FortiAuthenticator and FortiSandbox, the immediate operational priority is to validate patch levels against the specific version ranges Fortinet listed for CVE-2026-44277 and confirm exposure for the FortiSandbox components named for CVE-2026-26083. Because both issues involve crafted requests and HTTP access paths, administrators should also ensure internet-facing interfaces are monitored closely during rollout.
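The patch-level check described above can be scripted against an asset inventory. The following is an added example, not code from Fortinet or from the original article; the hostnames, the inventory format and the build-suffix style are constructed, and only the fixed releases 6.5.7, 6.6.9 and 8.0.3 come from the article. Branches the article does not name are reported for manual review against the advisory rather than guessed.

```python
import re

# Fixed FortiAuthenticator releases per branch, as listed in the article
# for CVE-2026-44277. No other branches are assumed.
FIXED = {(6, 5): (6, 5, 7), (6, 6): (6, 6, 9), (8, 0): (8, 0, 3)}

_VERSION = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch), or None if no version is found."""
    m = _VERSION.match(text.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def classify(version_text):
    """Classify one FortiAuthenticator version string."""
    version = parse_version(version_text)
    if version is None:
        return "unparsed"
    fixed = FIXED.get(version[:2])
    if fixed is None:
        # Branch not named in the article: do not guess, check the advisory.
        return "check-advisory"
    # Tuple comparison is numeric, so 6.5.10 correctly sorts after 6.5.7.
    return "patched" if version >= fixed else "needs-update"


def triage(inventory):
    """Return (host, version, status) rows, hosts needing work first."""
    order = {"needs-update": 0, "unparsed": 1, "check-advisory": 2, "patched": 3}
    rows = [(host, ver, classify(ver)) for host, ver in inventory.items()]
    return sorted(rows, key=lambda r: (order[r[2]], r[0]))


# Constructed sample inventory (hostnames and version strings are made up).
SAMPLE = {
    "fac-hq-01": "6.5.6",
    "fac-hq-02": "v6.6.9",
    "fac-dr-01": "8.0.3 build0123",
    "fac-lab-01": "6.4.10",
    "fac-old-01": "unknown",
}

if __name__ == "__main__":
    for host, ver, status in triage(SAMPLE):
        print(f"{host:12} {ver:18} {status}")
```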
The broader implication is that identity and threat-detection tooling continue to represent high-value targets. IAM platforms are central to controlling access, while sandboxing systems are used to constrain the impact of malicious files and behaviors—so failures in authorization controls can shift the risk from “detect and contain” to “attack and execute.”
So basically if you don’t update Fortinet you’re cooked? Cool cool.
I don’t get it, the article says attackers don’t need a login… but like how do they even find the system if it’s not exposed? Maybe everyone just leaves ports open?
FortiAuthenticator cloud isn’t affected, right? But I swear these “cloud not affected” things always end up affected later. Also the CVE numbers sound made up lol.
FortiSandbox is supposed to be protective and somehow it still lets someone run commands from HTTP?? That feels backwards. Maybe the update is just for the UI and not the actual sandbox? idk, I’m not IT, I just know my cousin said Fortinet never has issues until it does.