Fortinet Patches Critical RCE in FortiSandbox, FortiAuthenticator
Fortinet discloses CVE-2026-44277 and CVE-2026-26083, unauthenticated RCE flaws affecting FortiSandbox and FortiAuthenticator. Patch now before attackers weaponize these.
Fortinet has disclosed two critical remote code execution vulnerabilities affecting FortiSandbox and FortiAuthenticator—products that sit at the heart of enterprise security stacks. Both flaws allow unauthenticated attackers to execute arbitrary commands via crafted HTTP requests, and neither requires any form of prior access. Given how quickly attackers weaponize Fortinet flaws, organizations should treat these as drop-everything patches.
This marks the second wave of critical FortiSandbox patches in under a month. In April, Fortinet addressed two auth bypass and RCE flaws scoring CVSS 9.1 in the same product line. Organizations that patched then should verify they're also covered for these new CVEs.
What's Being Patched
CVE-2026-44277: FortiAuthenticator Improper Access Control
An improper access control vulnerability (CWE-284) in FortiAuthenticator allows unauthenticated attackers to execute unauthorized code or commands via crafted requests. The flaw affects FortiAuthenticator versions 6.5.7, 6.6.9, and 8.0.3.
FortiAuthenticator serves as a centralized authentication server for Fortinet deployments, handling RADIUS, LDAP, and SAML authentication across the security fabric. Compromise here could give attackers a foothold to pivot across the entire Fortinet ecosystem.
CVE-2026-26083: FortiSandbox Missing Authorization
A missing authorization vulnerability (CWE-862) in FortiSandbox enables unauthenticated attackers to execute code or commands via HTTP requests. This affects FortiSandbox on-premises appliances, FortiSandbox Cloud, and FortiSandbox PaaS deployments.
FortiSandbox analyzes suspicious files before they reach endpoints. A compromised sandbox could be manipulated to mark malicious files as clean, effectively blinding downstream security controls.
Fortinet has not assigned public CVSS scores at publication time, but the unauthenticated RCE capability places these squarely in critical territory.
Why This Matters
Fortinet appliances have become a favorite target for both nation-state actors and ransomware operators. CISA's Known Exploited Vulnerabilities catalog lists 24 Fortinet flaws as actively exploited in the wild, with 13 linked to ransomware campaigns.
The pattern is consistent: critical Fortinet vulnerabilities move from disclosure to active exploitation fast. When Fortinet released emergency guidance for CVE-2026-24858 in January, attackers were already exploiting it. The company had to disable FortiCloud SSO entirely to contain the damage.
FortiAuthenticator and FortiSandbox sit in positions of trust. Authentication servers validate identities across the network; sandboxes render verdicts on whether files are safe. Attackers who compromise either gain influence far beyond the device itself.
We've previously covered an AI-assisted threat actor who compromised 600 FortiGate devices using a combination of known vulnerabilities and automated reconnaissance. The attack chain started with a single unpatched appliance.
Who's Affected
FortiAuthenticator:
- Version 6.5.7
- Version 6.6.9
- Version 8.0.3
FortiAuthenticator Cloud (IDaaS) is not affected, according to Fortinet's advisory.
FortiSandbox:
- FortiSandbox on-premises appliances (versions unspecified in initial disclosure)
- FortiSandbox Cloud
- FortiSandbox PaaS
Organizations should consult Fortinet's PSIRT advisories for exact version matrices and patched releases.
Mitigation Steps
- Patch immediately. Download the latest FortiAuthenticator and FortiSandbox releases from Fortinet's support portal.
- Audit network exposure. Neither product should be directly accessible from the internet. If you're running FortiSandbox Cloud or FortiAuthenticator with public-facing interfaces, restrict access to known IP ranges while patching.
- Review logs for anomalies. Look for unusual HTTP requests targeting FortiSandbox and FortiAuthenticator APIs, particularly high-volume or malformed requests that could indicate probing.
- Check your patch history. If you deployed CISA's KEV-mandated FortiClient EMS patches in April, verify your FortiSandbox and FortiAuthenticator instances were included in the same maintenance window.
- Assume prior compromise if unpatched. Given how quickly Fortinet vulns get weaponized, organizations running vulnerable versions should conduct forensic analysis before patching.
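One way to automate the log review in the steps above, as an added example that is not part of this article or of any Fortinet tooling: it reads a constructed access log in a combined-log-style layout (the real appliance export format, the field regexes and the thresholds are all assumptions) and flags malformed request lines, per-source request bursts, and sources that rack up error responses, which is the kind of probing the steps tell you to look for.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed combined-log-style layout; adapt LINE_RE to the real appliance log export.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+$')
REQ_RE = re.compile(r'^(GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH) (/\S*) HTTP/\d\.\d$')
# Encoded traversal, null bytes, CRLF or raw control characters in a path mark a probe, not a client.
ODD_PATH = re.compile(r'%2e%2e|\.\./|%00|%0d|%0a|[\x00-\x1f]', re.IGNORECASE)

def parse(line):
    # Return (ip, timestamp, request_line, status) or None if the line is unparseable.
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, req, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), req, int(status)

def triage(log_text, burst=5, window_s=60, err=3):
    """Flag malformed requests, sources with > burst hits in window_s seconds, and error-heavy sources."""
    per_ip, errors = defaultdict(list), defaultdict(int)
    findings = {"malformed": [], "bursty": set(), "error_heavy": set()}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:                      # unparseable line: treat as malformed
            findings["malformed"].append(line)
            continue
        ip, when, req, status = rec
        per_ip[ip].append(when)
        if status >= 400:
            errors[ip] += 1
        rm = REQ_RE.match(req)
        if rm is None or ODD_PATH.search(rm.group(2)):   # bad method/shape or suspicious path
            findings["malformed"].append(line)
    for ip, times in per_ip.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):       # sliding window over sorted timestamps
            while (t - times[lo]).total_seconds() > window_s:
                lo += 1
            if hi - lo + 1 > burst:
                findings["bursty"].add(ip)
                break
    findings["error_heavy"] = {ip for ip, n in errors.items() if n >= err}
    return findings

# Constructed sample log (not real appliance output): a benign login, a bogus method, six traversal probes in 10 s.
SAMPLE_LOG = "\n".join(
    ['10.0.5.21 - - [12/May/2026:09:00:01 +0000] "POST /login/ HTTP/1.1" 302 0',
     '198.51.100.7 - - [12/May/2026:09:02:00 +0000] "FOO /guest HTTP/1.1" 400 0']
    + [f'203.0.113.9 - - [12/May/2026:09:05:{s:02d} +0000] "GET /api/%2e%2e/x{s} HTTP/1.1" 404 0'
       for s in range(0, 12, 2)])
```

Tune `burst`, `window_s` and `err` to the normal traffic profile of the appliance before treating a hit as an incident indicator.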
The Bigger Picture
Fortinet's security posture has taken repeated hits this year. Between FortiGate auth bypasses, FortiClient EMS SQL injection, and FortiSandbox RCE chains, administrators are patching Fortinet infrastructure at an exhausting cadence.
The company hasn't reported active exploitation of CVE-2026-44277 or CVE-2026-26083 yet. That window won't stay open long. Threat actors actively monitor Fortinet's security advisories and have demonstrated they can weaponize critical flaws within days of disclosure.
Patch now. Verify later.