Full Report
Fortinet has released security patches for two critical vulnerabilities in FortiSandbox and FortiAuthenticator that could enable attackers to run commands or arbitrary code. [...]
Analysis Summary
# Vulnerability: Critical RCE in FortiAuthenticator and FortiSandbox
## CVE Details
- **CVE ID:** CVE-2026-44277 (FortiAuthenticator) / CVE-2026-26083 (FortiSandbox)
- **CVSS Score:** Critical (Numerical score not explicitly provided, but categorized as critical by vendor)
- **CWE:** CWE-284 (Improper Access Control) / CWE-862 (Missing Authorization)
## Affected Systems
- **Products:**
  - FortiAuthenticator (IAM solution)
  - FortiSandbox (including Cloud and PaaS Web UI)
- **Versions:**
  - FortiAuthenticator: versions prior to 6.5.7, 6.6.9, and 8.0.3
  - FortiSandbox: versions prior to the patched releases (the source does not list specific fixed versions; see Remediation)
- **Configurations:**
  - FortiAuthenticator: on-premise instances only (FortiAuthenticator Cloud/IDaaS is **not** impacted).
  - FortiSandbox: the Web UI component of hardware, cloud, and PaaS deployments.
## Vulnerability Description
Both vulnerabilities allow for unauthenticated Remote Code Execution (RCE).
- **CVE-2026-44277 (FortiAuthenticator):** An improper access control flaw where an attacker can bypass security restrictions via crafted requests to execute unauthorized commands.
- **CVE-2026-26083 (FortiSandbox):** A missing authorization check in the Web User Interface (Web UI). This allows an attacker to send malicious HTTP requests that trigger unauthorized code execution on the appliance.
## Exploitation
- **Status:** Not currently observed in the wild; no public PoC confirmed in the provided text.
- **Complexity:** Low (Unauthenticated access via network requests).
- **Attack Vector:** Network (Remote).
## Impact
- **Confidentiality:** High (Full access to system data and credentials).
- **Integrity:** High (Ability to execute arbitrary commands/modify system state).
- **Availability:** High (Potential for system takeover or service disruption).
## Remediation
### Patches
Fortinet has released the following security updates:
- **FortiAuthenticator:** Upgrade to versions **6.5.7, 6.6.9, 8.0.3**, or higher.
- **FortiSandbox:** Update to the latest patched release for your branch; the source does not list fixed versions, so consult the FortiGuard PSIRT advisory for the exact numbers.
### Workarounds
No official workarounds were provided in the article. Updating immediately is strongly recommended, as RCE flaws in Fortinet products have historically been targeted by ransomware and state-sponsored actors.
## Detection
- **Indicators of Compromise:** Unusual administrative or "root" level activity originating from the web server/management interface.
- **Detection methods and tools:**
  - Monitor web server logs for suspicious HTTP requests targeting the management UI.
  - Use vulnerability scanners to identify unpatched Fortinet firmware versions.
  - Check the FortiGuard PSIRT portal for updated signatures (IPS/AV) related to these CVEs.
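The version check behind the "identify unpatched firmware" step, as an added example that is not part of the original report: it gates FortiAuthenticator hosts against the fixed releases named above (6.5.7, 6.6.9, 8.0.3) per branch, excludes Cloud/IDaaS deployments as the advisory does, and flags branches the advisory does not name rather than guessing. The inventory rows are constructed sample data.

```python
"""Branch-aware patch-level check for FortiAuthenticator (added example)."""
from typing import Dict, List, Tuple

# Minimum patched release per branch, taken from the advisory text.
# Branches not listed here are not covered by the advisory and are flagged.
FIXED: Dict[Tuple[int, int], Tuple[int, ...]] = {
    (6, 5): (6, 5, 7),
    (6, 6): (6, 6, 9),
    (8, 0): (8, 0, 3),
}


def parse_version(version: str) -> Tuple[int, ...]:
    """'6.6.10' -> (6, 6, 10). Numeric tuples compare correctly, whereas the
    string '6.6.10' would sort below '6.6.9' and hide a patched host."""
    parts = [int(p) for p in version.strip().split(".")]
    while len(parts) < 3:          # pad '6.5' to (6, 5, 0)
        parts.append(0)
    return tuple(parts)


def assess(version: str, deployment: str = "on-prem") -> str:
    """Return one of: vulnerable, patched, not_affected, unknown_branch."""
    if deployment.lower() in ("cloud", "idaas"):
        return "not_affected"      # advisory: Cloud/IDaaS is not impacted
    parsed = parse_version(version)
    fixed = FIXED.get(parsed[:2])
    if fixed is None:
        return "unknown_branch"    # verify against the PSIRT advisory
    return "patched" if parsed >= fixed else "vulnerable"


def triage(inventory: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group host names by assessment result."""
    result: Dict[str, List[str]] = {}
    for host in inventory:
        status = assess(host["version"], host.get("deployment", "on-prem"))
        result.setdefault(status, []).append(host["name"])
    return result


# Constructed sample inventory (hypothetical host names and versions).
SAMPLE_INVENTORY = [
    {"name": "fac-dc1", "version": "6.5.6"},
    {"name": "fac-dc2", "version": "6.6.10"},
    {"name": "fac-lab", "version": "8.0.2"},
    {"name": "fac-old", "version": "7.0.1"},
    {"name": "fac-idaas", "version": "6.6.3", "deployment": "idaas"},
]

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status:15} {', '.join(hosts)}")
```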
## References
- **Vendor advisories:**
  - hxxps[://]fortiguard[.]fortinet[.]com/psirt/FG-IR-26-128
- **Relevant links:**
  - hxxps[://]www[.]bleepingcomputer[.]com/news/security/fortinet-warns-of-critical-rce-flaws-in-fortisandbox-and-fortiauthenticator/
  - hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2026-21643 (reference to a related EMS flaw)