Full Report
Multiple vulnerabilities have been discovered in Fortinet products, the most severe of which could allow for remote code execution.

- FortiAuthenticator is a centralized identity and access management (IAM) solution that secures network access by managing user identities, Multi-Factor Authentication (MFA), and certificate management.
- FortiSandbox is an advanced threat detection solution from Fortinet that uses sandboxing to analyze suspicious files and network traffic for advanced threats like zero-day malware and ransomware.

Successful exploitation of these vulnerabilities could lead to remote code execution. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer rights on the system could be less impacted than those who operate with administrative user rights.
Analysis Summary
# Vulnerability: Remote Code Execution in FortiAuthenticator and FortiSandbox
## CVE Details
- **CVE ID:** CVE-2026-44277
  - **CVSS Score:** Not explicitly provided in the text (Severity: High/Critical indicated)
  - **CWE:** CWE-284 (Improper Access Control)
- **CVE ID:** CVE-2026-26083
  - **CVSS Score:** Not explicitly provided in the text (Severity: High/Critical indicated)
  - **CWE:** CWE-862 (Missing Authorization)
## Affected Systems
- **Products:**
  - FortiAuthenticator (Identity and Access Management)
  - FortiSandbox (Threat Detection)
  - FortiSandbox Cloud
  - FortiSandbox PaaS
- **Versions:**
  - FortiAuthenticator: Versions prior to 8.0.3
  - FortiSandbox: Versions prior to 5.0.2
  - FortiSandbox Cloud: Versions prior to 5.0.6
  - FortiSandbox PaaS: Versions prior to 5.0.2
- **Configurations:** Systems with Web UI or public-facing management interfaces exposed to network traffic.
## Vulnerability Description
This advisory covers two distinct flaws that both lead to Remote Code Execution (RCE):
1. **CVE-2026-44277 (FortiAuthenticator):** An improper access control flaw allows an unauthenticated attacker to bypass security restrictions and execute unauthorized code or commands via specially crafted network requests.
2. **CVE-2026-26083 (FortiSandbox Products):** A missing authorization vulnerability within the Web UI allows an unauthenticated attacker to send malicious HTTP requests that trigger unauthorized command execution.
## Exploitation
- **Status:** Not currently reported as exploited in the wild.
- **Complexity:** Low (Targeting public-facing applications).
- **Attack Vector:** Network (Remote).
## Impact
- **Confidentiality:** High (Attacker can view or leak sensitive data).
- **Integrity:** High (Attacker can change/delete data or create administrative accounts).
- **Availability:** High (Attacker can install unauthorized programs or disrupt services).
## Remediation
### Patches
Fortinet recommends upgrading to the following versions:
- **FortiAuthenticator:** Update to version 8.0.3 or higher (or 7.4.7+ as updates become available).
- **FortiSandbox:** Update to version 5.0.2 or higher.
- **FortiSandbox Cloud:** Update to version 5.0.6 or higher.
- **FortiSandbox PaaS:** Update to version 5.0.2 or higher.
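
The fixed versions above can be checked against an asset inventory to produce an upgrade list. The following is an added example, not Fortinet tooling or part of the original advisory; the inventory rows and hostnames are constructed, and treating 7.4.7 as the fixed build for the FortiAuthenticator 7.4 branch is an assumption based on the "7.4.7+" note above.

```python
import re

# Fixed versions as listed under "Patches". The 7.4 branch entry follows the
# advisory's "7.4.7+" note and is an assumption until that build is published.
FIXED = {
    "FortiAuthenticator": {"default": (8, 0, 3), (7, 4): (7, 4, 7)},
    "FortiSandbox": {"default": (5, 0, 2)},
    "FortiSandbox Cloud": {"default": (5, 0, 6)},
    "FortiSandbox PaaS": {"default": (5, 0, 2)},
}
CVES = {"FortiAuthenticator": "CVE-2026-44277"}  # FortiSandbox variants: CVE-2026-26083

def parse_version(text):
    """Turn 'v8.0.2', '8.0.2-build0100' or '5.0' into a 3-tuple of ints."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def needs_upgrade(product, version):
    """Return (vulnerable?, fixed version to move to) for one asset."""
    rules = FIXED[product]
    ver = parse_version(version)
    # Use the branch-specific fix when one exists, otherwise the default.
    target = rules.get(ver[:2], rules["default"])
    return ver < target, ".".join(map(str, target))

def triage(inventory):
    """Return (host, product, cve, target) for rows below the fixed version."""
    findings = []
    for host, product, version in inventory:
        if product not in FIXED:
            continue  # product not covered by this advisory
        vulnerable, target = needs_upgrade(product, version)
        if vulnerable:
            cve = CVES.get(product, "CVE-2026-26083")
            findings.append((host, product, cve, target))
    return findings

# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE = [
    ("fac-01.example.internal", "FortiAuthenticator", "8.0.2"),
    ("fac-02.example.internal", "FortiAuthenticator", "v7.4.7"),
    ("fsa-01.example.internal", "FortiSandbox", "5.0.2-build0100"),
    ("fsa-cloud-01", "FortiSandbox Cloud", "5.0.5"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print("UPGRADE", *row)
```
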
### Workarounds
- **Network Segmentation:** Implement strict network segmentation to limit exposure of management interfaces (MITRE M1030).
- **Least Privilege:** Ensure user accounts are configured with the minimum necessary rights to mitigate impact if an account is compromised.
- **Access Control:** Restrict Web UI access to trusted internal IP addresses only.
## Detection
- **Indicators of Compromise:** Monitor for unusual HTTP requests to the Web UI or unexpected administrative account creation.
- **Detection Methods:**
  - Conduct automated vulnerability scans of externally-exposed assets (CIS Safeguard 7.6).
  - Perform authenticated application penetration testing (CIS Safeguard 16.13).
  - Monitor system logs for unauthorized command execution or unauthorized access to sensitive directories.
## References
- Fortinet Advisory (FortiAuthenticator): hXXps://www[.]fortiguard[.]com/psirt/FG-IR-26-136
- Fortinet Advisory (FortiSandbox): hXXps://www[.]fortiguard[.]com/psirt/FG-IR-26-128
- CVE Records:
  - hXXps://www[.]cve[.]org/CVERecord?id=CVE-2026-26083
  - hXXps://www[.]cve[.]org/CVERecord?id=CVE-2026-44277