VULNERABILITY BRIEF · 🔴 Critical Vulnerability

Critical Remote Code Execution in FortiAuthenticator (CVE‑2026‑44277) and FortiSandbox (CVE‑2026‑26083) Threatens Enterprise Security

Fortinet has patched two critical flaws, CVE‑2026‑44277 in FortiAuthenticator and CVE‑2026‑26083 in FortiSandbox, that allow unauthenticated attackers to execute arbitrary code. Both affect on‑premises releases still in widespread use, so they are a high‑risk exposure not only for organizations that run Fortinet security appliances themselves but for anyone whose service providers do.

LiveThreat™ Intelligence · 📅 May 13, 2026 · 📰 securityaffairs.com

Severity: Critical · Type: Vulnerability · Confidence: High · Affected: 2 sector(s) · Actions: 5 recommended · Source: securityaffairs.com


What It Is – Fortinet disclosed two critical vulnerabilities affecting its FortiAuthenticator and FortiSandbox product lines. CVE‑2026‑44277 is an improper access‑control flaw that lets an unauthenticated attacker execute arbitrary commands on FortiAuthenticator. CVE‑2026‑26083 is a missing‑authorization issue in the FortiSandbox web UI that also enables remote code execution.

Exploitability – Neither flaw is known to have been exploited in the wild as of publication. Proof‑of‑concept requests have been published by Fortinet's own research team, and each vulnerability carries a CVSS v3.1 base score of 9.8 (Critical). Unauthenticated code execution against an appliance management interface is the class of bug that is typically weaponized within days of disclosure, so the absence of in‑the‑wild reports should not slow down patching.

Affected Products

| Product | Affected Versions | Fixed Version |
|---------|-------------------|---------------|
| FortiAuthenticator | 8.0.0–8.0.2, 6.6.0–6.6.8, 6.5.0–6.5.6 | 8.0.3+, 6.6.9+, 6.5.7+ |
| FortiSandbox (incl. Cloud & PaaS) | All on‑premises releases prior to the May 2026 patch | Updated releases (see Fortinet advisory) |

CVE‑2026‑44277 does not affect FortiAuthenticator Cloud.

TPRM Impact – The flaws give attackers a direct foothold on network‑security appliances that many third‑party vendors rely on for segmentation, malware analysis, and authentication. A compromised FortiAuthenticator can expose the credential and token stores it manages, and a breached FortiSandbox can be used to pivot into the services that feed it samples, so any organization that outsources security operations to a provider running Fortinet appliances inherits this risk through that provider.

Recommended Actions

  • Patch immediately – Upgrade FortiAuthenticator to 8.0.3, 6.6.9, or 6.5.7 (or later within the same branch) and FortiSandbox to the fixed release named in Fortinet's advisory. Note that these are FortiAuthenticator and FortiSandbox releases, not FortiOS versions.
  • Validate version inventory – Run automated asset discovery and compare every discovered build against the affected ranges above; treat branches the advisory does not list as "verify", not as "safe".
  • Isolate and monitor – Until patches are applied, restrict the management interface to trusted administrative networks, segment FortiAuthenticator/FortiSandbox from critical assets, and log every HTTP request to the web UI so that unauthenticated requests from unexpected sources can be spotted.
  • Review third‑party contracts – Ensure service providers that operate Fortinet appliances on your behalf have applied the patches and can provide proof of remediation.
  • Update incident‑response playbooks – Add these CVEs to your vulnerability‑management and supply‑chain risk registers.
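One way to perform the version‑inventory check from the list above, as an added example and not Fortinet's tooling: the affected ranges are taken from the table in this brief, the inventory is constructed sample data, and the hostnames and the `v…-buildNNNN` suffix format are assumptions. The point it demonstrates is that the fix is branch‑specific (6.6.8 is vulnerable while 6.5.7 is fixed, even though 6.5.7 is "older"), that plain string comparison of version strings is wrong, and that a branch the advisory does not mention must be reported separately rather than silently treated as safe.

```python
"""Triage a FortiAuthenticator inventory against the affected ranges in the brief.

Added example; not Fortinet code. Ranges come from the brief's table.
Inventory below is constructed sample data; hostnames are hypothetical.
"""

# Affected ranges per the brief, keyed by (major, minor) branch:
#   value = (first affected build, first fixed build) -- fixed is exclusive.
FAC_RANGES = {
    (8, 0): ((8, 0, 0), (8, 0, 3)),   # 8.0.0-8.0.2 affected, 8.0.3+ fixed
    (6, 6): ((6, 6, 0), (6, 6, 9)),   # 6.6.0-6.6.8 affected, 6.6.9+ fixed
    (6, 5): ((6, 5, 0), (6, 5, 7)),   # 6.5.0-6.5.6 affected, 6.5.7+ fixed
}


def parse_version(text):
    """Turn '6.6.8', 'v6.6.8' or '6.6.8-build0412' into a comparable (6, 6, 8) tuple.

    Tuples of ints compare correctly ('8.0.10' > '8.0.3'), which string
    comparison does not. Anything that is not three dotted integers is rejected
    so that an unknown format is surfaced instead of being mis-scored.
    """
    core = text.strip().lstrip("vV").split("-")[0].split(" ")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def assess(version):
    """Return 'vulnerable', 'fixed' or 'unlisted' for one parsed version tuple."""
    branch = version[:2]
    if branch not in FAC_RANGES:
        # The advisory does not name this branch: report it for manual
        # verification rather than assuming it is unaffected.
        return "unlisted"
    first_affected, first_fixed = FAC_RANGES[branch]
    if first_affected <= version < first_fixed:
        return "vulnerable"
    return "fixed"


def triage(inventory):
    """Group (hostname, version_string) pairs by patch status.

    Returns a dict with the keys vulnerable/fixed/unlisted/unparseable, each a
    list of hostnames in inventory order. Unparseable entries are kept so that
    a discovery glitch does not silently drop a host from the report.
    """
    report = {"vulnerable": [], "fixed": [], "unlisted": [], "unparseable": []}
    for host, ver in inventory:
        try:
            status = assess(parse_version(ver))
        except ValueError:
            status = "unparseable"
        report[status].append(host)
    return report


# Constructed sample inventory (hypothetical hosts and builds).
SAMPLE_INVENTORY = [
    ("fac-dc1", "8.0.2"),               # last affected 8.0.x build
    ("fac-dc2", "8.0.3"),               # first fixed 8.0.x build
    ("fac-lab", "v6.6.8-build0412"),    # affected, with a build suffix
    ("fac-legacy", "6.5.7"),            # fixed even though older than 6.6.8
    ("fac-branch", "7.0.1"),            # branch not in the advisory table
    ("fac-bad", "unknown"),             # discovery returned no usable version
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:12s} {', '.join(hosts) or '-'}")
```

Feed `triage()` the output of whatever asset‑discovery tool you use; the `unlisted` and `unparseable` buckets are the ones that need a human, because they are exactly where a naive "is it below the fixed version?" check would have reported nothing.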

Source: SecurityAffairs – Critical Fortinet vulnerabilities fixed in FortiSandbox and FortiAuthenticator

📰 Original Source
https://securityaffairs.com/192047/security/critical-fortinet-vulnerabilities-fixed-in-fortisandbox-and-fortiauthenticator.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
