Fortinet Patches Critical Flaws Allowing Unauthenticated RCE in FortiSandbox and FortiAuthenticator
The updates close remote code execution paths that could let attackers take over security appliances sitting at the core of an organization's defenses.
Overview
- Fortinet released fixes for two critical vulnerabilities that allow code or command execution without authentication, tracked as CVE-2026-26083 in FortiSandbox and CVE-2026-44277 in FortiAuthenticator.
- The FortiSandbox issue is a missing-authorization flaw in the web interface that can be triggered with crafted HTTP requests; FortiSandbox Cloud and PaaS are affected as well as on-premises deployments. As with any unauthenticated web-interface flaw, limiting who can reach the management interface reduces exposure until the fix is applied.
- The FortiAuthenticator flaw is an improper access control error that could let an attacker execute unauthorized commands via crafted requests.
- Fortinet said FortiAuthenticator Cloud is not affected, published fixed versions for the on-premises releases, and reported no confirmed exploitation of either flaw to date.
- Security researchers note that Fortinet products are frequent targets: CISA's Known Exploited Vulnerabilities catalog lists dozens of past Fortinet bugs as actively exploited, which makes prompt patching urgent even before any exploitation of these two flaws is confirmed.
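Because "no confirmed exploitation to date" can change within days, a practitioner will want to re-check the CISA KEV catalog for these CVEs and for overdue Fortinet entries as part of patch triage. The script below is an added example, not code from the article or from Fortinet or CISA. It assumes the public KEV feed URL and the JSON field names CISA publishes (cveID, vendorProject, product, dateAdded, dueDate); the catalog entries embedded in it are constructed placeholders with deliberately fake CVE IDs, not real KEV records, so it runs offline. Swap in fetch_live_kev() to query the real feed.

```python
"""Check CVEs against CISA's Known Exploited Vulnerabilities (KEV) catalog.

Added example (not from the article, Fortinet or CISA). The feed URL and
field names are the ones CISA publishes; SAMPLE_KEV_JSON is a CONSTRUCTED
stand-in for the feed with fake CVE IDs so the code runs offline.
"""
import json
import urllib.request
from datetime import date

KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed sample in the KEV JSON shape. CVE-1999-000x are placeholders, not real entries.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
    "catalogVersion": "0000.00.00",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-1999-0001", "vendorProject": "Fortinet", "product": "FortiOS",
         "vulnerabilityName": "Placeholder Fortinet entry A", "dateAdded": "2024-01-01",
         "shortDescription": "Constructed sample entry.",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2024-01-22", "knownRansomwareCampaignUse": "Known", "notes": ""},
        {"cveID": "CVE-1999-0002", "vendorProject": "Fortinet", "product": "FortiProxy",
         "vulnerabilityName": "Placeholder Fortinet entry B", "dateAdded": "2024-06-15",
         "shortDescription": "Constructed sample entry.",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2024-07-06", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
        {"cveID": "CVE-1999-0003", "vendorProject": "ExampleVendor", "product": "ExampleProduct",
         "vulnerabilityName": "Placeholder non-Fortinet entry", "dateAdded": "2024-03-03",
         "shortDescription": "Constructed sample entry.",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2024-03-24", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
    ],
})


def parse_kev(raw_json: str) -> dict:
    """Return {cveID: record} for every KEV entry; skip records without a cveID."""
    data = json.loads(raw_json)
    entries = {}
    for rec in data.get("vulnerabilities", []):
        cve = str(rec.get("cveID", "")).strip().upper()
        if cve:
            entries[cve] = rec
    return entries


def fortinet_entries(entries: dict) -> list:
    """All KEV records whose vendor is Fortinet, newest dateAdded first."""
    hits = [r for r in entries.values() if str(r.get("vendorProject", "")).lower() == "fortinet"]
    return sorted(hits, key=lambda r: r.get("dateAdded", ""), reverse=True)


def kev_status(entries: dict, cves) -> dict:
    """Map each CVE of interest to its KEV record, or None if not (yet) listed."""
    return {c.strip().upper(): entries.get(c.strip().upper()) for c in cves}


def overdue_fortinet(entries: dict, as_of: date) -> list:
    """Fortinet KEV records whose federal remediation dueDate is already past on as_of."""
    overdue = []
    for rec in fortinet_entries(entries):
        try:
            due = date.fromisoformat(rec.get("dueDate", ""))
        except ValueError:
            continue  # malformed or missing dueDate: cannot judge, so skip
        if due < as_of:
            overdue.append(rec["cveID"])
    return overdue


def fetch_live_kev(timeout: int = 20) -> dict:
    """Download and parse the current catalog (needs network; not called at import)."""
    with urllib.request.urlopen(KEV_URL, timeout=timeout) as resp:
        return parse_kev(resp.read().decode("utf-8"))


if __name__ == "__main__":
    catalog = parse_kev(SAMPLE_KEV_JSON)  # replace with fetch_live_kev() for the real feed
    watch = ["CVE-2026-26083", "CVE-2026-44277"]  # the two CVEs from the advisory
    for cve, rec in kev_status(catalog, watch).items():
        print(cve, "-> in KEV, added", rec["dateAdded"] if rec else "not listed")
    print("Fortinet entries:", [r["cveID"] for r in fortinet_entries(catalog)])
    print("Overdue as of today:", overdue_fortinet(catalog, date.today()))
```

The lookup is keyed on the normalized CVE ID, so case or stray whitespace in an input list does not cause a silent miss, and a CVE absent from the catalog comes back as None rather than raising, which is what a scheduled triage job needs.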