Last updated: May 13, 2026 at 5:42 AM UTC
Tag: cvss-9-1 (1 article)

Fortinet patches critical unauthenticated RCE flaws in FortiSandbox and FortiAuthenticator - identity and threat-detection products that protect everything else (CVE-2026-26083, CVE-2026-44277)

Fortinet patched two critical unauthenticated RCE flaws on Tuesday. CVE-2026-44277 in FortiAuthenticator (Fortinet's IAM/MFA platform) lets an unauthenticated attacker execute code via crafted requests. CVE-2026-26083 (CVSS 9.1) in the FortiSandbox web UI lets an unauthenticated attacker run code via crafted HTTP requests. Neither flaw is confirmed exploited yet, but Fortinet products have a long exploitation history: CISA flagged FortiClient EMS as actively exploited in April. Both products sit in a privileged position. FortiSandbox is the threat-detection backbone for many Fortinet-centric SOCs, and FortiAuthenticator gates MFA and SSO, so a compromise of either undermines the controls that depend on it.

Check
Inventory FortiAuthenticator and FortiSandbox versions and compare them against the affected ranges listed under Affected. Confirm the management UIs are not reachable from the internet. Review logs for unfamiliar admin sessions since early May.
Affected
FortiAuthenticator before 6.5.7, 6.6.9, 8.0.3. FortiSandbox 5.0.0-5.0.1, 4.4.0-4.4.8. FortiAuthenticator Cloud (FortiTrust Identity) is not affected.
Fix
Upgrade FortiAuthenticator to 6.5.7, 6.6.9, or 8.0.3. Upgrade FortiSandbox to 5.0.2+, 4.4.9+, or 5.0.6+ (Cloud). Restrict management UIs to trusted IPs.
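The Check, Affected and Fix steps above amount to a triage pass over an inventory: decide per appliance whether its version falls in an affected range, and rank exposed boxes first. The script below is an added example and not Fortinet's tooling or part of the advisory; the version ranges are copied from the Affected and Fix text on this page, the inventory rows are constructed, and the assumptions (that "before X" covers the whole x.y branch from x.y.0, that FortiSandbox Cloud is affected from 5.0.0 up to its 5.0.6 fix, and that branches the page does not name are reported as unknown rather than guessed) are marked in comments.

```python
"""Triage a FortiAuthenticator / FortiSandbox inventory against the version
ranges stated on this page (added example, not Fortinet's own tooling)."""

Version = tuple[int, int, int]

def parse_version(s: str) -> Version:
    """'6.6.8' -> (6, 6, 8). Tolerates a leading 'v' and pads short strings
    so that '6.5' compares as 6.5.0 rather than sorting below 6.5.0."""
    parts = [int(p) for p in s.strip().lstrip("vV").split(".")]
    parts += [0] * (3 - len(parts))
    return (parts[0], parts[1], parts[2])

# product -> {branch: (first affected, first fixed)}, taken from the page.
# Assumption: "before 6.5.7" etc. means the whole 6.5 branch from 6.5.0.
AFFECTED: dict[str, dict[tuple[int, int], tuple[Version, Version]]] = {
    "FortiAuthenticator": {
        (6, 5): ((6, 5, 0), (6, 5, 7)),
        (6, 6): ((6, 6, 0), (6, 6, 9)),
        (8, 0): ((8, 0, 0), (8, 0, 3)),
    },
    "FortiSandbox": {
        (5, 0): ((5, 0, 0), (5, 0, 2)),
        (4, 4): ((4, 4, 0), (4, 4, 9)),
    },
    # Assumption: the page gives only the Cloud fix version (5.0.6+);
    # the lower bound 5.0.0 is assumed, not stated.
    "FortiSandbox Cloud": {
        (5, 0): ((5, 0, 0), (5, 0, 6)),
    },
}

def assess(product: str, version: str) -> str:
    """Return 'vulnerable', 'patched', 'not-affected' or 'unknown'."""
    if product == "FortiAuthenticator Cloud":
        return "not-affected"      # page: FortiTrust Identity is not affected
    branches = AFFECTED.get(product)
    if branches is None:
        return "unknown"
    v = parse_version(version)
    rng = branches.get((v[0], v[1]))
    if rng is None:
        return "unknown"           # branch not named on the page; check the advisory
    lo, hi = rng
    return "vulnerable" if lo <= v < hi else "patched"

def triage(inventory):
    """inventory rows: (host, product, version, mgmt_ui_internet_reachable).
    Returns rows sorted so that internet-exposed vulnerable boxes come first."""
    rows = []
    for host, product, version, exposed in inventory:
        status = assess(product, version)
        if status == "vulnerable":
            priority = "P1-exposed" if exposed else "P2-internal"
        elif status == "unknown":
            priority = "P3-verify"
        else:
            priority = "P4-none"
        rows.append((priority, host, product, version, status))
    return sorted(rows)

# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE_INVENTORY = [
    ("fac-01", "FortiAuthenticator", "6.6.8", True),
    ("fac-02", "FortiAuthenticator", "8.0.3", False),
    ("fac-03", "FortiAuthenticator", "7.0.2", False),
    ("fsa-01", "FortiSandbox", "5.0.1", False),
    ("fsa-02", "FortiSandbox", "4.4.9", False),
    ("fsa-03", "FortiSandbox Cloud", "5.0.5", False),
    ("fti-01", "FortiAuthenticator Cloud", "n/a", False),
]

if __name__ == "__main__":
    for priority, host, product, version, status in triage(SAMPLE_INVENTORY):
        print(f"{priority:12} {host:8} {product:25} {version:8} {status}")
```

Feed it your real inventory (CMDB export, FortiManager device list) instead of SAMPLE_INVENTORY; anything reported as "unknown" is a branch the page does not cover and needs a manual check against the Fortinet PSIRT advisory rather than being assumed safe.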