fortinet - TrustStrike Labs

vulnerability

CVE-2026-26083 CVE-2026-44277

2026-05-13

Fortinet patches critical unauthenticated RCE flaws in FortiSandbox and FortiAuthenticator - identity and threat-detection products that protect everything else (CVE-2026-26083, CVE-2026-44277)

Fortinet patched two critical RCE flaws Tuesday. CVE-2026-44277 in FortiAuthenticator (Fortinet's IAM/MFA platform) lets unauthenticated attackers execute code via crafted requests. CVE-2026-26083 (CVSS 9.1) in FortiSandbox's web UI lets unauthenticated attackers run code via HTTP requests. Neither is confirmed exploited yet, but Fortinet products have a long exploitation history - CISA flagged FortiClient EMS as actively exploited in April. FortiSandbox is the threat-detection backbone for many Fortinet-centric SOCs; FortiAuthenticator gates MFA and SSO.

fortinet fortisandbox fortiauthenticator unauth-rce cvss-9-1 iam sandbox critical

Check: Inventory FortiAuthenticator and FortiSandbox versions. Confirm management UIs aren't internet-reachable. Check logs for unfamiliar admin sessions since early May.
Affected: FortiAuthenticator before 6.5.7, 6.6.9, 8.0.3. FortiSandbox 5.0.0-5.0.1, 4.4.0-4.4.8. FortiAuthenticator Cloud (FortiTrust Identity) is not affected.
Fix: Upgrade FortiAuthenticator to 6.5.7, 6.6.9, or 8.0.3. Upgrade FortiSandbox to 5.0.2+, 4.4.9+, or 5.0.6+ (Cloud). Restrict management UIs to trusted IPs.

vulnerability

CVE-2026-39808

2026-04-17

Fortinet FortiSandbox unauthenticated RCE (CVE-2026-39808) has public PoC - day-after recovery from April 17

Day-after recovery: a PoC exploit for a critical vulnerability in Fortinet's FortiSandbox product has been publicly available since April 17. CVE-2026-39808 allows an unauthenticated attacker to execute arbitrary code on affected appliances via the web management interface. FortiSandbox is Fortinet's network-based malware analysis product used to inspect suspicious files before they reach endpoints. Because it sits in the malware analysis path, a compromised FortiSandbox gives attackers visibility into every suspicious file your environment has flagged, including real phishing attempts and incident samples. The PoC release doesn't indicate confirmed in-the-wild exploitation yet, but based on recent patterns the window between public PoC and mass scanning is typically measured in hours. CISA has not yet added this to KEV.

fortinet fortisandbox rce poc unauthenticated day-after-recovery

Check: If your organization uses Fortinet FortiSandbox, apply Fortinet's security update immediately. Treat as priority-1 even without confirmed in-the-wild exploitation.
Affected: Fortinet FortiSandbox appliances running unpatched firmware. Check Fortinet's PSIRT advisory for CVE-2026-39808 for exact affected firmware versions and upgrade paths for your model.
Fix: Apply Fortinet's security update from the official PSIRT advisory. If patching is delayed, restrict network access to the FortiSandbox management interface to trusted admin IPs only - do not expose the management interface to the internet. Review FortiSandbox access logs for unusual HTTP requests to the management interface over the past 30 days.

vulnerability

CVE-2026-35616

2026-04-05

Second FortiClient EMS zero-day in two weeks - emergency patch for pre-auth API bypass, actively exploited (CVE-2026-35616)

If you patched FortiClient EMS for CVE-2026-21643 two weeks ago by upgrading to 7.4.5, you're now vulnerable to a new zero-day. CVE-2026-35616 is a CVSS 9.1 pre-authentication API access bypass affecting versions 7.4.5 and 7.4.6 - the exact versions customers upgraded to. Defused Cyber spotted exploitation in the wild starting March 31. Fortinet released an emergency weekend hotfix on Saturday, with watchTowr noting attackers deliberately timed this for the Easter holiday when security teams are at half strength.

fortinet forticlient-ems zero-day pre-auth actively-exploited emergency-patch

Check: If you run FortiClient EMS 7.4.5 or 7.4.6, treat this as an emergency - apply the hotfix now, not after the holiday.
Affected: FortiClient EMS 7.4.5 and 7.4.6 only. The 7.2 branch and FortiEMS Cloud are not affected.
Fix: Apply the emergency hotfix for your version immediately: hotfix for 7.4.5 or hotfix for 7.4.6 (see Fortinet release notes). Upgrade to 7.4.7 when available. Restrict the EMS web interface to management VLANs only. Review logs for unusual API requests since March 31.

vulnerability

CVE-2026-21643

2026-03-30

Fortinet FortiClient EMS SQL injection actively exploited - no authentication required (CVE-2026-21643)

A CVSS 9.1 SQL injection flaw in Fortinet's FortiClient Endpoint Management Server is now being exploited in the wild - four days before anyone flagged it publicly. An attacker only needs one crafted HTTP request with a malicious Site header to execute arbitrary SQL against the backing PostgreSQL database, no credentials required. Roughly 1,000 to 2,400 FortiClient EMS instances are exposed to the internet, mostly in the US and Europe.

fortinet forticlient-ems sql-injection rce actively-exploited

Check: Check if you run FortiClient EMS with its web interface exposed to the internet.
Affected: FortiClient EMS 7.4.4 with multi-tenant mode enabled. Single-site deployments are not affected.
Fix: Upgrade to FortiClient EMS 7.4.5 or later. Restrict access to the EMS administrative interface immediately.