Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7
Tag: fortinet (10 articles)Clear

FortiBleed leak exposes VPN credentials for nearly 74,000 Fortinet firewalls

A newly surfaced dataset dubbed FortiBleed exposes what appear to be Fortinet and FortiGate VPN credentials tied to 73,932 firewall URLs at organizations around the world. Separately, researchers at SOCRadar report roughly 30,000 compromised Fortinet firewalls exposing networks to attack. Exposed VPN credentials are a direct route into corporate networks, letting attackers log in as legitimate users, bypass perimeter defenses, and stage ransomware or data theft. Fortinet gear is a perennial target, with many of these exposures stemming from past unpatched flaws and credential harvesting. Organizations cannot assume old Fortinet credentials are safe just because devices were later patched.

Check
Check whether your Fortinet or FortiGate VPN appliances appear in the exposed dataset, review VPN authentication logs for logins from unfamiliar locations, and confirm whether previously exposed devices were fully remediated.
Affected
Organizations running internet-facing Fortinet and FortiGate VPNs whose credentials appear among the 73,932 exposed firewall URLs; reused or never-rotated VPN passwords are most at risk.
Fix
Force-reset all Fortinet VPN credentials, enable phishing-resistant MFA on VPN access, restrict management interfaces, and fully patch or replace appliances, treating any potentially exposed device as compromised until verified.

Attackers now exploiting three critical FortiSandbox flaws, one with AI-built exploit

Threat-intelligence firm Defused reports that attackers are now exploiting three critical flaws in Fortinet's FortiSandbox, the appliance other Fortinet products rely on to judge whether files are malicious. Two (CVE-2026-39813, a JRPC API path traversal that bypasses authentication, and CVE-2026-39808, an unauthenticated command-injection that runs code as root) were patched in April; the third (CVE-2026-25089) only last week. All are unauthenticated and rated critical. Compromising a sandbox is especially dangerous because attackers can make it wave real malware through as clean. Notably, the exploit for one flaw appears to have been generated with AI and is likely faulty, yet attackers are trying it anyway.

Check
Identify FortiSandbox, FortiSandbox Cloud, and PaaS instances and their versions, confirm whether the web and JRPC API interfaces are reachable from untrusted networks, and review logs for unauthenticated command execution.
Affected
FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS that are unpatched against CVE-2026-39813, CVE-2026-39808, or CVE-2026-25089, especially instances exposed to untrusted networks; all three need no authentication.
Fix
Upgrade FortiSandbox to the fixed releases for all three CVEs immediately, restrict management and API interfaces to trusted networks, and treat any unpatched appliance as potentially compromised pending review.

Critical FortiSandbox flaw lets unauthenticated attackers run commands

Fortinet has patched a critical flaw in FortiSandbox, the appliance that detonates suspicious files and feeds malware verdicts to the rest of a Fortinet security deployment. The bug (CVE-2026-25089, rated 9.8) is an OS command injection in the web interface that lets a remote, unauthenticated attacker run arbitrary commands by sending crafted HTTP requests. Compromising a sandbox is especially dangerous because attackers can both pivot deeper into the network and blind the very system meant to catch malware. Fixed versions are FortiSandbox 5.0.6 and 4.4.9, with matching updates for the Cloud and PaaS editions.

Check
Identify FortiSandbox appliances and their version and whether the web interface is reachable from untrusted networks, and review HTTP and admin logs for unexpected command execution.
Affected
FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS web interfaces before the fixed releases (CVE-2026-25089), reachable by remote unauthenticated attackers over HTTP.
Fix
Upgrade FortiSandbox to 5.0.6 or 4.4.9 (and the matching Cloud and PaaS releases) now, and restrict management-interface access to trusted networks until patched.

FortiClient EMS CVE-2026-35616 actively exploited to deploy EKZ infostealer - disguised as endpoint update via VPN scripting

Arctic Wolf has observed active exploitation of CVE-2026-35616, an authentication-bypass flaw in FortiClient Enterprise Management Server (EMS), to deliver an undocumented credential stealer called EKZ. Attackers abuse the endpoint APIs to perform administrative actions without authentication, then modify EMS configuration and VPN policies to inject malicious scripts. Seconds after endpoints establish an IPsec tunnel to a Fortinet-managed gateway, EKZ is pushed disguised as an endpoint update via VPN scripting workflows. Fortinet released emergency hotfixes for versions 7.4.5 and 7.4.6 in early April and CISA ordered federal agencies to patch the same week; Shadowserver tracked 2,000 internet-exposed EMS instances at the time.

Check
Inventory FortiClient EMS deployments and confirm patch level. Search for unauthorized EMS configuration or VPN policy changes since early April. Look for EKZ stealer behavior on endpoints.
Affected
FortiClient EMS versions before the 7.4.5 and 7.4.6 hotfixes. Internet-exposed instances are at highest risk; Shadowserver counted 2,000 exposed in April when CISA mandated federal patching.
Fix
Apply the Fortinet hotfixes. Audit EMS admin actions and VPN policy modifications since April. Rotate credentials and certificates that EMS managed. Apply Arctic Wolf EKZ IoCs.

Critical patches from Ivanti, Fortinet, SAP, VMware Fusion, and n8n - RCE, SQL injection, prototype pollution

A wave of critical patches landed across enterprise vendors. Fortinet shipped fixes for two unauthenticated code-execution flaws (CVE-2026-44277 in FortiAuthenticator, CVE-2026-26083 in FortiSandbox / FortiSandbox Cloud / FortiSandbox PaaS, both CVSS 9.1). SAP patched a 9.6-rated SQL injection in S/4HANA and a missing-auth check in SAP Commerce that allows unauthenticated code execution. Ivanti Xtraction got a fix for arbitrary file read and write. Broadcom patched a VMware Fusion macOS local-privilege-escalation (CVE-2026-41702). And the n8n automation platform shipped five CVSS 9.4 issues, including XML-driven prototype pollution that authenticated workflow editors could turn into RCE.

Check
Pull the installed-version list for FortiAuthenticator, FortiSandbox/Cloud/PaaS, SAP S/4HANA, SAP Commerce, Ivanti Xtraction, VMware Fusion, and self-hosted n8n. Compare against the fixed versions in action_solution.
Affected
FortiAuthenticator before 6.5.7/6.6.9/8.0.3; FortiSandbox before 4.4.9/5.0.2; SAP S/4HANA, SAP Commerce, Ivanti Xtraction before 2026.2; VMware Fusion before 26H1; n8n before 1.123.32/2.17.4/2.18.1.
Fix
Upgrade FortiAuthenticator to 6.5.7/6.6.9/8.0.3, FortiSandbox to 4.4.9/5.0.2, Ivanti Xtraction to 2026.2, VMware Fusion to 26H1, and n8n to 1.123.32/2.17.4/2.18.1. Apply SAP's May notes for CVE-2026-34260 and CVE-2026-34263.

Backend of 'The Gentlemen' ransomware operation leaked - 9 named operators, ransom chat transcripts, and chain-victimization tactics now public

The Gentlemen, the second most prolific public ransomware operation of 2026 with over 320 listed victims, has had its own internal database leaked. Check Point Research and others obtained the data after a breach of the group's hosting provider 4VPS exposed their Rocket backend. The leak unmasks roughly 9 named operators centered on an administrator known as zeta88 (aka hastalamuerte), who built the RaaS panel in three days using DeepSeek and Qwen AI coding assistants, runs payouts, and joins encryption events personally. Internal chats also confirm chain-victimization: in April the group hit a UK software consultancy and then weaponized stolen client credentials to compromise one of the consultancy's customers in Turkey.

Check
Pull historical access logs for Fortinet and Cisco edge appliances and check for credentials matching infostealer log dumps, then hunt for NTLM relay activity consistent with CVE-2025-33073 in Windows event logs.
Affected
Organizations exposed to The Gentlemen include any running FortiGate or Cisco edge gear with CVE-2024-55591, CVE-2025-32433, or CVE-2025-33073 unpatched, and downstream clients of compromised IT service providers.
Fix
Patch CVE-2024-55591, CVE-2025-32433, and CVE-2025-33073. Enforce MFA on every edge-management interface, rotate credentials that appear in infostealer logs, and load Check Point's 'Thus Spoke The Gentlemen' IoCs into your EDR and firewall blocklists.

Fortinet patches critical unauthenticated RCE flaws in FortiSandbox and FortiAuthenticator - identity and threat-detection products that protect everything else (CVE-2026-26083, CVE-2026-44277)

Fortinet patched two critical RCE flaws Tuesday. CVE-2026-44277 in FortiAuthenticator (Fortinet's IAM/MFA platform) lets unauthenticated attackers execute code via crafted requests. CVE-2026-26083 (CVSS 9.1) in FortiSandbox's web UI lets unauthenticated attackers run code via HTTP requests. Neither is confirmed exploited yet, but Fortinet products have a long exploitation history - CISA flagged FortiClient EMS as actively exploited in April. FortiSandbox is the threat-detection backbone for many Fortinet-centric SOCs; FortiAuthenticator gates MFA and SSO.

Check
Inventory FortiAuthenticator and FortiSandbox versions. Confirm management UIs aren't internet-reachable. Check logs for unfamiliar admin sessions since early May.
Affected
FortiAuthenticator before 6.5.7, 6.6.9, 8.0.3. FortiSandbox 5.0.0-5.0.1, 4.4.0-4.4.8. FortiAuthenticator Cloud (FortiTrust Identity) is not affected.
Fix
Upgrade FortiAuthenticator to 6.5.7, 6.6.9, or 8.0.3. Upgrade FortiSandbox to 5.0.2+, 4.4.9+, or 5.0.6+ (Cloud). Restrict management UIs to trusted IPs.

Fortinet FortiSandbox unauthenticated RCE (CVE-2026-39808) has public PoC - day-after recovery from April 17

Day-after recovery: a PoC exploit for a critical vulnerability in Fortinet's FortiSandbox product has been publicly available since April 17. CVE-2026-39808 allows an unauthenticated attacker to execute arbitrary code on affected appliances via the web management interface. FortiSandbox is Fortinet's network-based malware analysis product used to inspect suspicious files before they reach endpoints. Because it sits in the malware analysis path, a compromised FortiSandbox gives attackers visibility into every suspicious file your environment has flagged, including real phishing attempts and incident samples. The PoC release doesn't indicate confirmed in-the-wild exploitation yet, but based on recent patterns the window between public PoC and mass scanning is typically measured in hours. CISA has not yet added this to KEV.

Check
If your organization uses Fortinet FortiSandbox, apply Fortinet's security update immediately. Treat as priority-1 even without confirmed in-the-wild exploitation.
Affected
Fortinet FortiSandbox appliances running unpatched firmware. Check Fortinet's PSIRT advisory for CVE-2026-39808 for exact affected firmware versions and upgrade paths for your model.
Fix
Apply Fortinet's security update from the official PSIRT advisory. If patching is delayed, restrict network access to the FortiSandbox management interface to trusted admin IPs only - do not expose the management interface to the internet. Review FortiSandbox access logs for unusual HTTP requests to the management interface over the past 30 days.

Second FortiClient EMS zero-day in two weeks - emergency patch for pre-auth API bypass, actively exploited (CVE-2026-35616)

If you patched FortiClient EMS for CVE-2026-21643 two weeks ago by upgrading to 7.4.5, you're now vulnerable to a new zero-day. CVE-2026-35616 is a CVSS 9.1 pre-authentication API access bypass affecting versions 7.4.5 and 7.4.6 - the exact versions customers upgraded to. Defused Cyber spotted exploitation in the wild starting March 31. Fortinet released an emergency weekend hotfix on Saturday, with watchTowr noting attackers deliberately timed this for the Easter holiday when security teams are at half strength.

Check
If you run FortiClient EMS 7.4.5 or 7.4.6, treat this as an emergency - apply the hotfix now, not after the holiday.
Affected
FortiClient EMS 7.4.5 and 7.4.6 only. The 7.2 branch and FortiEMS Cloud are not affected.
Fix
Apply the emergency hotfix for your version immediately: hotfix for 7.4.5 or hotfix for 7.4.6 (see Fortinet release notes). Upgrade to 7.4.7 when available. Restrict the EMS web interface to management VLANs only. Review logs for unusual API requests since March 31.

Fortinet FortiClient EMS SQL injection actively exploited - no authentication required (CVE-2026-21643)

A CVSS 9.1 SQL injection flaw in Fortinet's FortiClient Endpoint Management Server is now being exploited in the wild - four days before anyone flagged it publicly. An attacker only needs one crafted HTTP request with a malicious Site header to execute arbitrary SQL against the backing PostgreSQL database, no credentials required. Roughly 1,000 to 2,400 FortiClient EMS instances are exposed to the internet, mostly in the US and Europe.

Check
Check if you run FortiClient EMS with its web interface exposed to the internet.
Affected
FortiClient EMS 7.4.4 with multi-tenant mode enabled. Single-site deployments are not affected.
Fix
Upgrade to FortiClient EMS 7.4.5 or later. Restrict access to the EMS administrative interface immediately.