RSS
Last updated: May 13, 2026 at 5:42 AM UTC
All 208 Vulnerability 72 Breach 41 Threat 88 Defense 7
Tag: fortisandbox (2 articles)Clear
vulnerability
CVE-2026-26083CVE-2026-44277
2026-05-13

Fortinet patches critical unauthenticated RCE flaws in FortiSandbox and FortiAuthenticator - identity and threat-detection products that protect everything else (CVE-2026-26083, CVE-2026-44277)

Fortinet patched two critical RCE flaws Tuesday. CVE-2026-44277 in FortiAuthenticator (Fortinet's IAM/MFA platform) lets unauthenticated attackers execute code via crafted requests. CVE-2026-26083 (CVSS 9.1) in FortiSandbox's web UI lets unauthenticated attackers run code via HTTP requests. Neither is confirmed exploited yet, but Fortinet products have a long exploitation history - CISA flagged FortiClient EMS as actively exploited in April. FortiSandbox is the threat-detection backbone for many Fortinet-centric SOCs; FortiAuthenticator gates MFA and SSO.

fortinetfortisandboxfortiauthenticatorunauth-rcecvss-9-1iamsandboxcritical
Check
Inventory FortiAuthenticator and FortiSandbox versions. Confirm management UIs aren't internet-reachable. Check logs for unfamiliar admin sessions since early May.
Affected
FortiAuthenticator before 6.5.7, 6.6.9, 8.0.3. FortiSandbox 5.0.0-5.0.1, 4.4.0-4.4.8. FortiAuthenticator Cloud (FortiTrust Identity) is not affected.
Fix
Upgrade FortiAuthenticator to 6.5.7, 6.6.9, or 8.0.3. Upgrade FortiSandbox to 5.0.2+, 4.4.9+, or 5.0.6+ (Cloud). Restrict management UIs to trusted IPs.
vulnerability
CVE-2026-39808
2026-04-17

Fortinet FortiSandbox unauthenticated RCE (CVE-2026-39808) has public PoC - day-after recovery from April 17

Day-after recovery: a PoC exploit for a critical vulnerability in Fortinet's FortiSandbox product has been publicly available since April 17. CVE-2026-39808 allows an unauthenticated attacker to execute arbitrary code on affected appliances via the web management interface. FortiSandbox is Fortinet's network-based malware analysis product used to inspect suspicious files before they reach endpoints. Because it sits in the malware analysis path, a compromised FortiSandbox gives attackers visibility into every suspicious file your environment has flagged, including real phishing attempts and incident samples. The PoC release doesn't indicate confirmed in-the-wild exploitation yet, but based on recent patterns the window between public PoC and mass scanning is typically measured in hours. CISA has not yet added this to KEV.

fortinetfortisandboxrcepocunauthenticatedday-after-recovery
Check
If your organization uses Fortinet FortiSandbox, apply Fortinet's security update immediately. Treat as priority-1 even without confirmed in-the-wild exploitation.
Affected
Fortinet FortiSandbox appliances running unpatched firmware. Check Fortinet's PSIRT advisory for CVE-2026-39808 for exact affected firmware versions and upgrade paths for your model.
Fix
Apply Fortinet's security update from the official PSIRT advisory. If patching is delayed, restrict network access to the FortiSandbox management interface to trusted admin IPs only - do not expose the management interface to the internet. Review FortiSandbox access logs for unusual HTTP requests to the management interface over the past 30 days.