11 min read
By: RedLegg's Cyber Threat Intelligence Team
About:
Fortinet has disclosed multiple critical vulnerabilities affecting FortiAuthenticator and FortiSandbox products.
CVE-2026-44277 is an improper access control vulnerability in FortiAuthenticator that may allow an unauthenticated remote attacker to execute unauthorized code or commands through crafted requests.
CVE-2026-26083 is a missing authorization vulnerability affecting FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS deployments. The flaw may allow unauthenticated attackers to execute unauthorized code or commands via specially crafted HTTP requests due to improper authorization enforcement.
Successful exploitation of these vulnerabilities could result in compromise of authentication infrastructure, sandbox environments, administrative interfaces, and broader security management systems within affected organizations.
RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats we classify as the highest severity level and warrant out-of-band emergency patching or mitigation action.
VULNERABILITIES
Improper Access Control Vulnerability in FortiAuthenticator
CVSS Score: (9.1, Critical CVSS v3.1)
Identifier: CVE-2026-44277
PoC or Exploitation:
There were no confirmed reports of active exploitation in the wild and no validated public proof-of-concept exploit code.
Update/ Patch:
Fortinet has released fixes for this vulnerability.
Affected versions include:
- FortiAuthenticator versions before 6.5.7
- FortiAuthenticator versions before 6.6.9
- FortiAuthenticator versions before 8.0.3
Fixed versions include:
- FortiAuthenticator 6.5.7 or later
- FortiAuthenticator 6.6.9 or later
- FortiAuthenticator 8.0.3 or later
Not affected:
FortiAuthenticator Cloud, formerly FortiTrust Identity
Fortinet advisory and patch guidance:
Description:
CVE-2026-44277 is an improper access control vulnerability affecting FortiAuthenticator.
The vulnerability may allow an unauthenticated remote attacker to execute unauthorized code or commands on vulnerable systems through crafted requests.
Mitigation Recommendation:
Immediately upgrade FortiAuthenticator deployments to the fixed versions provided by Fortinet.
Prioritize patching internet-facing and externally accessible FortiAuthenticator systems.
Restrict administrative access to trusted management networks where operationally feasible.
Monitor systems for suspicious authentication activity, unexpected administrative actions, or anomalous process execution.
Missing Authorization Vulnerability in FortiSandbox
CVSS Score: 9.1 (Critical, CVSS v3.1)
Identifier: CVE-2026-26083
PoC or Exploitation:
Public proof-of-concept exploit code is available as part of the "Dirty Frag" exploitation chain. There are confirmed reports of active exploitation in the wild.
Update/ Patch:
Fortinet has released security advisory guidance for this vulnerability.
Affected versions include:
- FortiSandbox 5.0
5.0.0 through 5.0.1
Upgrade to 5.0.2 or above
- FortiSandbox 4.4
4.4.0 through 4.4.8
Upgrade to 4.4.9 or above - FortiSandbox Cloud 24
All versions
Migrate to a fixed release - FortiSandbox Cloud 23
All versions
Migrate to a fixed release - FortiSandbox Cloud 5.0
5.0.2 through 5.0.5
Upgrade to 5.0.6 or above - FortiSandbox PaaS 23.4
All versions
Migrate to a fixed release - FortiSandbox PaaS 23.3
All versions
Migrate to a fixed release - FortiSandbox PaaS 23.1
All versions
Migrate to a fixed release - FortiSandbox PaaS 22.2
All versions
Migrate to a fixed release - FortiSandbox PaaS 22.1
All versions
Migrate to a fixed release - FortiSandbox PaaS 21.4
All versions
Migrate to a fixed release - FortiSandbox PaaS 21.3
All versions
Migrate to a fixed release - FortiSandbox PaaS 5.0
5.0.0 through 5.0.1
Upgrade to 5.0.2 or above - FortiSandbox PaaS 4.4
4.4.5 through 4.4.8
Upgrade to 4.4.9 or above
Fortinet advisory and patch guidance:
Description:
CVE-2026-26083 is a critical missing authorization vulnerability affecting multiple FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS deployments.
Successful exploitation may allow an unauthenticated remote attacker to execute unauthorized code or commands via specially crafted HTTP requests due to improper authorization enforcement mechanisms within the affected products.
Mitigation Recommendation:
Immediately review and apply Fortinet-recommended upgrades or migrate affected cloud and PaaS deployments to fixed releases.
Prioritize remediation of internet-facing or externally accessible FortiSandbox management interfaces.
Restrict administrative access to trusted internal networks and enforce segmentation for management interfaces where operationally feasible.
Review firewall policies and disable unnecessary external exposure to FortiSandbox services.
Monitor systems and logs for suspicious HTTP requests, unauthorized administrative actions, unexpected process execution, or anomalous outbound connections.
