Fortinet warns of critical RCE flaws in FortiSandbox and FortiAuthenticator
BleepingComputer · Sergiu Gatlan · Published May 12, 2026

Fortinet has released security updates to address two critical vulnerabilities in FortiSandbox and FortiAuthenticator that could enable attackers to run commands or arbitrary code on unpatched systems.

The first one, tracked as CVE-2026-44277, impacts the company's FortiAuthenticator Identity and Access Management (IAM) solution and was patched in FortiAuthenticator versions 6.5.7, 6.6.9, and 8.0.3.

"An Improper Access Control vulnerability [CWE-284] in FortiAuthenticator may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests," Fortinet said in a Tuesday advisory.

The company added that FortiAuthenticator Cloud (formerly known as FortiTrust Identity), an Identity and Access Management as a Service (IDaaS) cloud service hosted and managed by Fortinet, is not impacted by the issue.

Today, Fortinet also addressed a missing authorization weakness (CVE-2026-26083) that can be exploited to achieve remote code execution on vulnerable FortiSandbox systems designed to protect against malicious activity, including zero-day threats.

"A missing authorization vulnerability [CWE-862] in FortiSandbox, FortiSandbox Cloud and FortiSandbox PaaS WEB UI may allow an unauthenticated attacker to execute unauthorized code or commands via HTTP requests," it added.

While the company didn't tag these two security flaws as being exploited in the wild, Fortinet vulnerabilities are frequently exploited in ransomware and cyber-espionage attacks, often as zero-...
Affected Software
Fortinet FortiAuthenticator (CVE-2026-44277 fixed in 6.5.7, 6.6.9, and 8.0.3)
Fortinet FortiSandbox
Fortinet FortiSandbox Cloud
Fortinet FortiSandbox PaaS WEB UI
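The article names only the FortiAuthenticator releases that carry the fix for CVE-2026-44277 (6.5.7, 6.6.9 and 8.0.3) and gives no fixed versions for FortiSandbox. The helper below is an added example, not Fortinet's or BleepingComputer's code: it parses the version strings a defender would pull from an appliance inventory and classifies each FortiAuthenticator host by branch. It assumes that a build numbered lower than the fixed release in the same major.minor branch has not received the fix, and it deliberately refuses to call a branch the article does not list "safe", returning "check-advisory" instead so the operator consults the vendor advisory. The hostnames and versions in the sample inventory are constructed.

```python
"""Patch-state triage for the FortiAuthenticator fixed releases named in the article.

Added example, not Fortinet's or BleepingComputer's code. Assumptions:
  * a version below the fixed release in the same major.minor branch is unpatched;
  * branches the article does not list (e.g. 6.4.x) cannot be judged here and
    are flagged for a manual check against the vendor advisory.
"""
import re

# Fixed releases for CVE-2026-44277 as stated in the article, keyed by branch.
FIXED_RELEASES = {
    (6, 5): (6, 5, 7),
    (6, 6): (6, 6, 9),
    (8, 0): (8, 0, 3),
}

# Accepts forms such as "6.6.8", "v6.6.9" and "6.6.9-build0532" (trailing build tag ignored).
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) for a FortiAuthenticator version string."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def triage(version_text):
    """Classify one version as 'fixed', 'update-required' or 'check-advisory'."""
    version = parse_version(version_text)
    fixed = FIXED_RELEASES.get(version[:2])
    if fixed is None:
        # Branch not covered by the article: do not assume it is safe.
        return "check-advisory"
    # Tuple comparison orders (major, minor, patch) numerically, not lexically.
    return "fixed" if version >= fixed else "update-required"


def triage_inventory(inventory):
    """Map hostname -> status for a {hostname: version_string} dict."""
    return {host: triage(ver) for host, ver in inventory.items()}


# Constructed sample inventory; hostnames and versions are made up for the example.
SAMPLE_INVENTORY = {
    "fac-hq-01": "6.6.8",
    "fac-hq-02": "v6.6.9-build0532",
    "fac-dr-01": "8.0.3",
    "fac-lab-01": "8.0.1",
    "fac-old-01": "6.4.12",
}

if __name__ == "__main__":
    for host, status in sorted(triage_inventory(SAMPLE_INVENTORY).items()):
        print(f"{host:12} {SAMPLE_INVENTORY[host]:18} {status}")
```

Feeding the script a real inventory export means replacing SAMPLE_INVENTORY with the hostname/version pairs from your asset system; anything reported as "update-required" runs a build older than the fixed release the article names, and "check-advisory" marks branches the article does not cover.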
Frequently Asked Questions

1. What vulnerabilities are addressed in the Fortinet security updates?
The updates address critical remote code execution (RCE) vulnerabilities in FortiSandbox and FortiAuthenticator.

2. What could happen if systems are not patched?
Unpatched systems may allow attackers to run commands or arbitrary code remotely.

3. Which versions of FortiAuthenticator are affected by these vulnerabilities?
The FortiAuthenticator flaw was patched in versions 6.5.7, 6.6.9, and 8.0.3; installations running earlier releases should be updated.

4. What products from Fortinet are impacted by the security flaws?
The affected products include FortiSandbox, FortiAuthenticator, FortiSandbox Cloud, and FortiSandbox PaaS WEB UI.

5. What action is recommended to mitigate these vulnerabilities?
Fortinet recommends applying the latest security updates to affected products immediately.