Canadian Cyber Security Journal
Filed under: TechTalk

Fortinet Patches Critical RCE Flaws in FortiSandbox and FortiAuthenticator — CVSS 9.1

What Happened

Fortinet issued emergency security advisories on May 12, 2026, for two critical vulnerabilities in FortiSandbox and FortiAuthenticator, both rated CVSS 9.1.

CVE-2026-26083 affects FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS. The flaw is a missing authorization vulnerability in the web UI. A remote, unauthenticated attacker can send crafted HTTP requests to execute arbitrary code or commands on the affected appliance. Fixes are available in FortiSandbox 5.0.2 and 4.4.9.

CVE-2026-44277 affects FortiAuthenticator on-premises. The flaw is an improper access control issue caused by insufficient authorization checks. A remote, unauthenticated attacker can send specially crafted requests to execute code or commands on the appliance. FortiAuthenticator Cloud is confirmed unaffected. Fixes are available in FortiAuthenticator 6.5.7, 6.6.9, and 8.0.3.

Fortinet states it is not aware of active exploitation of either vulnerability at the time of disclosure. No public proof-of-concept code has been released.

Why This Matters for Canadian Organizations

Fortinet is one of the most pervasive security vendors in Canadian enterprise and government environments. FortiSandbox is deployed as a malware analysis and threat detonation platform at the perimeter of many Canadian financial institutions, government departments, healthcare organizations, and critical infrastructure operators. FortiAuthenticator is the identity and MFA layer for those same environments — it manages authentication for FortiGate firewalls, SSL VPNs, and network access control systems.

An unauthenticated RCE in FortiSandbox means an attacker who reaches the management interface — or bypasses network segmentation — can execute code in the security platform itself. From there, attackers gain access to detonation analysis results, sandbox evasion intelligence, and potentially lateral paths into the broader network management plane.

An unauthenticated RCE in FortiAuthenticator is more directly critical: it sits in the authentication path for everything behind it. Compromise gives attackers the ability to issue false authentication responses, intercept MFA tokens, or establish persistent access to network infrastructure that depends on FortiAuthenticator for access control.

Fortinet vulnerabilities have been among the most actively exploited in Canada over the past 18 months. CVE-2026-35616 in FortiClient EMS was added to CISA’s KEV catalog in April 2026. Canadian Security Centre (CSE) advisories have repeatedly flagged Fortinet appliances as priority targets for nation-state and ransomware actors. The absence of confirmed exploitation today does not reflect the speed at which Fortinet flaws move from disclosure to weaponization.

What to Do

Patch immediately. Update FortiSandbox to 5.0.2 or 4.4.9, and FortiAuthenticator to 6.5.7, 6.6.9, or 8.0.3, depending on your deployment version. Both patches are available through the Fortinet Support portal.
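A quick way to turn the fixed-release numbers above into an actionable list is to compare each appliance's version numerically against the fix for its branch. The script below is an added example written for this article, not Fortinet tooling or anything from the BleepingComputer report. It assumes the branch-to-fix mapping (5.0.x FortiSandbox fixed at 5.0.2, 4.4.x at 4.4.9; FortiAuthenticator 6.5.x/6.6.x/8.0.x at 6.5.7/6.6.9/8.0.3); branches the article does not mention are reported as "check-advisory" rather than guessed, and the inventory hostnames and versions are constructed.

```python
"""Version triage against the fixed releases named in the advisory summary.

Added example, not Fortinet's code. The branch-to-fix mapping is an assumption
drawn from the fix versions quoted in the article; branches the article does
not mention are reported as 'check-advisory' instead of being guessed.
"""

# Product the article lists as unaffected (label used in the constructed inventory).
NOT_AFFECTED = {"FortiAuthenticator Cloud"}

# (major, minor) branch -> first fixed release on that branch (assumed mapping).
FIXED_RELEASES = {
    "FortiSandbox": {(5, 0): (5, 0, 2), (4, 4): (4, 4, 9)},
    "FortiAuthenticator": {(6, 5): (6, 5, 7), (6, 6): (6, 6, 9), (8, 0): (8, 0, 3)},
}


def parse_version(text):
    """Turn '4.4.10' into (4, 4, 10). Tuples compare numerically; as plain
    strings '4.4.10' < '4.4.9', so a patched host would be misjudged."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def assess(product, version):
    """Return one of: 'not-affected', 'patched', 'vulnerable', 'check-advisory'."""
    if product in NOT_AFFECTED:
        return "not-affected"
    branches = FIXED_RELEASES.get(product)
    if branches is None:
        return "check-advisory"
    v = parse_version(version)
    fixed = branches.get(v[:2])
    if fixed is None:
        return "check-advisory"  # branch not named in the article; do not guess
    return "patched" if v >= fixed else "vulnerable"


def triage(inventory):
    """inventory: iterable of (hostname, product, version).
    Returns a dict mapping each status to a sorted list of hostnames."""
    buckets = {"vulnerable": [], "check-advisory": [], "patched": [], "not-affected": []}
    for host, product, version in inventory:
        buckets[assess(product, version)].append(host)
    return {status: sorted(hosts) for status, hosts in buckets.items()}


# Constructed inventory for the example; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("fsa-tor-01", "FortiSandbox", "5.0.1"),
    ("fsa-tor-02", "FortiSandbox", "4.4.10"),
    ("fac-ott-01", "FortiAuthenticator", "6.6.8"),
    ("fac-ott-02", "FortiAuthenticator", "8.0.3"),
    ("fac-van-01", "FortiAuthenticator", "7.0.4"),
    ("fac-cloud", "FortiAuthenticator Cloud", "n/a"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:15} {', '.join(hosts) or '-'}")
```

The "check-advisory" bucket is deliberate: a 7.0.x FortiAuthenticator is neither confirmed fixed nor confirmed vulnerable by anything in this article, and the right move is to read Fortinet's advisory rather than let a script decide.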

Restrict management interface access. FortiSandbox and FortiAuthenticator management consoles should never be reachable from untrusted networks. If your deployment exposes either appliance’s admin interface to the internet or a broad internal segment, tighten access control rules now as an interim measure.

Review audit logs on both appliances for anomalous unauthenticated requests, unexpected HTTP methods, or command execution artifacts. If you use a SIEM, build detection rules for HTTP 200 responses to unusual paths on FortiSandbox and FortiAuthenticator endpoints.
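The log review and the interim access restriction above can be checked with one pass over exported web UI access logs: flag requests from outside the management subnet, unexpected HTTP methods, and unauthenticated requests that still received a 200 for a path outside the login flow. The script below is an added example for this article, not Fortinet's code or a published detection rule. Its log format, management subnet (10.10.0.0/24), expected-method set and unauthenticated-path allowlist are all assumptions, and the sample log lines are constructed; adapt the regex to the fields the appliance actually exports or that your SIEM has already normalised.

```python
import ipaddress
import re

# Constructed log format for this example: source, user, timestamp, request,
# status. It is NOT Fortinet's log format; adapt LOG_RE to the real export.
LOG_RE = re.compile(
    r'^(?P<src>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})$'
)

# Assumed management subnet; nothing outside it should reach the admin UI.
MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]
EXPECTED_METHODS = {"GET", "POST"}
# Paths an unauthenticated client legitimately reaches (assumed allowlist).
UNAUTH_OK_PATHS = {"/login", "/favicon.ico"}


def in_mgmt_net(src):
    """True if src parses as an IP address inside one of MGMT_NETS."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in MGMT_NETS)


def check_line(line):
    """Return the reasons a line deserves a look; an empty list means normal."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return ["unparsable line"]
    f = m.groupdict()
    reasons = []
    if not in_mgmt_net(f["src"]):
        reasons.append(f"source {f['src']} outside management allowlist")
    if f["method"] not in EXPECTED_METHODS:
        reasons.append(f"unexpected HTTP method {f['method']}")
    if f["user"] == "-" and f["status"] == "200" and f["path"] not in UNAUTH_OK_PATHS:
        reasons.append(f"unauthenticated 200 to {f['path']}")
    return reasons


def triage_logs(lines):
    """Return [(line_number, line, reasons)] for every line with a reason."""
    findings = []
    for n, line in enumerate(lines, start=1):
        reasons = check_line(line)
        if reasons:
            findings.append((n, line, reasons))
    return findings


# Constructed sample log; addresses are documentation ranges, paths are made up.
SAMPLE_LOG = """\
10.10.0.5 admin [12/May/2026:09:01:10 +0000] "GET /dashboard HTTP/1.1" 200
203.0.113.7 - [12/May/2026:09:02:44 +0000] "POST /api/reports/export HTTP/1.1" 200
203.0.113.7 - [12/May/2026:09:02:45 +0000] "PUT /api/reports/export HTTP/1.1" 200
10.10.0.5 - [12/May/2026:09:03:00 +0000] "GET /login HTTP/1.1" 200
198.51.100.9 - [12/May/2026:09:04:12 +0000] "GET /login HTTP/1.1" 401
this line did not come from the web server at all
""".splitlines()

if __name__ == "__main__":
    for n, line, reasons in triage_logs(SAMPLE_LOG):
        print(f"line {n}: {'; '.join(reasons)}")
        print(f"    {line}")
```

Unparsable lines are surfaced rather than silently skipped, because a log export that changed format mid-review is itself something an analyst wants to know about. The "source outside management allowlist" check doubles as a quick audit of whether the interim access restriction is actually in effect.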

Source: BleepingComputer
