Fortinet patches FortiSandbox RCE flaws
- Fortinet published security advisories on May 12 and May 13 covering remote-code-execution risks in FortiAuthenticator and FortiSandbox, with fixed versions listed for each.
- CVE-2026-44277 in FortiAuthenticator is rated critical with a CVSSv3 score of 9.1 and can let an unauthenticated attacker execute unauthorized code via crafted requests.
- Fortinet’s PSIRT pages list fixed versions and workarounds; CISA says organizations should prioritize KEV-listed flaws in remediation plans, and neither issue appeared in the KEV catalog as of May 14.
Fortinet published two new security advisories this week covering code-execution risks in products that often sit close to authentication and malware-analysis workflows. A May 12 advisory covers FortiAuthenticator, and a May 13 advisory covers FortiSandbox, according to Fortinet’s Product Security Incident Response Team (PSIRT) pages. The FortiAuthenticator issue is tracked as CVE-2026-44277 and is rated critical with a CVSSv3 score of 9.1, Fortinet said. The FortiSandbox issue is described as an OS command injection flaw in the GUI backup options that could let an authenticated, privileged attacker execute unauthorized code or commands through crafted HTTP or HTTPS requests.

CISA’s Known Exploited Vulnerabilities (KEV) catalog, based on the catalog pages available on May 14, does not show either of these newly published flaws as a listed entry. (fortiguard.fortinet.com) CISA says organizations should use the KEV catalog as an input to vulnerability-management prioritization and should prioritize remediation of listed flaws because they are tied to active exploitation.

### Which Fortinet products were patched, and on what dates?

Fortinet said the FortiAuthenticator advisory was initially published on May 12, 2026, under IR number FG-IR-26-128. (fortiguard.fortinet.com) The company said the flaw affects API endpoints and may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.

Fortinet said the FortiSandbox advisory was initially published on May 13, 2026, under IR number FG-IR-25-454. (cisa.gov) The company described that issue as an OS command injection vulnerability in the FortiSandbox GUI backup options.

### How severe are the flaws, and who can exploit them?

CVE-2026-44277 in FortiAuthenticator is marked “Critical,” carries a 9.1 CVSSv3 score, and is classified by Fortinet as exploitable by an unauthenticated attacker, the advisory says. (fortiguard.fortinet.com) Fortinet also said the issue was discovered internally during a company audit and is marked “Known Exploited: No.”

The FortiSandbox flaw does not show a CVSS score in the excerpt available through Fortinet’s PSIRT page, but the company said exploitation requires an authenticated, privileged attacker. (fortiguard.fortinet.com) Fortinet credited Théo Leleu of the Fortinet Product Security team with discovering and reporting that issue internally.

The difference in preconditions matters for scheduling: the FortiAuthenticator flaw is reachable by an unauthenticated attacker over exposed API endpoints, while the FortiSandbox flaw first requires a privileged account on the appliance.

### Which versions need updates right now?

Fortinet’s advisories list the following affected versions and fixed releases. (fortiguard.fortinet.com)

- FortiAuthenticator 8.0.0 and 8.0.2: upgrade to 8.0.3 or later
- FortiAuthenticator 6.6.0 through 6.6.8: upgrade to 6.6.9 or later
- FortiAuthenticator 6.5.0 through 6.5.6: upgrade to 6.5.7 or later
- FortiSandbox 5.0.0 through 5.0.2: upgrade to 5.0.3 or later
- FortiSandbox 4.4.0 through 4.4.7: upgrade to 4.4.8 or later
- FortiSandbox 4.2 and 4.0: migrate to a fixed release

FortiAuthenticator Cloud is not impacted, the FortiAuthenticator advisory says.

### Is there a workaround if teams cannot patch immediately?

Fortinet said administrators can disable API access for exposed interfaces in FortiAuthenticator through the Network, Interfaces, and Access Rights settings. (fortiguard.fortinet.com) The company presented that step as an interim workaround for CVE-2026-44277 for teams that cannot patch immediately; the fixed releases remain the remediation.

For FortiSandbox Cloud 24.1, Fortinet said it remediated the issue in version 24.2 and that customers do not need to take action. The advisory also says FortiSandbox Cloud 5.0 and 4.4 are not affected. (fortiguard.fortinet.com)

### Are these flaws in CISA’s known-exploited catalog?

CISA’s public KEV catalog page says the list is the authoritative source for vulnerabilities known to have been exploited in the wild and that federal civilian agencies must remediate listed issues within set deadlines. (fortiguard.fortinet.com) The catalog excerpts available on May 14 did not show entries for CVE-2026-44277 or the FortiSandbox advisory FG-IR-25-454. CISA also says private-sector and state and local organizations should immediately address KEV-listed vulnerabilities as part of their vulnerability-management plans. (fortiguard.fortinet.com) That guidance is broader than these Fortinet advisories, but it sets the benchmark many defenders use when deciding emergency patch order.

Absence from the catalog means only that CISA had not, as of May 14, confirmed in-the-wild exploitation; it is not a statement that the flaws are low risk.

### What should defenders watch next?

The next step for customers is straightforward: move to the fixed versions listed in the PSIRT advisories and apply the FortiAuthenticator workaround if patching cannot happen immediately. (cisa.gov) Fortinet’s advisory pages are where version guidance and any later revisions will appear, and the KEV catalog is where a change in exploitation status would show up. (fortiguard.fortinet.com) (cisa.gov)
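The version checks and KEV lookup described above, as an added triage script that is not Fortinet's or CISA's code. It encodes the affected ranges and fixed releases exactly as the advisories list them, compares versions numerically rather than as strings, and checks CVE IDs against a document in the shape of CISA's KEV JSON feed. The hostnames, the inventory, and the KEV feed content are constructed for the example; the page gives no CVE ID for FG-IR-25-454, so only CVE-2026-44277 is looked up. Treating the 8.0 branch as the inclusive range 8.0.0 to 8.0.2 is an assumption noted in the code.

```python
"""Triage helper for the two Fortinet advisories discussed above.

Added example, not Fortinet's or CISA's code. It (1) maps a product/version
pair to the affected ranges and fixed releases the advisories list, and
(2) checks CVE IDs against a document in the format of CISA's KEV JSON feed.
The feed content below is constructed; the real feed is published at
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
"""
import json

# Affected ranges as stated in the advisories. Each entry: (lowest affected,
# highest affected, first fixed release). The 8.0 branch is given as
# "8.0.0 and 8.0.2"; modelling it as the inclusive range 8.0.0-8.0.2 is an
# assumption that errs toward flagging 8.0.1. Fortinet's advisory is authoritative.
ADVISORIES = {
    "FortiAuthenticator": {
        "ir": "FG-IR-26-128",
        "cve": "CVE-2026-44277",
        "ranges": [("8.0.0", "8.0.2", "8.0.3"),
                   ("6.6.0", "6.6.8", "6.6.9"),
                   ("6.5.0", "6.5.6", "6.5.7")],
        "migrate_branches": [],
    },
    "FortiSandbox": {
        "ir": "FG-IR-25-454",
        "cve": None,  # no CVE ID is given on the page for this advisory
        "ranges": [("5.0.0", "5.0.2", "5.0.3"),
                   ("4.4.0", "4.4.7", "4.4.8")],
        # Branches the advisory says should migrate to a fixed release
        "migrate_branches": ["4.2", "4.0"],
    },
}


def parse_version(v):
    """'6.6.8' -> (6, 6, 8). Numeric tuples compare correctly (8.0.10 > 8.0.2),
    which a plain string comparison would get wrong."""
    return tuple(int(p) for p in v.strip().split("."))


def triage(product, version):
    """Return what the advisory says to do for one installed version."""
    adv = ADVISORIES[product]
    ver = parse_version(version)
    for low, high, fixed in adv["ranges"]:
        if parse_version(low) <= ver <= parse_version(high):
            return {"affected": True, "ir": adv["ir"],
                    "action": f"upgrade to {fixed} or later"}
    for branch in adv["migrate_branches"]:
        if ver[:2] == parse_version(branch):
            return {"affected": True, "ir": adv["ir"],
                    "action": "migrate to a fixed release"}
    # Not in any listed range: the advisory lists no action for it.
    return {"affected": False, "ir": adv["ir"], "action": "none listed"}


def kev_status(feed_json, cve_ids):
    """Map each CVE ID to its KEV record, or None if the catalog does not list it."""
    records = {e["cveID"]: e for e in json.loads(feed_json)["vulnerabilities"]}
    return {cve: records.get(cve) for cve in cve_ids}


# Constructed stand-in for the KEV feed: one placeholder record with a
# made-up ID, so the "listed" path is exercised without naming a real CVE.
SAMPLE_KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-00000", "vendorProject": "ExampleVendor",
     "product": "ExampleProduct", "dateAdded": "2026-05-01",
     "dueDate": "2026-05-22"},
]})

# Constructed inventory (hostnames and installed versions are made up).
SAMPLE_INVENTORY = [
    ("fac-01.example.internal", "FortiAuthenticator", "6.6.8"),
    ("fac-02.example.internal", "FortiAuthenticator", "6.6.9"),
    ("fsa-01.example.internal", "FortiSandbox", "4.2.5"),
    ("fsa-02.example.internal", "FortiSandbox", "5.0.3"),
]


def triage_inventory(inventory, feed_json):
    """Per host: the advisory action plus whether its CVE (if any) is in KEV."""
    out = []
    for host, product, version in inventory:
        result = triage(product, version)
        cve = ADVISORIES[product]["cve"]
        result["kev_listed"] = bool(cve and kev_status(feed_json, [cve])[cve])
        out.append((host, result))
    return out


if __name__ == "__main__":
    for host, r in triage_inventory(SAMPLE_INVENTORY, SAMPLE_KEV_FEED):
        print(f"{host}: affected={r['affected']} action={r['action']} "
              f"kev_listed={r['kev_listed']} ({r['ir']})")
```

Versions outside the listed ranges come back as not affected because the advisories list no action for them; that is what the page supports, not a statement that unlisted branches are safe. Swap `SAMPLE_KEV_FEED` for the downloaded feed to get a live KEV answer.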