Fortinet fixes two critical RCE flaws in FortiAuthenticator and FortiSandbox
Summary
Fortinet has released patches for two critical remote code execution (RCE) vulnerabilities: CVE-2026-44277 in FortiAuthenticator and CVE-2026-26083 in FortiSandbox. Both carry a CVSS score of 9.1 and allow an unauthenticated attacker to execute arbitrary code.
IFF Assessment
Unauthenticated RCE in widely deployed security appliances is a significant risk to organizations. FortiAuthenticator brokers identity, SSO and MFA for other systems, so its compromise can expose credentials and undermine access controls across an estate; FortiSandbox is a trusted analysis tier that ingests attacker-supplied files by design. Exploitation of either could therefore lead to widespread compromise rather than a single-host incident.
Severity
Both vulnerabilities are rated CVSS 9.1 (Critical). They allow an unauthenticated remote attacker to execute arbitrary code via crafted requests, so a single reachable instance can be fully compromised without any credentials.
CISA KEV: Listed as actively exploited. Federal patch due (BOD 22-01): April 16, 2026. Known ransomware use: Unknown.
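The KEV listing above is the datum that sets patch priority for most organizations, and it is worth checking mechanically rather than by reading an advisory. The script below is an added example, not Fortinet's or CISA's code: it parses a feed in the public CISA KEV JSON schema (a top-level `vulnerabilities` list whose entries carry `cveID`, `product`, `dueDate` and `knownRansomwareCampaignUse`), looks up the two CVEs named in this advisory, and reports listing status, remediation due date, days remaining and ransomware use, most urgent first. The feed embedded in the script is a constructed sample shaped like the live feed at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json so that it runs offline; in practice pass a downloaded copy of the real feed as the first argument.

```python
"""Triage a CISA KEV feed snapshot for the CVEs named in this advisory.

Added example, not vendor or CISA code. Reads the public KEV JSON schema
(top-level "vulnerabilities" list; fields cveID, vendorProject, product,
dueDate, knownRansomwareCampaignUse, ...) and reports, for each CVE of
interest, whether it is listed, the BOD 22-01 due date, days left and any
known ransomware use. Usage: python kev_triage.py [downloaded_feed.json]
"""
import json
import sys
from datetime import date

# CVEs from the advisory, mapped to the affected product.
ADVISORY_CVES = {
    "CVE-2026-44277": "FortiAuthenticator",
    "CVE-2026-26083": "FortiSandbox",
}

# CONSTRUCTED sample feed in the KEV schema; only the fields read below are
# populated. Replace with a real download of the CISA feed in practice.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "sample",
    "count": 2,
    "vulnerabilities": [
        {
            "cveID": "CVE-2026-44277",
            "vendorProject": "Fortinet",
            "product": "FortiAuthenticator",
            "dueDate": "2026-04-16",
            "knownRansomwareCampaignUse": "Unknown",
        },
        {
            "cveID": "CVE-2026-26083",
            "vendorProject": "Fortinet",
            "product": "FortiSandbox",
            "dueDate": "2026-04-16",
            "knownRansomwareCampaignUse": "Unknown",
        },
    ],
})


def load_kev(feed_json: str) -> dict:
    """Index a KEV feed (JSON text) by cveID."""
    feed = json.loads(feed_json)
    return {entry["cveID"]: entry for entry in feed["vulnerabilities"]}


def triage(feed_json: str, cves: dict, today: date) -> list:
    """Return one row per CVE, sorted most urgent first.

    Listed CVEs sort by days_left ascending (overdue ones are negative and
    come first); CVEs absent from the catalog sort last but are still
    reported, because absence from KEV is not evidence of non-exploitation.
    """
    index = load_kev(feed_json)
    rows = []
    for cve, product in cves.items():
        entry = index.get(cve)
        if entry is None:
            rows.append({"cve": cve, "product": product, "in_kev": False,
                         "due": None, "days_left": None,
                         "ransomware": None, "overdue": False})
            continue
        due = date.fromisoformat(entry["dueDate"])
        days_left = (due - today).days
        rows.append({"cve": cve, "product": product, "in_kev": True,
                     "due": entry["dueDate"], "days_left": days_left,
                     "ransomware": entry.get("knownRansomwareCampaignUse", "Unknown"),
                     "overdue": days_left < 0})
    rows.sort(key=lambda r: (not r["in_kev"],
                             r["days_left"] if r["days_left"] is not None else 10**6))
    return rows


def main(argv: list) -> None:
    feed_json = SAMPLE_KEV_JSON
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            feed_json = fh.read()
    for row in triage(feed_json, ADVISORY_CVES, date.today()):
        if not row["in_kev"]:
            print(f"{row['cve']} ({row['product']}): not in KEV; prioritize on CVSS/exposure")
            continue
        state = "OVERDUE" if row["overdue"] else f"{row['days_left']} day(s) left"
        print(f"{row['cve']} ({row['product']}): in KEV, due {row['due']}, "
              f"{state}, ransomware use: {row['ransomware']}")


if __name__ == "__main__":
    main(sys.argv)
```

The rows are sorted so that an overdue or near-due listing rises to the top regardless of the order the CVEs were given in; a CVE missing from the catalog is still emitted rather than silently dropped, since KEV is a floor for urgency, not a complete list of exploited bugs.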
Defender Context
Defenders should patch FortiAuthenticator and FortiSandbox deployments immediately. Because both flaws are listed in CISA KEV as actively exploited, patching alone is not sufficient: treat any instance that was reachable from untrusted networks before the fix was applied as potentially compromised, and review it for unexpected administrative accounts, configuration changes, outbound connections and gaps in logging. Where patching must be delayed, restrict network access to the appliances to trusted management networks as a general mitigation. Fortinet products are frequently targeted by threat actors, and exploitation of these flaws could give an attacker privileged access to the identity and malware-analysis tiers of a network, a strong starting position for wider compromise.