Fortinet Patches Critical RCE Vulnerabilities in FortiSandbox and FortiAuthenticator
Tags Infrastructure · Enterprise

Fortinet released security updates for two critical vulnerabilities: CVE-2026-39808 (CVSS 9.8, OS command injection in FortiSandbox 4.4.0–4.4.8, public exploits available) and CVE-2026-44277 (CVSS 9.8, improper access control in FortiAuthenticator 6.5.x/6.6.x/8.0.x enabling unauthenticated RCE). FortiAuthenticator was patched in versions 6.5.7, 6.6.9, and 8.0.3. While no active exploitation was reported at disclosure, Fortinet products are frequently targeted in ransomware and cyber-espionage attacks, often as zero-days. In February, Fortinet addressed CVE-2026-21643 in FortiClient EMS, which was flagged as actively exploited one month later.
Technical significance
Fortinet products are a perennial target for both state-sponsored and financially motivated actors because of their widespread deployment in government and enterprise networks. The established pattern of Fortinet zero-days being exploited before they are patched (CVE-2026-21643 was being exploited in the wild before it was flagged as such) means organizations should treat these patches as urgent. FortiAuthenticator's role as an IAM solution makes CVE-2026-44277 particularly dangerous: unauthenticated RCE on an identity platform can cascade into full network compromise.