Fortinet Patched Pre-Auth RCE in FortiSandbox and FortiAuthenticator Today. The Last One We Tracked Hit CISA KEV in Sixty Days. Patch This Week.
- Patrick Duggan
Two pre-authentication remote code execution vulnerabilities in Fortinet products were patched today, May 13, 2026. Either one would be a P1 incident on its own. Together they describe how a defensive posture goes from useful to compromised in a single TCP connection.
The first is CVE-2026-44277, a pre-auth RCE in FortiAuthenticator, Fortinet's identity and access management appliance — the box that issues authentication tokens, federates with your SSO, and stamps "approved" on every login that downstream systems trust. Fortinet's advisory FG-IR-26-128 describes it as an improper access control flaw that lets an unauthenticated attacker execute arbitrary code or commands via crafted requests. Fixed in versions 6.5.7, 6.6.9, and 8.0.3. FortiAuthenticator Cloud — the IDaaS variant — is unaffected. Everyone else on FortiAuthenticator who has not patched today is operating an appliance that can be remotely commandeered without a login.
The second is CVE-2026-26083, a pre-auth RCE in FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS, Fortinet's malware-detonation appliance: the box your network sends suspicious files to for inspection. The flaw is a missing authorization check on the Web UI's HTTP request handling. An unauthenticated attacker reaches the management plane of the appliance that decides whether files are malicious. Patches are out today.
Neither vulnerability has confirmed in-the-wild exploitation as of this writing. That is the window.
The receipt — why we are not telling you to wait until next maintenance window
We have thirty-eight prior posts on Fortinet vulnerabilities in our archive. The most operationally relevant ones for today's posture decision are from February through April 2026.
On February 24, 2026, we documented an SQL injection pattern affecting FortiClient Endpoint Management Server. We were alerting on the exact pattern weeks before any major vendor advisory referenced it. On April 14, CISA added the EMS flaw to the Known Exploited Vulnerabilities catalog. On April 15, we wrote the post titled "CISA Added Fortinet EMS to KEV Yesterday. We Wrote About It in February." On April 16, CISA's mandatory patch deadline arrived, and we posted "CISA's Fortinet Deadline Is Today. We've Been Alerting On The Exact SQL Pattern For Weeks."
The compressed timeline: vulnerability surfaces, our archive picks up the pattern, CISA KEV adds it inside two months, federal mandatory patching follows in days. That is the cadence Fortinet vulnerabilities operate on. Six to ten weeks from disclosure to CISA-mandated patching is not the worst case; it is the average case for Fortinet pre-auth bugs over the last eighteen months.
Today's two CVEs sit at day zero of that timeline.
Why these two appliances specifically matter more than the average pre-auth RCE
FortiSandbox is where untrusted files go to be examined. The compromise pattern, if either of these vulnerabilities gets weaponized before patching: an attacker reaches the sandbox management plane, observes every file your organization has flagged as suspicious in the recent past, modifies verdict outputs to mark malicious files as clean, and plants persistent artifacts on the appliance that downstream systems trust as authoritative. The box that inspects your malware becomes the box that hides their malware.
FortiAuthenticator is where identity gets minted. The compromise pattern: an attacker reaches the appliance management plane, forges authentication tokens, federates those tokens into your SSO chain, and impersonates any user the appliance trusts — which is every user the appliance issues tokens for. The downstream blast radius is whatever systems your IdP fronts. For most organizations that run FortiAuthenticator, that is everything from email to VPN to internal applications.
Pre-authentication remote code execution on a security appliance is the worst class of bug for defender posture. Most enterprise vulnerability triage logic assumes that an attacker has to compromise something else first to reach the box that issues your identity or examines your malware. Pre-auth RCE breaks that assumption. The attacker reaches the most-trusted box directly.
What to do this week
Three steps, in order of speed.
First, identify every FortiSandbox and FortiAuthenticator instance in your environment and verify whether its Web UI is internet-accessible. If yes, the patching priority is today, not this maintenance window. If no — and only if no — the priority is this week.
Second, apply the patches: FortiAuthenticator to 6.5.7, 6.6.9, or 8.0.3 depending on your major version line; FortiSandbox to whichever fixed version line your deployment targets per today's advisory. Fortinet PSIRT publishes the per-version mapping.
Third, hunt your egress logs and management-plane access logs for the previous thirty days for unusual administrative-shape requests against either appliance. There is no public exploitation indicator yet, but pre-auth RCEs in security appliances often turn out to have been used quietly before disclosure, and you want to know now rather than via incident response later.
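The first two steps above, turned into a small patch-priority triage over an asset inventory. This is an added example, not the post's own or Fortinet's tooling: the FortiAuthenticator fixed versions come from the post, while the inventory fields, the `webui_internet_exposed` flag and the FortiSandbox placeholder version are assumptions of the example.

```python
import ipaddress

# Minimum fixed build per FortiAuthenticator branch, as listed in the post.
# Branches the post does not mention (e.g. 7.x) are deliberately not guessed.
FORTIAUTHENTICATOR_FIXED = {(6, 5): (6, 5, 7), (6, 6): (6, 6, 9), (8, 0): (8, 0, 3)}

def parse_version(text):
    """'6.6.8' -> (6, 6, 8); tolerates a trailing build tag such as '6.6.8-b123'."""
    return tuple(int(part) for part in text.split("-")[0].split("."))

def is_internet_exposed(asset):
    """True if the inventory flags the Web UI as exposed or the management IP is
    globally routable (RFC 5737 sample addresses below are not global)."""
    if asset.get("webui_internet_exposed"):
        return True
    return ipaddress.ip_address(asset["mgmt_ip"]).is_global

def fortiauthenticator_status(version):
    """'affected', 'fixed', or 'check advisory' for a branch the post omits."""
    v = parse_version(version)
    fixed = FORTIAUTHENTICATOR_FIXED.get(v[:2])
    if fixed is None:
        return "check advisory"
    return "fixed" if v >= fixed else "affected"

def triage(asset):
    """Map one inventory row to the priority the post's steps imply."""
    product = asset["product"]
    if product == "FortiAuthenticator Cloud":
        return "unaffected"          # IDaaS variant is out of scope per the advisory
    if product == "FortiAuthenticator":
        status = fortiauthenticator_status(asset["version"])
    elif product.startswith("FortiSandbox"):
        status = "check advisory"    # the post gives no FortiSandbox fixed versions
    else:
        return "not in scope"
    if status != "affected":
        return status
    # Step one: exposed Web UI means today, internal-only means this week.
    return "patch today" if is_internet_exposed(asset) else "patch this week"

# Constructed sample inventory: not real hosts, addresses from RFC 1918/5737.
SAMPLE_INVENTORY = [
    {"product": "FortiAuthenticator", "version": "6.6.8", "mgmt_ip": "203.0.113.10", "webui_internet_exposed": True},
    {"product": "FortiAuthenticator", "version": "6.5.6", "mgmt_ip": "10.20.0.5", "webui_internet_exposed": False},
    {"product": "FortiAuthenticator", "version": "8.0.3", "mgmt_ip": "10.20.0.6", "webui_internet_exposed": False},
    {"product": "FortiAuthenticator Cloud", "version": "n/a", "mgmt_ip": "0.0.0.0"},
    {"product": "FortiSandbox", "version": "x.y.z", "mgmt_ip": "10.30.0.9", "webui_internet_exposed": False},
]
```

Run `triage(row)` over each inventory row; anything that comes back "check advisory" needs the per-version mapping from Fortinet PSIRT rather than a guess.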
Where we sit
Both CVEs went into our adversaries-and-CVE tracking today. Our STIX feed will carry any indicators that surface as exploitation attempts get reported. Subscribers will see them at the same time we see them; the free tier, at ten queries per day, is sufficient to keep a small SOC on this cadence.
Fortinet's track record means the clock starts now. Better to be early this week than mandated next month.
— Patrick Duggan, May 13, 2026