- Red plus Blue makes Purple!/
- Active Vulnerability List/
- 2026/
- CVE-2026-44277 | FortiAuthenticator | RCE/
CVE-2026-44277 | FortiAuthenticator | RCE
| Field | Details |
|---|---|
| Vulnerability | CVE-2026-44277 |
| Affected Product | Fortinet FortiAuthenticator (Identity and Access Management appliance — RADIUS, LDAP, SAML, SSO, MFA broker). Per Fortinet PSIRT advisory FG-IR-26-128, vulnerable versions are: FortiAuthenticator 8.0.0 and 8.0.2, FortiAuthenticator 6.6.0 through 6.6.8, and FortiAuthenticator 6.5.0 through 6.5.6. FortiAuthenticator Cloud (formerly FortiTrust Identity) is NOT impacted and requires no action from cloud customers. |
| Type | Improper Access Control on API endpoints leading to unauthenticated remote code/command execution. Per Fortinet’s advisory title: “Improper access control on API endpoints.” |
| CWE | CWE-284: Improper Access Control, as assigned by Fortinet, Inc. (CNA) on the FG-IR-26-128 advisory. |
| Description | Per Fortinet’s FG-IR-26-128 advisory verbatim: “An Improper Access Control vulnerability [CWE-284] in FortiAuthenticator may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.” The bug resides in the API component of FortiAuthenticator and enables a remote, unauthenticated attacker to reach functionality that should require authentication, leading to arbitrary code or command execution on the appliance. Fortinet states the issue was internally discovered during a Fortinet audit and, at the time of advisory publication (2026-05-12), was not known to be actively exploited in the wild. |
| Severity | CVSS v3.1: 9.1 Critical per Fortinet’s advisory. The base vector published by Fortinet is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (base score 9.8), with temporal modifiers E:F/RL:O/RC:C (Functional exploit code maturity, Official Fix available, Confirmed report confidence) reducing the score to the published 9.1. CVSS v4.0: Not assigned by Fortinet at time of writing. |
| Root Cause | Insufficient authorization checks on API endpoints exposed by the FortiAuthenticator appliance. The vulnerable endpoints accept and act on requests without verifying the requester’s authentication or authorization state, allowing a network-positioned attacker to reach functionality that should be gated. Fortinet’s advisory names the component as “API” but does not publicly disclose the specific endpoint path, parameter, request method, or the exact command/code execution sink reached after the access control bypass. Specific vulnerable API endpoint and exploitation primitive not publicly disclosed by Fortinet. A GitHub repository claiming to provide a PoC for this CVE has been mentioned in third-party coverage (aiutocomputerhelp.it), but its authenticity and quality have not been independently validated in vendor channels. |
| Attack Vector | Network (AV:N). Exploitation occurs over the network against the FortiAuthenticator’s API interface. No physical or local access is required; the attacker need only reach the appliance’s API endpoint over IP. Internet-exposed FortiAuthenticator instances are directly at risk; internal-only deployments are exposed to attackers who have already obtained network access by another means. |
| Privileges Required | None (PR:N) per the CVSS vector. Fortinet explicitly identifies the attack type as “Unauthenticated” in the advisory metadata. No credentials, tokens, or session cookies are required prior to exploitation. |
| User Interaction | None (UI:N) per the CVSS vector. No victim or operator action is required — the attacker sends the crafted request directly to the API and the appliance processes it. |
| Impact | Execute unauthorized code or commands on the FortiAuthenticator appliance, per Fortinet’s “Impact” field in the advisory. CVSS shows High Confidentiality, Integrity, and Availability impact (C:H/I:H/A:H). The strategic impact is amplified because FortiAuthenticator is the identity broker for the entire enterprise — it sits on the trust path for RADIUS, LDAP, SAML federation, single sign-on, and multi-factor authentication. A compromised FortiAuthenticator allows the attacker to observe authentication flows, manipulate authentication decisions, harvest credentials and tokens, bypass or weaken MFA, and forge identity assertions that downstream applications trust. |
| Why the Bug Matters | This is not a vulnerable web server somewhere on the network — this is a vulnerable identity broker that other systems are configured to trust. Per aiutocomputerhelp.it, the relevant framing is: “If an authentication system is compromised, the problem is not just the vulnerable machine — it becomes the chain of trust that machine represents.” Compromise of the IAM appliance gives the attacker a privileged position above the network’s authentication plane, enabling silent observation of all SSO traffic, modification of MFA enrollment, and potential impersonation of any identity the appliance brokers. Combined with the unauthenticated remote attack vector, this is a high-value target for both ransomware operators (who use Fortinet appliances as entry points historically) and state-aligned actors. Per BleepingComputer: CISA has added 24 Fortinet vulnerabilities to its KEV catalog in recent years, 13 of which were abused in ransomware. Fortinet’s pattern of internally discovered bugs being weaponized within weeks (e.g., CVE-2026-21643 FortiClient EMS exploited one month after disclosure) makes the n-day window for CVE-2026-44277 small. |
| Execution Flow | 1. Attacker identifies an internet-exposed or network-accessible FortiAuthenticator appliance running a vulnerable version (8.0.0, 8.0.2, 6.6.0–6.6.8, or 6.5.0–6.5.6). 2. Attacker sends a crafted HTTP/HTTPS request to a vulnerable API endpoint on the appliance — without supplying any credentials or session tokens. 3. The appliance’s API handler fails to enforce the required access control check and processes the request as if authorized. 4. The processed request reaches a code or command execution sink, resulting in attacker-controlled code or commands running on the appliance. 5. Attacker leverages the code execution to establish persistence on the IAM appliance, harvest credentials, tokens, and configuration data, and manipulate authentication flows for downstream applications that trust this FortiAuthenticator instance. Steps 2–4 are abstracted because Fortinet has not publicly disclosed the specific endpoint or primitive. |
| Threat Model / Abuse Scenarios | - Internet-exposed FortiAuthenticator instances providing SSO portals or RADIUS-over-internet — direct unauthenticated compromise - Post-perimeter pivot to identity — attacker with internal network access targets FortiAuthenticator to elevate from “in the network” to “controls the authentication plane” - Ransomware staging — IAM compromise enables silent credential harvest, lateral movement to Tier-0 identity systems (Active Directory, Entra ID federation), and broad domain access before ransomware deployment - MFA bypass at scale — attacker manipulates FortiAuthenticator’s MFA enforcement or enrollment to defeat MFA protections across the enterprise - SSO/SAML assertion forgery — compromised FortiAuthenticator can be used to mint identity assertions trusted by downstream SaaS applications, expanding blast radius beyond the corporate network |
| Detection Opportunities | - FortiAuthenticator system logs and API access logs: monitor for HTTP requests to API endpoints from unexpected source IPs, particularly internet-origin requests if the appliance should be internal-only - FortiAuthenticator shell access / process telemetry: detect unexpected processes or shell commands spawned outside of administrator activity windows - FortiAuthenticator outbound network connections: monitor for outbound connections from the appliance to non-Fortinet infrastructure — under normal operation, FortiAuthenticator’s outbound traffic should be limited to FortiGuard services, NTP, LDAP/AD, RADIUS clients, and configured SMTP relays - Authentication anomaly monitoring downstream: correlate unusual SSO, RADIUS, or LDAP bind events (new MFA enrollments, password resets, account creations, geographically anomalous logins) with the disclosure timeline of CVE-2026-44277 - Network-level IDS/IPS: enable Fortinet’s own IPS signatures for FG-IR-26-128 if running adjacent Fortinet network devices - Inferred from bug mechanics: HTTP request monitoring at the network edge for unauthenticated POST/PUT requests to FortiAuthenticator API paths outside normal administrative source ranges |
| High-Value Detection Clues | - FortiAuthenticator running version 8.0.2, 8.0.0, 6.6.0–6.6.8, or 6.5.0–6.5.6 after the May 12, 2026 advisory - API access from public internet IP space to FortiAuthenticator that should only be reachable internally - New administrative accounts created on FortiAuthenticator outside change-control windows - Unexpected configuration changes to RADIUS clients, LDAP integrations, SAML SP configurations, or MFA enrollment policies - New or modified SSH keys / API tokens on the appliance - Outbound TLS connections from FortiAuthenticator’s management IP to non-Fortinet destinations - Inferred from bug mechanics: bursts of HTTP requests to API URI paths with anomalous Content-Type, payload size, or response codes in the appliance access log just prior to other compromise indicators |
| Example Hunt Ideas | - In central log aggregation: hunt for HTTP requests to FortiAuthenticator API endpoints (typically /api/) sourced from non-administrative IP ranges- In firewall logs: identify any inbound traffic from the public internet to FortiAuthenticator’s HTTPS port — for any deployment where the appliance is supposed to be internal-only, this is an immediate finding - In FortiAuthenticator audit logs: hunt for administrative actions (config write, certificate import, user creation) without a corresponding interactive login event from the same session ID - Across the IAM ecosystem: hunt for unexpected SAML assertions issued by FortiAuthenticator to applications that have not seen them before, or assertions outside normal user populations - Inferred: in EDR telemetry for systems integrated with FortiAuthenticator (RADIUS clients, LDAP clients): hunt for authentication anomalies starting after May 12, 2026 that suggest the IAM broker may be manipulating responses |
| Mitigation | Upgrade FortiAuthenticator to a fixed version immediately, per FG-IR-26-128: - 8.0 branch: upgrade to 8.0.3 or above - 6.6 branch: upgrade to 6.6.9 or above - 6.5 branch: upgrade to 6.5.7 or above Fortinet’s official workaround when patching cannot be performed immediately: “Disable API access for exposed interfaces via Network → Interfaces → Access Rights.” Restricting which network interfaces expose the management/API surface materially reduces blast radius until patch deployment. Additional defensive actions: restrict source IP access to FortiAuthenticator’s management/API interface via network segmentation, ACLs, or VPN-only access; audit administrative accounts and API tokens on the appliance; review recent authentication policy changes; and if compromise is suspected, rotate any credentials, tokens, or certificates that the appliance manages or has access to. |
| Solution Status | Patched. Fortinet published PSIRT advisory FG-IR-26-128 with patched versions FortiAuthenticator 8.0.3, 6.6.9, and 6.5.7 on 2026-05-12. At time of advisory publication, Fortinet states “Known Exploited: No” — no in-the-wild exploitation had been confirmed by Fortinet as of disclosure. The vulnerability was internally discovered during a Fortinet audit rather than reported by an external researcher. CVE-2026-44277 is not currently listed in the CISA KEV catalog at time of writing (May 25, 2026). |
| MITRE ATT&CK Mapping | ATT&CK mapping not publicly established by Fortinet or CISA at time of writing. Inferred from bug mechanics: T1190 Exploitation of Public-Facing Application (direct fit for unauthenticated network-reachable code execution on an internet-exposed appliance). For post-exploitation following IAM compromise: T1556 Modify Authentication Process (the appliance IS the authentication process — once compromised, the attacker can alter how authentication is performed), T1212 Exploitation for Credential Access (credentials and tokens passing through the IAM broker), T1078 Valid Accounts (use of accounts harvested from the appliance), T1606.002 Forge Web Credentials: SAML Tokens (if attacker leverages a compromised SAML SP/IdP role), and T1098.005 Account Manipulation: Device Registration (MFA enrollment manipulation). |
| Limitations / Constraints | - No in-the-wild exploitation confirmed at advisory publication (May 12, 2026); status may have changed since. Treat as imminent risk regardless given Fortinet’s history. - Not in CISA KEV at time of writing. - FortiAuthenticator Cloud is not affected — only on-premise appliances need action. - Specific vulnerable endpoint and exploitation primitive are not publicly disclosed by Fortinet, limiting precision of pre-patch network signatures. - A GitHub repo claiming to be a PoC has been referenced in third-party coverage but is not vendor-validated — exercise caution before relying on or executing such code. - The 9.1 CVSS score reflects temporal adjustment (E:F/RL:O/RC:C); the base CVSS is 9.8 Critical — defenders should not be reassured by the lower number. |
| References | - https://fortiguard.fortinet.com/psirt/FG-IR-26-128 - https://nvd.nist.gov/vuln/detail/CVE-2026-44277 - https://www.bleepingcomputer.com/news/security/fortinet-warns-of-critical-rce-flaws-in-fortisandbox-and-fortiauthenticator/ - https://www.csoonline.com/article/4170993/fortinet-fixes-two-critical-rce-flaws-in-fortiauthenticator-and-fortisandbox.html - https://thehackernews.com/2026/05/ivanti-fortinet-sap-vmware-n8n-patch.html - https://insights.integrity360.com/threat-advisories/critical-rce-vulnerabilities-in-fortinet-fortisandbox-fortiauthenticator - https://www.technadu.com/fortinet-patches-critical-rce-vulnerabilities-in-fortisandbox-and-fortiauthenticator/627847/ - https://www.csa.gov.sg/alerts-and-advisories/alerts/al-2026-054/ - https://threataft.com/articles/fortinet-critical-rce-fortisandbox-fortiauthenticator - https://www.aiutocomputerhelp.it/en/cve-2026-44277-fortiauthenticator-2/ |