ctipilot.ch

Fortinet FortiAuthenticator unauthenticated RCE (CWE-284, CVSS 9.8) — pre-auth, fixed in 6.5.7 / 6.6.9 / 8.0.3

cve · CVE-2026-44277

Coverage timeline: 3 (first 2026-05-13 → last 2026-05-17)
Briefs: 2 (2 distinct)
Sources cited: 73 (38 hosts)
Sections touched: 3 (action_items, trending_vulns, weekly_summary)
Co-occurring entities: 3 (see Related entities below)

Story timeline

  1. 2026-05-17 · CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026)
     weekly_summary · Consolidated in weekly summary for 2026-W20
  2. 2026-05-13 · CTI Daily Brief — 2026-05-13
     trending_vulns · New 2026-05-12 Fortinet PSIRT; pre-auth RCE; NCSC-CH corroborating.
  3. 2026-05-13 · CTI Daily Brief — 2026-05-13
     action_items · Action item referencing in-brief detail.

Where this entity is cited

  • trending_vulns: 1
  • action_items: 1
  • weekly_summary: 1

Source distribution

  • attack.mitre.org: 15 (21%)
  • bleepingcomputer.com: 6 (8%)
  • thehackernews.com: 6 (8%)
  • securityweek.com: 4 (5%)
  • fortiguard.fortinet.com: 3 (4%)
  • fortinet.com: 3 (4%)
  • arcticwolf.com: 2 (3%)
  • cisa.gov: 2 (3%)
  • other: 32 (44%)

Related entities

External references

NVD · cve.org · CISA KEV

All cited sources (73)

Items in briefs about Fortinet FortiAuthenticator unauthenticated RCE (CWE-284, CVSS 9.8) — pre-auth, fixed in 6.5.7 / 6.6.9 / 8.0.3 (2)

CVE-2026-44277 / CVE-2026-26083 — Fortinet FortiAuthenticator and FortiSandbox unauthenticated RCE

From CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026) · published 2026-05-17

Fortinet's 2026-05-13 PSIRT batch addresses two unauthenticated remote-code-execution flaws on management-plane Fortinet appliances common in Swiss federal and cantonal estates. CVE-2026-44277 (FortiAuthenticator, the SAML / RADIUS / 802.1X identity broker) and CVE-2026-26083 (FortiSandbox, the malware-analysis appliance) are both pre-auth, network-reachable and CVSS ≥ 9. The daily brief of 2026-05-13 confirmed the patched builds; no in-the-wild (ITW) exploitation was reported at week's end. Operational implication: FortiAuthenticator sits at the centre of identity-broker trust chains in many public-sector network architectures, so a compromised FortiAuthenticator yields cross-domain credential-issuance capability that is materially worse than a typical RCE — patch state should be verified explicitly on every FortiAuthenticator deployment (Fortinet PSIRT FG-IR-26-128 / FG-IR-26-136; daily 2026-05-13).

CVE-2026-44277 / CVE-2026-26083 — Fortinet FortiAuthenticator and FortiSandbox unauthenticated RCE

From CTI Daily Brief — 2026-05-13 · published 2026-05-13

Fortinet published two PSIRT advisories on 2026-05-12, picked up by NCSC-CH within hours. CVE-2026-44277 (CWE-284 Improper Access Control) allows an unauthenticated network attacker to reach the FortiAuthenticator management-interface API and execute arbitrary commands via crafted requests; the vendor PSIRT lists CVSS 9.1 (NCSC-CH and some early reports surfaced 9.8 — § 7 documents the convergence). Affected: 6.5.0–6.5.6, 6.6.0–6.6.8 and 8.0.0–8.0.2. Fixed in 6.5.7 / 6.6.9 / 8.0.3. FortiAuthenticator Cloud (IDaaS) is not affected (Fortinet PSIRT FG-IR-26-128, 2026-05-12; NCSC-CH Security Hub #12569, 2026-05-13). CVE-2026-26083 (CWE-862 Missing Authorization) allows an unauthenticated attacker to reach the FortiSandbox Web UI and execute code, at CVSS 9.1 per the Fortinet PSIRT advisory (Fortinet PSIRT FG-IR-26-136, 2026-05-12; BleepingComputer, 2026-05-13). Affected FortiSandbox: 4.4.0–4.4.8 (fixed 4.4.9), 5.0.0–5.0.1 (fixed 5.0.2), plus multiple PaaS / Cloud variants; on-prem Cloud 23 and 24 require migration rather than an in-place patch. Both discoveries are attributed to an internal Fortinet audit; exploitation status was unknown at disclosure. The defender-relevant attack surface is the network-reachable management plane on each appliance class. Detection concepts, mapped to T1190 Exploit Public-Facing Application: alert on FortiAuthenticator / FortiSandbox management-port reach from outside the SOC management VLAN; treat any anomalous outbound HTTP from these appliances (Sysmon-equivalent on FortiOS via diagnose debug application httpsd for FortiAuthenticator) as potential post-exploit egress. Hardening: enforce the perimeter / internal firewall rule that the FortiAuthenticator GUI / API and FortiSandbox Web UI are reachable only from named admin / SOC source IPs — Fortinet's PSIRT pages explicitly call this out as the residual hardening even after patching.
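The two defender actions both brief items call for, patch-state verification against the affected builds and alerting on management-plane reach from outside the admin VLAN, as an added example. This is illustrative code written for this page, not Fortinet's or ctipilot's own tooling. The affected and fixed build numbers are the ones quoted in the brief; the flow-record layout, the admin CIDR 10.10.0.0/24, the management port 443 and every host name and address in the sample data are constructed assumptions. FortiSandbox PaaS / Cloud variants and the Cloud 23 / 24 migration case are deliberately not modelled, since a version compare is the wrong check for them.

```python
"""Patch-state verification and management-plane reach detection for the
FortiAuthenticator / FortiSandbox advisories. Illustrative code for this page
only; not vendor tooling. See module-level constants for what is assumed."""
import ipaddress
from typing import Iterable

# Affected build ranges as inclusive (first, last) tuples, taken from the brief.
# Fixed builds are 6.5.7 / 6.6.9 / 8.0.3 and 4.4.9 / 5.0.2, i.e. one past each range.
AFFECTED_RANGES = {
    "FortiAuthenticator": [((6, 5, 0), (6, 5, 6)),
                           ((6, 6, 0), (6, 6, 8)),
                           ((8, 0, 0), (8, 0, 2))],
    "FortiSandbox":       [((4, 4, 0), (4, 4, 8)),
                           ((5, 0, 0), (5, 0, 1))],
}


def parse_version(version: str) -> tuple:
    """'v6.6.8-build0123' -> (6, 6, 8). Rejects anything not major.minor.patch."""
    core = version.strip().lstrip("vV").split("-", 1)[0]
    parts = tuple(int(p) for p in core.split("."))
    if len(parts) != 3:
        raise ValueError(f"expected major.minor.patch, got {version!r}")
    return parts


def is_affected(product: str, version: str) -> bool:
    """True if the build lies inside an affected range quoted in the brief.

    A branch the brief does not list yields False; read that as "not listed as
    affected", not as proof the build is safe.
    """
    ver = parse_version(version)
    return any(lo <= ver <= hi for lo, hi in AFFECTED_RANGES[product])


def unpatched_hosts(inventory: Iterable[dict]) -> list:
    """Reduce an appliance inventory to the hosts still on an affected build."""
    return [h["host"] for h in inventory if is_affected(h["product"], h["version"])]


# Constructed inventory, shaped like a CMDB export of the two appliance classes.
SAMPLE_INVENTORY = [
    {"host": "fac-01", "product": "FortiAuthenticator", "version": "6.6.8"},  # affected
    {"host": "fac-02", "product": "FortiAuthenticator", "version": "6.6.9"},  # fixed
    {"host": "fac-03", "product": "FortiAuthenticator", "version": "8.0.3"},  # fixed
    {"host": "fsa-01", "product": "FortiSandbox",       "version": "4.4.8"},  # affected
    {"host": "fsa-02", "product": "FortiSandbox",       "version": "5.0.2"},  # fixed
]

# Constructed detection inputs. In a SOC these would be firewall or NetFlow
# records; the admin VLAN CIDR and the management port are assumptions.
ADMIN_NETS = [ipaddress.ip_network("10.10.0.0/24")]
MGMT_PORTS = {443}
SAMPLE_FLOWS = [
    {"src": "10.10.0.15",   "dst": "fac-01", "dport": 443},   # admin VLAN -> GUI: expected
    {"src": "198.51.100.7", "dst": "fac-01", "dport": 443},   # internet -> GUI: alert
    {"src": "10.30.4.9",    "dst": "fsa-01", "dport": 443},   # user VLAN -> Web UI: alert
    {"src": "10.30.4.9",    "dst": "fac-01", "dport": 1812},  # RADIUS from a NAS: service plane, ignored
]


def find_mgmt_plane_reach(flows: Iterable[dict], admin_nets=ADMIN_NETS,
                          mgmt_ports=MGMT_PORTS) -> list:
    """Return flows that hit a management port from outside the admin networks.

    Only the management plane is checked: RADIUS / LDAP / SAML service ports on
    FortiAuthenticator are legitimately reached by NAS devices and are not the
    surface the brief describes.
    """
    alerts = []
    for f in flows:
        if f["dport"] not in mgmt_ports:
            continue
        src = ipaddress.ip_address(f["src"])
        if any(src in net for net in admin_nets):
            continue
        alerts.append({"src": f["src"], "dst": f["dst"], "dport": f["dport"],
                       "technique": "T1190",
                       "reason": "management-plane reach from non-admin source"})
    return alerts


if __name__ == "__main__":
    print("still on affected builds:", unpatched_hosts(SAMPLE_INVENTORY))
    for alert in find_mgmt_plane_reach(SAMPLE_FLOWS):
        print("ALERT", alert)
```

On the sample data the inventory check reports fac-01 and fsa-01 as unpatched, and the flow check raises two alerts (the internet source and the user-VLAN source reaching port 443) while ignoring the RADIUS flow. Swapping ADMIN_NETS for the real SOC management prefixes and MGMT_PORTS for the ports the GUI / API actually listen on is the only change needed to run it against exported flow records; the same allowlist is what the perimeter rule the brief recommends should enforce, so a non-empty alert list after patching indicates the firewall rule is missing or too broad.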