PatchSiren cyber security CVE debrief

CVE-2026-44277 Fortinet CVE debrief

A critical improper access control vulnerability in Fortinet FortiAuthenticator allows unauthenticated remote attackers to execute unauthorized code or commands via crafted network requests. The vulnerability affects multiple versions across the 6.5, 6.6, and 8.0 release branches, with patches available in versions 6.5.7, 6.6.9, and 8.0.3 respectively. The CVSS 3.1 score of 9.8 reflects network attack vector, low complexity, no required privileges, and high impact across confidentiality, integrity, and availability. Fortinet published PSIRT advisory FG-IR-26-128 with remediation guidance. No known exploitation in ransomware campaigns has been confirmed, and the vulnerability has not been added to CISA's Known Exploited Vulnerabilities catalog.

Vendor: Fortinet
Product: FortiAuthenticator
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-12
Original CVE updated: 2026-05-28
Advisory published: 2026-05-12
Advisory updated: 2026-05-28

Who should care

Organizations operating FortiAuthenticator for multi-factor authentication and identity management, particularly those with internet-exposed or broadly accessible management interfaces. Security teams responsible for Fortinet infrastructure, identity and access management administrators, and compliance officers tracking critical vulnerability remediation timelines.

Technical summary

CVE-2026-44277 is an improper access control vulnerability (CWE-284) in Fortinet FortiAuthenticator that permits unauthenticated remote attackers to execute arbitrary code or commands. The vulnerability stems from insufficient access control enforcement on specific request handlers, allowing crafted network requests to bypass authentication and authorization checks. Affected versions include FortiAuthenticator 6.5.0 through 6.5.6, 6.6.0 through 6.6.8, and 8.0.0 through 8.0.2. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) indicates a network-exploitable, low-complexity attack requiring no privileges or user interaction, with high impact on confidentiality, integrity, and availability. Fortinet released patches on May 12, 2026, and the NVD record was modified on May 28, 2026 to reflect the updated vulnerability status.

Defensive priority

Critical

Recommended defensive actions

  • Upgrade FortiAuthenticator to patched versions: 6.5.7 or later for 6.5.x branch, 6.6.9 or later for 6.6.x branch, or 8.0.3 or later for 8.0.x branch
  • Apply interim access controls to restrict FortiAuthenticator management interfaces to trusted administrative networks if patching is delayed
  • Monitor FortiAuthenticator logs for anomalous authentication or administrative activity
  • Review Fortinet PSIRT advisory FG-IR-26-128 for vendor-specific configuration guidance
  • Validate FortiAuthenticator deployment against CPE criteria to confirm exposure: versions 6.5.0-6.5.6, 6.6.0-6.6.8, 8.0.0-8.0.2
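The exposure check in the last action above, carried out over an inventory, as an added example that is not part of the original debrief and not PatchSiren's or Fortinet's own tooling. The affected ranges and first fixed builds are exactly the ones this debrief lists; the host inventory is constructed sample data, and the `assess` and `triage_inventory` names are the example's own. A branch the debrief does not mention (for instance 7.x) is reported as "not listed" rather than guessed at, so the output only ever states what the advisory supports.

```python
"""Check FortiAuthenticator version strings against the CVE-2026-44277 ranges in this debrief."""
from __future__ import annotations

import re

# (lowest affected, highest affected, first fixed) per release branch,
# taken from the debrief: 6.5.0-6.5.6 -> 6.5.7, 6.6.0-6.6.8 -> 6.6.9, 8.0.0-8.0.2 -> 8.0.3.
AFFECTED_RANGES: dict[tuple[int, int], tuple[tuple[int, ...], tuple[int, ...], tuple[int, ...]]] = {
    (6, 5): ((6, 5, 0), (6, 5, 6), (6, 5, 7)),
    (6, 6): ((6, 6, 0), (6, 6, 8), (6, 6, 9)),
    (8, 0): ((8, 0, 0), (8, 0, 2), (8, 0, 3)),
}

# Accepts "6.5.6", "v6.5.6" and strings with trailing build info such as "6.5.6,build1234".
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple[int, ...]:
    """Turn a version string into a comparable (major, minor, patch) tuple."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised FortiAuthenticator version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def assess(version_text: str) -> dict:
    """Classify one version as affected, patched, or not listed in the advisory ranges."""
    version = parse_version(version_text)
    branch = (version[0], version[1])
    if branch not in AFFECTED_RANGES:
        # The debrief says nothing about other branches, so do not claim either way.
        return {"version": version_text, "status": "not listed", "upgrade_to": None}
    lowest, highest, fixed = AFFECTED_RANGES[branch]
    if lowest <= version <= highest:
        return {
            "version": version_text,
            "status": "affected",
            "upgrade_to": ".".join(str(n) for n in fixed),
        }
    # Same branch but at or beyond the first fixed build.
    return {"version": version_text, "status": "patched", "upgrade_to": None}


def triage_inventory(inventory: list[tuple[str, str]]) -> list[dict]:
    """Return one record per host that still runs an affected build, with its target version."""
    findings = []
    for hostname, version_text in inventory:
        result = assess(version_text)
        if result["status"] == "affected":
            findings.append({"host": hostname, **result})
    return findings


# Constructed sample inventory (hostnames and versions are made up for this example).
SAMPLE_INVENTORY: list[tuple[str, str]] = [
    ("fac-dc1.example.internal", "6.5.6,build0123"),
    ("fac-dc2.example.internal", "6.6.9"),
    ("fac-lab.example.internal", "v8.0.1"),
    ("fac-old.example.internal", "7.2.1"),
]

if __name__ == "__main__":
    for finding in triage_inventory(SAMPLE_INVENTORY):
        print(f"{finding['host']}: {finding['version']} is affected, upgrade to {finding['upgrade_to']}")
```

Feed `triage_inventory` the (hostname, version) pairs from whatever asset source you trust; only hosts inside the advisory's affected ranges are returned, each paired with the first fixed build for its branch, which makes the output usable directly as a patch work list.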

Evidence notes

Vulnerability classification and affected versions derived from NVD CPE criteria and Fortinet PSIRT advisory. CVSS vector confirms unauthenticated network exploitation with complete system compromise potential. CWE-284 (Improper Access Control) identified as root cause.

Official resources

2026-05-12