Skip to content
Threat Feed
high advisory

Fortinet Patches Multiple Vulnerabilities in FortiAuthenticator, FortiOS, and FortiSandbox

Fortinet released security advisories on May 12, 2026, addressing critical vulnerabilities including improper access control, incorrect global authorization, and out-of-bounds access across FortiAuthenticator, FortiOS, and FortiSandbox product lines, urging users to apply necessary updates.

On May 12, 2026, Fortinet issued multiple security advisories addressing vulnerabilities found within its FortiAuthenticator, FortiOS, and FortiSandbox product lines. These advisories detail critical vulnerabilities such as improper access control on API endpoints, incorrect global authorization, and out-of-bounds memory access, potentially leading to unauthorized access or denial-of-service conditions. The affected products and versions include a range of releases, including FortiAuthenticator (versions 6.5.0 to 8.0.2), FortiOS (versions 7.2.0 to 7.6.3), and FortiSandbox (versions 4.4.0 to Cloud 24). Defenders should promptly review the advisories and apply the provided updates to mitigate potential risks.

Attack Chain

Given the nature of the vulnerabilities (improper access control, incorrect authorization, and out-of-bounds access), the following represents a generalized attack chain:

  1. Reconnaissance: Attacker identifies a vulnerable Fortinet appliance exposed to the network.
  2. Initial Access: Exploiting an improper access control vulnerability (FG-IR-26-128) to gain unauthorized access to API endpoints.
  3. Privilege Escalation: Leveraging an incorrect global authorization vulnerability (FG-IR-26-136) to escalate privileges within the system.
  4. Lateral Movement (Conditional): Depending on the configuration and network segmentation, the attacker may be able to use their elevated privileges to move laterally within the network.
  5. Out-of-bounds Access: Triggering an out-of-bounds memory access in the CAPWAP daemon (FG-IR-26-123), potentially leading to denial of service or information disclosure.
  6. Data Exfiltration or System Compromise: Using the compromised system to exfiltrate sensitive data or further compromise other systems on the network.

Impact

Successful exploitation of these vulnerabilities could allow attackers to gain unauthorized access to sensitive data, escalate privileges within the network, or cause denial-of-service conditions. The widespread use of Fortinet products across various sectors means a successful attack could impact numerous organizations.

Recommendation

  • Immediately apply the updates provided in the Fortinet security advisories (https://www.fortiguard.com/psirt) to address the vulnerabilities in FortiAuthenticator, FortiOS, and FortiSandbox.
  • Monitor network traffic for unusual activity related to Fortinet appliances, and deploy the Sigma rule below to detect unauthorized access attempts to API endpoints.
  • Review access control policies and authentication mechanisms on Fortinet appliances to ensure proper security configurations.

Detection coverage 2

Detect Unauthorized Access to Fortinet API Endpoints

medium

Detects potential unauthorized access attempts to Fortinet API endpoints, potentially exploiting FG-IR-26-128.

sigma tactics: initial_access techniques: T1190 sources: webserver

Detect Out-of-Bounds Access in CAPWAP Daemon

low

Detects potential exploitation of out-of-bounds access in the CAPWAP daemon, potentially related to FG-IR-26-123.

sigma tactics: denial_of_service techniques: T1499.004 sources: network_connection

Detection queries are available on the platform. Get full rules →