Fortinet Warns of Critical RCE Flaws in FortiSandbox and FortiAuthenticator

Fortinet has issued urgent security patches for critical remote code execution (RCE) vulnerabilities impacting its FortiSandbox and FortiAuthenticator products. BleepingComputer reports that these flaws could allow unauthenticated attackers to execute arbitrary commands or code on affected systems.

The vulnerabilities are severe. For FortiAuthenticator, a heap-based buffer overflow (CVE-2024-21772) in the sslvpn daemon allows pre-authentication RCE. FortiSandbox’s issue (CVE-2024-21773) is an OS command injection in the cli component, also enabling RCE. These aren’t theoretical; they represent direct avenues for compromise.

CISOs need to understand the attacker’s calculus here: unauthenticated RCE is the holy grail. It means a direct path from network access to system control without needing credentials. These are the vulnerabilities that get weaponized fast, often before many organizations even finish patching.

What This Means For You

  • If your organization uses FortiSandbox or FortiAuthenticator, you need to prioritize patching immediately. Unauthenticated RCE is a critical vector for initial access. Verify that your patching cycles are robust enough to handle zero-day-level threats like these, and audit logs for any suspicious activity around these devices prior to applying patches.

🛡️ Detection Rules

Fortinet FortiAuthenticator SSLVPN Pre-Auth RCE (CVE-2024-21772): severity critical, ATT&CK T1190, Initial Access

Source: Shimi's Cyber World

Indicators of Compromise

ID                    Type               Indicator
Fortinet-RCE-2024-04  RCE                FortiSandbox
Fortinet-RCE-2024-04  RCE                FortiAuthenticator
Fortinet-RCE-2024-04  Command Injection  FortiSandbox
Fortinet-RCE-2024-04  Command Injection  FortiAuthenticator