Fortinet FortiAuthenticator Critical Improper Access Control Vulnerability
The National Vulnerability Database (NVD) has published CVE-2026-44277, a critical improper access control vulnerability in Fortinet FortiAuthenticator. Affected versions are 8.0.0 and 8.0.2, 6.6.0 through 6.6.8, and 6.5.0 through 6.5.6. The flaw carries a CVSS score of 9.8 (Critical, just short of the 10.0 maximum). The page does not name the release that fixes it, so take the remediated version from Fortinet's own advisory.
An unauthenticated attacker can use this flaw to execute unauthorized code or commands. Improper access control (CWE-284) means the appliance fails to restrict which actors may perform a privileged action; here that unrestricted action is, or leads to, command execution. Such a flaw in an authentication appliance is particularly dangerous: FortiAuthenticator is often reachable from the internet and sits at the centre of an organization's identity and access management (RADIUS and LDAP authentication, SSO, MFA tokens), so whoever controls it can influence every system that trusts it.
An attacker who exploits it gains a foothold on the device, can bypass the authentication it enforces for other systems, or can take the appliance over entirely. Given the critical score and the direct path to command execution, expect initial access brokers and well-resourced actors to prioritize it as a route into enterprise networks and a place to persist. Patching is not optional; treat it as an immediate imperative.
What This Means For You
- If your organization runs FortiAuthenticator, inventory every instance now (including HA peers and lab or DR appliances) and compare each version against the affected ranges above. Upgrade affected instances to the remediated release named in Fortinet's advisory without delay; until they are upgraded, restrict the administrative and user-facing interfaces to trusted networks and review the device logs for unexpected activity. This is not theoretical: an attacker could be executing commands on your authentication infrastructure right now.
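The version triage described above, as an added example that is not part of the original advisory or Fortinet's tooling. It encodes exactly the affected ranges the page lists (it does not know the fixed release, because the page does not state one, so anything outside those ranges is reported as "not listed", not as patched) and runs the check over a constructed inventory with hypothetical hostnames.

```python
"""Triage a FortiAuthenticator inventory against the version ranges this advisory lists.

Added example, not code from the advisory or from Fortinet. The ranges below are exactly
the ones the page gives for CVE-2026-44277; the page names no fixed release, so a version
outside these ranges is reported as "not listed", never as "patched".
"""
from typing import NamedTuple

Version = tuple[int, ...]

# Inclusive (low, high) ranges copied from the advisory's affected-version list.
# The page lists 8.0.0 and 8.0.2 individually and does not mention 8.0.1.
AFFECTED_RANGES: list[tuple[str, str]] = [
    ("6.5.0", "6.5.6"),
    ("6.6.0", "6.6.8"),
    ("8.0.0", "8.0.0"),
    ("8.0.2", "8.0.2"),
]


def parse_version(text: str) -> Version:
    """Turn 'v6.6.3' or '6.6.3-build0123' into a comparable tuple such as (6, 6, 3)."""
    core = text.strip().lstrip("vV").split("-")[0].split("+")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiAuthenticator version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True if the version falls inside any range the advisory lists as affected."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


class Host(NamedTuple):
    name: str
    version: str


def triage(inventory: list[Host]) -> dict[str, list[str]]:
    """Split an inventory into hosts needing immediate patching and hosts not listed on the page."""
    report: dict[str, list[str]] = {"affected": [], "not_listed": []}
    for host in inventory:
        bucket = "affected" if is_affected(host.version) else "not_listed"
        report[bucket].append(f"{host.name} ({host.version})")
    return report


# Constructed sample inventory; hostnames are hypothetical, not real systems.
SAMPLE_INVENTORY = [
    Host("fac-dc1", "6.6.8"),
    Host("fac-dc2", "v6.5.2-build0102"),
    Host("fac-lab", "8.0.1"),
    Host("fac-hq", "8.0.2"),
    Host("fac-dr", "7.0.0"),
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {hosts}")
```

Feed `triage` the version strings pulled from your asset inventory or from each appliance's system status page; treat every "affected" entry as a patch-now item and every "not_listed" entry as something to confirm against Fortinet's advisory rather than assume safe.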
🛡️ Detection Rules
The following Sigma rule was auto-generated for this advisory and mapped to MITRE ATT&CK T1190 (Exploit Public-Facing Application). Read its description before deploying it: the request path and payload it matches are not documented for this CVE on this page.

```yaml
title: Fortinet FortiAuthenticator CVE-2026-44277 Unauthorized Code Execution - Free Tier
id: scw-2026-05-12-ai-1
status: experimental
level: critical
description: |
    Matches POST requests to the '/remote/fgt_lang' endpoint whose query string carries a
    double-URL-encoded path-traversal payload aimed at '/etc/passwd'. Caveat: this endpoint and
    payload shape are the well-known FortiOS SSL-VPN path-traversal signature (CVE-2018-13379);
    nothing on this page ties CVE-2026-44277 to that request path, so treat a hit as a generic
    traversal probe against a Fortinet device rather than confirmed exploitation of this CVE.
author: SCW Feed Engine (AI-generated)
date: 2026-05-12
references:
    - https://shimiscyberworld.com/posts/nvd-CVE-2026-44277/
tags:
    - attack.initial_access
    - attack.t1190
logsource:
    category: webserver
detection:
    selection:
        cs-uri|contains: '/remote/fgt_lang'
        cs-method: 'POST'
        cs-uri-query|contains: 'lang=/..%252f..%252f..%252f..%252f..%252fetc%252fpasswd'
    condition: selection
falsepositives:
    - Authorized vulnerability scanning or penetration testing
```
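To see what the selection above actually catches, here is an added example (not code from the advisory, the rule's author, or Fortinet) that evaluates the rule's three conditions over constructed web-server log lines in a W3C-style layout with a `#Fields:` header. The log lines, field names and client addresses are constructed; real FortiAuthenticator logs and SIEM schemas use different field names, so map `cs-method`, `cs-uri` and `cs-uri-query` to your own. It goes one step beyond the rule by adding a normalized check that percent-decodes the query before looking for traversal, which shows how the literal double-encoded signature misses single-encoded and GET variants of the same probe.

```python
"""Run the advisory's Sigma selection over constructed web-server log lines.

Added example, not code from the advisory or from Fortinet. The log format is a constructed
W3C-style layout; real FortiAuthenticator/FortiOS logs and SIEM field names differ, so map
cs-method / cs-uri / cs-uri-query to your own schema before reusing this.
"""
import re
from urllib.parse import unquote

# Selection copied from the Sigma rule above: 'field|contains' is a substring test,
# a bare field name is an equality test, and all three must hold.
RULE = {
    "cs-uri|contains": "/remote/fgt_lang",
    "cs-method": "POST",
    "cs-uri-query|contains": "lang=/..%252f..%252f..%252f..%252f..%252fetc%252fpasswd",
}

# Constructed sample log (not captured from a real device). Lines 1-3 are the same
# traversal probe in three encodings/methods; lines 4-5 are benign traffic.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri cs-uri-query sc-status
2026-05-13 02:14:07 203.0.113.7 POST /remote/fgt_lang lang=/..%252f..%252f..%252f..%252f..%252fetc%252fpasswd 200
2026-05-13 02:14:09 203.0.113.7 POST /remote/fgt_lang lang=/../../../../../etc/passwd 200
2026-05-13 02:14:11 203.0.113.7 GET /remote/fgt_lang lang=/..%252f..%252f..%252f..%252f..%252fetc%252fpasswd 200
2026-05-13 02:15:30 198.51.100.4 POST /login/ - 302
2026-05-13 02:16:02 198.51.100.4 GET /remote/fgt_lang lang=en 200
"""


def parse_w3c(text: str) -> list[dict[str, str]]:
    """Parse lines under a '#Fields:' header into dicts keyed by field name; '-' means empty."""
    fields: list[str] = []
    events: list[dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split(" ", len(fields) - 1)
            events.append({f: ("" if v == "-" else v) for f, v in zip(fields, values)})
    return events


def matches_rule(event: dict[str, str], rule: dict[str, str] = RULE) -> bool:
    """Evaluate a Sigma selection map against one event (AND of all field tests)."""
    for key, expected in rule.items():
        field, _, modifier = key.partition("|")
        actual = event.get(field, "")
        if modifier == "contains":
            if expected not in actual:
                return False
        elif actual != expected:
            return False
    return True


def fully_decode(text: str, limit: int = 5) -> str:
    """Percent-decode until stable (bounded) so %252f, %2f and / all compare equal."""
    for _ in range(limit):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


TRAVERSAL = re.compile(r"(?:\.\./){2,}.*etc/passwd")


def matches_normalized(event: dict[str, str]) -> bool:
    """Broader check: any request to /remote/fgt_lang whose decoded query walks up to /etc/passwd."""
    if "/remote/fgt_lang" not in event.get("cs-uri", ""):
        return False
    return bool(TRAVERSAL.search(fully_decode(event.get("cs-uri-query", ""))))


def scan(text: str) -> tuple[list[int], list[int]]:
    """Return 1-based event numbers hit by the literal rule and by the normalized check."""
    events = parse_w3c(text)
    literal = [i for i, e in enumerate(events, 1) if matches_rule(e)]
    normalized = [i for i, e in enumerate(events, 1) if matches_normalized(e)]
    return literal, normalized


if __name__ == "__main__":
    print(scan(SAMPLE_LOG))  # ([1], [1, 2, 3])
```

The literal selection fires only on the exact double-encoded POST; the single-encoded POST and the GET variant slip past it. If you keep the rule, consider matching on the decoded query and on both methods, and treat any hit as a traversal probe to investigate rather than as proof that this particular CVE was exploited.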
Vulnerability Summary
| ID | Type | Value |
|---|---|---|
| CVE-2026-44277 | Weakness | Improper access control (CWE-284) |
| CVE-2026-44277 | Affected versions | FortiAuthenticator 8.0.0 and 8.0.2 |
| CVE-2026-44277 | Affected versions | FortiAuthenticator 6.6.0 through 6.6.8 |
| CVE-2026-44277 | Affected versions | FortiAuthenticator 6.5.0 through 6.5.6 |
| CVE-2026-44277 | Impact | Unauthenticated execution of unauthorized code or commands |
Source & Attribution
| Field | Value |
|---|---|
| Source platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 12, 2026 at 21:17 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.