- May 12, 2026
Critical Auth Bypass Vulnerability in FortiAuthenticator (CVE-2026-44277)
On May 12th, Fortinet publicly released a critical vulnerability affecting Fortinet FortiAuthenticator which handles Identity and Access Management (IAM) within some Fortinet architectures. The flaw is tracked as CVE-2026-44277 and classified as an improper access control vulnerability allowing unauthenticated attackers the ability to execute unauthorized code remotely.
Executive Summary
On May 12th, Fortinet publicly released a critical vulnerability affecting Fortinet FortiAuthenticator which handles Identity and Access Management (IAM) within some Fortinet architectures. The flaw is tracked as CVE-2026-44277 and classified as an improper access control vulnerability allowing unauthenticated attackers the ability to execute unauthorized code remotely.
Fortinet has released patched versions of software to address the issue, and at the time of writing no publicly confirmed proof-of-concept (PoC) exploits have been released. Given prior targeting of Fortinet products and affected identity components, Beazley Security recommends organizations apply patches as soon as possible.
Affected Systems or Products
Product | Affected Version | Fixed Version |
FortiAuthenticator 6.5 | 6.5.0 through 6.5.6 | 6.5.7 |
FortiAuthenticator 6.6 | 6.6.0 through 6.6.8 | 6.6.9 |
FortiAuthenticator 8.0 | 8.0.0 and 8.0.2 | 8.0.3 |
*According to the FortiGuard advisory, FortiAuthenticator Cloud is not affected by this vulnerability.
Mitigations / Workarounds
Patches have been released by the vendor and applying them is the recommended course of action. In the event patches cannot be immediately applied, the following mitigations may help to reduce risk:
Review and restrict network-level access to FortiAuthenticator interfaces and API endpoints to trusted networks only.
Evaluate migration to FortiAuthenticator Cloud if on-premises patching cannot be performed.
Patches
Fortinet has released a firmware upgrade for FortiAuthenticator to fix these issues. Registered users can grab the latest updates from the official FortiCloud website.
Technical Details
Fortinet provided limited technical details regarding the vulnerability in its initial advisory publication. The official PSIRT statement mentions that the flaw was internally discovered as part of a Fortinet audit and is classified as an Improper access control vulnerability on API endpoints. There are no reports of active exploitation or proof-of-concept (PoC) code at the time of writing.
FortiAuthenticator is a Fortinet Identity and Access Management (IAM) solutions designed to centralize authentication services and enforce identity-based security controls such as MFA across enterprise environments. The platform is commonly integrated with VPN infrastructure, administrative access, and other identity services.
Because FortiAuthenticator often serves as a core authentication component within organizations leveraging Fortinet, successful compromise could create substantial downstream risk to connected systems and user accounts. Given the history of threat actors targeting Fortinet systems, Beazley Security recommends affected organizations patch FortiAuthenticator deployments as soon as possible.
How Beazley Security is responding
Beazley Security is monitoring client perimeter devices through our Exposure Management Platform to identify impacted devices and support organizations in remediation of any issues found.
We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.
If you believe your organization may have been impacted by this attack campaign and need support, please contact our Incident Response team.