Fortinet patches critical FortiSandbox flaw and four more enterprise vulnerabilities


Fortinet has patched five security vulnerabilities affecting FortiSandbox, FortiSandbox Cloud, FortiSandbox PaaS, FortiAP, FortiAP-W2, FortiAP-U, FortiOS, FortiAnalyzer, and FortiManager.

The most serious issue is CVE-2026-26083, a Critical missing authorization vulnerability in FortiSandbox products. Fortinet says an unauthenticated attacker could exploit the flaw through HTTP requests to execute unauthorized code or commands.

Fortinet says none of the five vulnerabilities were known to be exploited when the advisories were published on May 12, 2026. Even so, admins should prioritize FortiSandbox updates because the main flaw requires no authentication.

Fortinet May 2026 security fixes at a glance

| CVE | Product | Severity | Attack type | Impact |
|---|---|---|---|---|
| CVE-2026-26083 | FortiSandbox, FortiSandbox Cloud, FortiSandbox PaaS | Critical | Unauthenticated | Execute unauthorized code or commands |
| CVE-2025-53844 | FortiOS | High | Authenticated | Gain execution privileges on a FortiGate device |
| CVE-2025-53680 | FortiAP, FortiAP-U, FortiAP-W2 | Medium | Authenticated | Execute unauthorized code or commands |
| CVE-2025-53870 | FortiAP, FortiAP-W2 | Medium | Authenticated | Escalation of privilege |
| CVE-2025-67604 | FortiAnalyzer, FortiManager | Medium | Authenticated | Denial of service |

Critical FortiSandbox flaw needs priority patching

CVE-2026-26083 affects the FortiSandbox web interface. Fortinet describes it as a missing authorization issue in FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS.

The vulnerability has a CVSS score of 9.1 and affects several FortiSandbox versions. FortiSandbox 5.0.0 through 5.0.1 should be upgraded to 5.0.2 or later, while FortiSandbox 4.4.0 through 4.4.8 should be upgraded to 4.4.9 or later.

FortiSandbox Cloud 5.0.2 through 5.0.5 should be upgraded to 5.0.6 or later. Several FortiSandbox Cloud and FortiSandbox PaaS releases require migration to a fixed release instead of a simple point update.

FortiOS CAPWAP bug is rated High

Fortinet also fixed CVE-2025-53844, a High severity out-of-bounds write vulnerability in the FortiOS CAPWAP daemon.

CAPWAP handles communication between wireless access points and controllers. Fortinet says an attacker controlling an authenticated FortiAP, FortiExtender, or FortiSwitch could exploit the flaw to gain execution privileges on a FortiGate device.

Affected versions include FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, and FortiOS 7.2.0 through 7.2.11. Fixed versions include FortiOS 7.6.4, FortiOS 7.4.9, and FortiOS 7.2.12 or later.

FortiAP command injection flaws also patched

Two Medium severity vulnerabilities affect Fortinet wireless access point products. Both require authentication, which limits exposure compared with the FortiSandbox flaw.

CVE-2025-53680 is an OS command injection bug in the FortiAP, FortiAP-U, and FortiAP-W2 CLI. Fortinet says an authenticated privileged attacker could execute unauthorized code or commands through crafted CLI requests.

CVE-2025-53870 is a separate OS command injection issue in FortiAP and FortiAP-W2. Fortinet lists its impact as escalation of privilege, and exploitation requires authenticated CLI access.

FortiAnalyzer and FortiManager API bug can cause outages

The fifth vulnerability, CVE-2025-67604, affects the API layer in FortiAnalyzer and FortiManager. Fortinet rates it Medium severity.

The flaw involves the use of a potentially dangerous function. Fortinet says an authenticated attacker could send multiple specially crafted HTTP requests and cause a system hang through crashes.

This issue does not carry the same immediate risk as the Critical FortiSandbox flaw. However, FortiAnalyzer and FortiManager often sit at the center of enterprise logging, analysis, and management workflows, so outages can disrupt security operations.

What admins should do now

  • Patch FortiSandbox systems first, especially if the web interface is reachable from less trusted networks.
  • Upgrade FortiOS systems affected by CVE-2025-53844 because the CAPWAP flaw carries a High severity rating.
  • Restrict FortiAP, FortiAP-U, and FortiAP-W2 CLI access to trusted administrators only.
  • Limit FortiAnalyzer and FortiManager API access to trusted internal systems.
  • Review Fortinet’s recommended upgrade paths before moving production appliances to fixed releases.
  • Monitor logs for unusual HTTP, API, CLI, or CAPWAP activity after patching.
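To support the "review upgrade paths" step above, here is an added example (not Fortinet's tooling or code from the advisories) that triages an inventory of appliance versions against the affected ranges quoted in this article for FortiSandbox, FortiSandbox Cloud, and FortiOS. The inventory entries are constructed sample input; FortiAP, FortiAnalyzer, and FortiManager are left out because the article gives no version ranges for them, and the FortiSandbox Cloud/PaaS migration-only releases are likewise not encoded.

```python
# Added example, not from Fortinet or the article. Affected/fixed ranges are
# the ones quoted in the article; anything not listed there is deliberately absent.
AFFECTED = {
    # product: [(first affected, last affected, fixed release, CVE), ...]
    "FortiSandbox": [
        ("5.0.0", "5.0.1", "5.0.2", "CVE-2026-26083"),
        ("4.4.0", "4.4.8", "4.4.9", "CVE-2026-26083"),
    ],
    "FortiSandbox Cloud": [
        ("5.0.2", "5.0.5", "5.0.6", "CVE-2026-26083"),
    ],
    "FortiOS": [
        ("7.6.0", "7.6.3", "7.6.4", "CVE-2025-53844"),
        ("7.4.0", "7.4.8", "7.4.9", "CVE-2025-53844"),
        ("7.2.0", "7.2.11", "7.2.12", "CVE-2025-53844"),
    ],
}

def parse_version(version):
    """Split '7.2.11' into (7, 2, 11) so comparisons are numeric.
    A plain string compare would wrongly put '7.2.11' before '7.2.2'."""
    return tuple(int(part) for part in version.split("."))

def check(product, version):
    """Return (cve, fixed_release) if the version is inside an affected range,
    or None if it is fixed or the product has no range recorded here."""
    current = parse_version(version)
    for lo, hi, fixed, cve in AFFECTED.get(product, []):
        if parse_version(lo) <= current <= parse_version(hi):
            return cve, fixed
    return None

def triage(inventory):
    """Return a list of (product, version, cve, fixed_release) needing upgrade."""
    findings = []
    for product, version in inventory:
        hit = check(product, version)
        if hit:
            findings.append((product, version) + hit)
    return findings

# Constructed sample inventory, not real hosts.
INVENTORY = [
    ("FortiSandbox", "4.4.8"),       # last affected 4.4.x build
    ("FortiOS", "7.2.11"),           # affected; string compare would miss it
    ("FortiOS", "7.4.9"),            # already fixed
    ("FortiSandbox Cloud", "5.0.6"), # already fixed
]

if __name__ == "__main__":
    for row in triage(INVENTORY):
        print("%s %s: %s, upgrade to %s" % row)
```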

Why this Fortinet update matters

Fortinet appliances often protect high-value network edges, wireless environments, and security operations workflows. That makes even internal-only flaws important for enterprise defenders.

The Critical FortiSandbox issue creates the clearest urgency because it does not require authentication. The FortiOS CAPWAP bug also deserves attention because successful exploitation could affect a FortiGate device through a trusted connected endpoint.

Admins should not delay these patches because Fortinet vulnerabilities have historically attracted attacker interest after disclosure. Systems exposed to the internet, management networks, or broad internal access should receive the fastest review.

FAQ

What is the most serious Fortinet vulnerability fixed in this update?

CVE-2026-26083 is the most serious issue. It is a Critical missing authorization flaw in FortiSandbox products and can be exploited without authentication.

Is the FortiOS CAPWAP vulnerability Medium severity?

No. Fortinet rates CVE-2025-53844 as High severity with a CVSS score of 8.3.

Which Fortinet products are affected?

The advisories cover FortiSandbox, FortiSandbox Cloud, FortiSandbox PaaS, FortiAP, FortiAP-U, FortiAP-W2, FortiOS, FortiAnalyzer, and FortiManager.

Is CVE-2026-26083 being exploited?

Fortinet listed the vulnerability as not known to be exploited when the advisory was published.
