
[CIVN-2026-0250] Improper Access Control Vulnerability in FortiAuthenticator
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Improper Access Control Vulnerability in FortiAuthenticator
Indian Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: CRITICAL
Software Affected
FortiAuthenticator 8.0.0 through 8.0.2
FortiAuthenticator 6.6.0 through 6.6.8
FortiAuthenticator 6.5.0 through 6.5.6
Overview
A vulnerability has been reported in FortiAuthenticator which could allow an unauthenticated attacker to execute unauthorized code or commands via specially crafted requests on the affected system.
Target Audience:
All organizations and administrators using affected versions of FortiAuthenticator.
Risk Assessment:
High risk of unauthorized code or command execution and potential system compromise.
Impact Assessment:
Potential for unauthorized command execution and system compromise.
Description
FortiAuthenticator is used for centralized authentication, identity management, and secure access services within enterprise environments.
An Improper Access Control vulnerability exists in FortiAuthenticator API endpoints. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted requests.
Successful exploitation of this vulnerability could allow a remote attacker to execute unauthorized code or commands on the targeted system.
Solution
Apply the fixes/patches described in the vendor advisory:
https://fortiguard.fortinet.com/psirt/FG-IR-26-128
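The following is an added example, not part of the CERT-In advisory or of Fortinet's tooling: a small Python check that flags FortiAuthenticator version strings falling inside the affected ranges listed above, for triaging an asset inventory. It assumes versions are dotted numeric strings like those printed in the advisory (an optional trailing build tag is ignored), and the sample inventory is constructed.

```python
# Added example, not part of the CERT-In advisory: checks a FortiAuthenticator
# version string against the affected ranges listed in CIVN-2026-0250.
# Assumes versions are dotted numeric strings such as "6.6.8"; anything after
# the first whitespace (e.g. a build tag) is ignored.
import re
from typing import Tuple

Version = Tuple[int, ...]

# Inclusive ranges taken from the advisory's "Software Affected" list.
AFFECTED_RANGES = (
    ((8, 0, 0), (8, 0, 2)),
    ((6, 6, 0), (6, 6, 8)),
    ((6, 5, 0), (6, 5, 6)),
)

def parse_version(text: str) -> Version:
    """Turn '6.6.8' (or '6.6.8 build1234') into a comparable tuple (6, 6, 8)."""
    head = text.strip().split()[0]
    if not re.fullmatch(r"\d+(?:\.\d+)*", head):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in head.split("."))

def _pad(v: Version, n: int) -> Version:
    # Right-pad with zeros so '8.0' compares as '8.0.0'.
    return v + (0,) * (n - len(v))

def is_affected(text: str) -> bool:
    """True if the version lies inside one of the advisory's affected ranges.
    False means 'not listed in this advisory', which is not the same as
    'confirmed unaffected': the vendor advisory (FG-IR-26-128) is the
    authoritative source for fixed releases."""
    v = parse_version(text)
    for lo, hi in AFFECTED_RANGES:
        n = max(len(v), len(lo), len(hi))
        if _pad(lo, n) <= _pad(v, n) <= _pad(hi, n):
            return True
    return False

def triage(inventory: dict) -> dict:
    """Map each host in a {host: version} inventory to True (affected) or False."""
    return {host: is_affected(ver) for host, ver in inventory.items()}

if __name__ == "__main__":
    # Constructed sample inventory; host names and versions are illustrative.
    sample = {"fac-01": "8.0.2", "fac-02": "6.6.9", "fac-03": "6.5.0 build0312"}
    for host, flagged in triage(sample).items():
        print(host, "AFFECTED" if flagged else "not listed")
```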
Vendor Information
Fortinet
https://fortiguard.fortinet.com/psirt/FG-IR-26-128
References
Fortinet
https://fortiguard.fortinet.com/psirt/FG-IR-26-128
CVE Name
CVE-2026-44277
--
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax : 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----