Fortinet fixes two critical RCE flaws in FortiAuthenticator and FortiSandbox

Fortinet released a batch of patches across its products on Patch Tuesday, including two critical vulnerabilities that can lead to remote code execution. Fortinet flaws, both zero-day and n-day, have been exploited in the wild many times in the past, so companies should deploy patches as soon as possible.

“Fortinet vulnerabilities are often attractive to threat actors because these products sit in high-trust security functions that threat actors often target,” Piyush Sharma, CEO and co-founder of SecOps company Tuskira, told CSO via email. “When a vulnerability affects a tool that already has privileged visibility or sits close to critical systems, exploitation can give attackers a much larger head start than a flaw in an ordinary application.”

The flaw in FortiAuthenticator, tracked as CVE-2026-44277, has a 9.1 CVSS severity score and is described as an improper access control issue. Successful exploitation allows unauthenticated attackers to execute unauthorized code and commands by sending specifically crafted requests.

An identity and access management (IAM) solution, FortiAuthenticator serves as the central hub for RADIUS, LDAP, and SAML authentication. It integrates with Active Directory and supports single sign-on and multi-factor authentication. To patch this new vulnerability, companies are advised to upgrade to FortiAuthenticator 6.5.7, 6.6.9, or 8.0.3, depending on the release they’re using.

The flaw in FortiSandbox is a missing authorization issue that similarly allows unauthenticated attackers to execute arbitrary code and commands via HTTP requests. Tracked as CVE-2026-26083, the vulnerability also has a severity score of 9.1.

FortiSandbox is a threat detection solution designed to identify zero-day threats by using machine learning to perform static and dynamic analysis on suspicious files inside an isolated environment. It integrates with other Fortinet security products such as FortiGate and FortiMail and comes in different variants, including hardware and virtual appliances. The vulnerability impacts all supported versions of FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS. Users are advised to upgrade to version 4.4.9 or 5.0.2, depending on the release.

Both CVE-2026-26083 and CVE-2026-44277 were discovered internally by Fortinet, so there is no evidence of in-the-wild exploitation yet. However, exploits for other Fortinet RCE vulnerabilities have been adopted by attackers in the past. For example, CVE-2026-21643, an SQL injection vulnerability in FortiClient Endpoint Management Server (EMS) that was found internally by Fortinet and patched in February, ended up being exploited in the wild a month later. This was followed last month by exploitation of another FortiClient EMS flaw, this time a zero-day.

In addition to the two critical flaws, Fortinet released patches for high- and medium-severity flaws in several products: an out-of-bounds write vulnerability in FortiOS that can lead to RCE (CVE-2025-53844), an OS command injection vulnerability in FortiAP and FortiAP-W2 (CVE-2025-53870) that leads to privilege escalation, and a separate OS command injection flaw in FortiAP, FortiAP-U, and FortiAP-W2 (CVE-2025-53680) that can lead to RCE. Exploitation of these flaws requires authentication, which is why they’re not rated critical, but attackers compromising enterprise credentials is not uncommon, so these flaws should still be treated with urgency.
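The fixed releases above are per branch, so a plain "is my version newer than X" check is not enough: a FortiAuthenticator 6.6.8 box is unpatched even though 6.6.8 is numerically above 6.5.7. The following script is an added example, not code from the article or from Fortinet, that triages an asset inventory against the fixed versions the article lists for CVE-2026-44277 and CVE-2026-26083. The hostnames, version strings and the `FIXED_RELEASES` table layout are constructed for illustration; a branch the article does not list (for example a hypothetical 7.x release) is reported as `unknown-branch` rather than assumed safe, and unparseable version strings are surfaced for manual review.

```python
"""Triage a device inventory against the fixed releases named in the article.

Fixed versions (from the article): FortiAuthenticator 6.5.7 / 6.6.9 / 8.0.3 for
CVE-2026-44277 and FortiSandbox 4.4.9 / 5.0.2 for CVE-2026-26083.
Everything else here (hosts, versions, table shape) is constructed sample data.
"""
import re

# Minimum fixed build per maintained branch (major, minor) -> (major, minor, patch).
# Branches that the article does not mention are deliberately absent.
FIXED_RELEASES = {
    "FortiAuthenticator": {
        "CVE-2026-44277": {(6, 5): (6, 5, 7), (6, 6): (6, 6, 9), (8, 0): (8, 0, 3)},
    },
    "FortiSandbox": {
        "CVE-2026-26083": {(4, 4): (4, 4, 9), (5, 0): (5, 0, 2)},
    },
}

VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Return (major, minor, patch) as ints, or None if the string is not plain x.y.z."""
    match = VERSION_RE.match(text.strip())
    if not match:
        return None
    return tuple(int(part) for part in match.groups())


def patch_status(product, version_text, cve):
    """Classify one device for one CVE.

    Returns 'patched', 'vulnerable', 'unknown-branch' (branch not covered by the
    article's fix list), 'unparseable' (version string not x.y.z) or
    'not-applicable' (product/CVE pair not in the table).
    """
    fixes = FIXED_RELEASES.get(product, {}).get(cve)
    if fixes is None:
        return "not-applicable"
    version = parse_version(version_text)
    if version is None:
        return "unparseable"
    fixed = fixes.get(version[:2])  # look up by branch, not by global ordering
    if fixed is None:
        # No fixed build listed for this branch: do not silently mark it safe.
        return "unknown-branch"
    return "patched" if version >= fixed else "vulnerable"


def triage(inventory):
    """Return every (host, product, version, cve, status) entry that still needs action."""
    findings = []
    for host, product, version_text in inventory:
        for cve in FIXED_RELEASES.get(product, {}):
            status = patch_status(product, version_text, cve)
            if status != "patched":
                findings.append((host, product, version_text, cve, status))
    return findings


# Constructed sample inventory; hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = [
    ("fac-01", "FortiAuthenticator", "6.6.8"),       # one build short of 6.6.9
    ("fac-02", "FortiAuthenticator", "8.0.3"),       # at the fixed build
    ("fac-03", "FortiAuthenticator", "7.0.1"),       # hypothetical branch not in the article
    ("fsa-01", "FortiSandbox", "5.0.1"),             # one build short of 5.0.2
    ("fsa-02", "FortiSandbox", "4.4.9"),             # at the fixed build
    ("fsa-03", "FortiSandbox", "build-2391"),        # not an x.y.z string
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY):
        print(*finding)
```

Tuple comparison does the right thing within a branch because `(6, 6, 8) >= (6, 6, 9)` is false while `(6, 6, 9) >= (6, 6, 9)` is true; the branch lookup is what prevents a 6.6.8 device from being judged against the 6.5.7 fix. Feed `triage()` the output of whatever inventory source you already have (a CMDB export, a FortiManager device list) and treat every non-`patched` row as an open item until the vendor advisory has been checked for that exact build.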