Fortinet published 11 advisories covering 18 vulnerabilities, including two critical remote code execution flaws: CVE-2026-44277 (improper access control in FortiAuthenticator, exploitable remotely without authentication) and CVE-2026-26083 (missing authorization in FortiSandbox WEB UI). Additionally, a high-severity out-of-bounds write vulnerability (CVE-2025-53844) in FortiOS capwap daemon could allow code execution if an attacker controls an authenticated FortiAP, FortiExtender, or FortiSwitch. Ivanti released four advisories detailing seven vulnerabilities, with the most severe being CVE-2026-8043 (external control of file name in Xtraction, enabling remote reading of sensitive files and arbitrary HTML file writes). Other Ivanti flaws include SQL injection, OS command injection, privilege escalation, and race conditions. Both vendors have released patches and are not aware of active exploitation.

Successful exploitation of these vulnerabilities could allow remote attackers to execute arbitrary code, escalate privileges, and disclose sensitive information. Some vulnerabilities can be exploited without authentication, increasing risk. The impact spans multiple products from Fortinet and Ivanti, potentially affecting network security, endpoint management, and web interfaces. No confirmed exploitation in the wild has been reported at this time.

Official patches have been released by Fortinet and Ivanti addressing all identified vulnerabilities. Customers should apply these updates promptly to mitigate the risks. Fortinet customers using FortiAuthenticator Cloud do not need to take action for CVE-2026-44277. No additional mitigation steps are indicated by the vendors beyond applying the provided patches.