Blog
June 22, 2026
Systemic Exploitation and Vulnerability Surge Across the Fortinet Ecosystem (H1 2026)

Executive Summary

The first half of 2026 has seen a relentless series of critical vulnerabilities and confirmed exploitation campaigns targeting the Fortinet product ecosystem. Affecting FortiOS, FortiManager, FortiClient EMS, FortiSandbox, FortiAuthenticator, FortiWeb, FortiAnalyzer, FortiSOAR, FortiProxy, and more, these disclosures represent a pattern of systemic security failure across enterprise edge, identity, and management infrastructure - not a sequence of isolated incidents.

A significant portion of the flaws disclosed between January and June 2026 allow pre-authentication Remote Code Execution, authentication bypasses, and critical path traversals, with CVSS scores frequently ranging from 9.1 to 9.8. Seven vulnerabilities have confirmed in-the-wild exploitation. Three were weaponized as zero-days before patches were publicly available. The "FortiBleed" campaign - operating without a CVE assignment - has reportedly compromised between 30,000 and 75,000 internet-facing FortiGate devices across approximately 194 countries.

SISA urges organizations running any Fortinet product to treat this not as a patching exercise, but as a signal requiring immediate architectural and operational response.

Why Fortinet Infrastructure Became a High-Value Target

Fortinet appliances sit at some of the most privileged positions in enterprise networks - managing perimeter access, enforcing endpoint compliance, centralizing authentication, and administering security policy across entire estates. This makes them extraordinarily high-value targets: compromising one Fortinet appliance frequently yields administrative control over everything behind it.

Adversaries have exploited this systematically across H1 2026. The FortiCloud SSO trust model was abused via CVE-2026-24858, allowing an attacker holding any standard FortiCloud account to cross organizational boundaries, log into other customers' devices, and create rogue admin accounts across FortiOS, FortiManager, FortiAnalyzer, FortiWeb, and FortiProxy - without needing a single valid credential from the target organization. This was in active exploitation before the patch existed, from approximately January 20, 2026.  

FortiClient EMS - the endpoint management and zero-trust enforcement hub - was hit with two separate critical unauthenticated RCE vulnerabilities in four months. CVE-2026-21643, a pre-authentication SQL injection via the Site HTTP header in multi-tenant deployments, was observed in active exploitation by March 24, weeks after disclosure. CVE-2026-35616 followed, exploited as a zero-day from March 31 - three days before its advisory was published. Attackers who control FortiClient EMS do not just compromise one server - they control which devices are deemed compliant, who gets network access, and what security policy applies to every managed endpoint.

FortiAuthenticator joined the list in May with CVE-2026-44277 (CVSS 9.8) - an improper access control flaw allowing unauthenticated remote code execution against API handlers. Because FortiAuthenticator provides RADIUS, TACACS+, MFA, SSO, certificate management, and SCIM provisioning, its compromise does not represent a single-device failure. It represents the collapse of the authentication trust fabric across every connected system.  

The FortiSandbox exploitation cluster extended the damage window into June. CVE-2026-39808 and CVE-2026-39813 - both CVSS 9.8, patched in April - saw renewed confirmed in-the-wild exploitation starting June 9 and June 15 respectively, targeting organizations that had not yet applied patches. CVE-2026-25089, a second-order OS command injection via JSON input on the start vnc feature, was disclosed June 9 and was observed being chained with the earlier sandbox CVEs in the same intrusions. A compromised FortiSandbox is particularly dangerous as a pivot point: it is a host that security tooling is often explicitly configured to trust.

FortiBleed completes the picture. Threat actors are harvesting FortiGate configuration backup files obtained through prior exploitation or misconfigured management interfaces, and offline-cracking the administrator password hashes they contain. The hashing scheme in use - legacy SHA-256 without adaptive cost parameters - can be brute-forced on modern GPU hardware within hours to days depending on password complexity. There is no code patch for this. Remediation is entirely operational.
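The operational response to FortiBleed starts with finding out which backups hold legacy hashes and where they sit. The script below is an added example written for this post (not Fortinet tooling or SISA's own) that walks the `config system admin` block of a FortiGate configuration export and reports how each administrator password is stored, plus whether the backup file itself is readable by other users on the host. The `SH2` and `AK1` prefixes are assumed here to mark the legacy single-pass hash encodings; verify those markers against the firmware you run. Any other encoding is reported for review rather than declared safe, and the configuration text embedded below is constructed, not a real export.

```python
"""Audit FortiGate configuration backups for legacy admin-password storage.

Added example for this post; not Fortinet tooling. ASSUMPTION: an
'ENC SH2...' or 'ENC AK1...' value marks a non-adaptive hash. Anything else
after 'ENC ' is reported for manual review rather than declared safe.
"""
import stat
from pathlib import Path

LEGACY_HASH_PREFIXES = ("SH2", "AK1")  # ASSUMED legacy markers

# Constructed sample export (not a real device configuration).
SAMPLE_CONFIG = """\
# constructed sample, not a real export
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        config gui-dashboard
            edit 1
                set name "Status"
            next
        end
        set password ENC SH2b2JmdXNjYXRlZC1zYW1wbGUtYmxvYg==
    next
    edit "svc-backup"
        set accprofile "super_admin"
        set password ENC AK1c2FtcGxlLWxlZ2FjeS1ibG9i
    next
    edit "helpdesk"
        set accprofile "prof_admin"
        set password ENC XY9unknown-future-format
    next
end
config system global
    set hostname "FGT-SAMPLE"
end
"""


def classify_password(value):
    """Map the text after 'set password' to a finding label."""
    if value is None:
        return "no-password-set"
    if not value.startswith("ENC "):
        return "plaintext-password"
    blob = value[len("ENC "):]
    for prefix in LEGACY_HASH_PREFIXES:
        if blob.startswith(prefix):
            return f"legacy-hash-{prefix}"
    return "unrecognized-encoding"  # review manually; do not assume adaptive


def audit_config_text(text):
    """Return (admin_name, finding) for every entry in 'config system admin'.

    A depth counter keeps nested 'config ... end' blocks inside an admin
    entry (dashboard settings, for example) from ending the scan early.
    """
    findings = []
    depth = 0          # 0 = outside the admin block
    current = None
    password = None
    for raw in text.splitlines():
        line = raw.strip()
        if depth == 0:
            if line == "config system admin":
                depth = 1
            continue
        if line.startswith("config "):
            depth += 1
        elif line == "end":
            depth -= 1
            if depth == 0:
                break
        elif depth == 1 and line.startswith("edit "):
            current = line[len("edit "):].strip().strip('"')
            password = None
        elif depth == 1 and line.startswith("set password "):
            password = line[len("set password "):].strip()
        elif depth == 1 and line == "next":
            findings.append((current, classify_password(password)))
            current, password = None, None
    return findings


def audit_backup_file(path):
    """Audit one backup on disk: storage exposure plus per-admin findings."""
    p = Path(path)
    mode = p.stat().st_mode
    exposure = []
    if mode & stat.S_IRGRP:
        exposure.append("group-readable")
    if mode & stat.S_IROTH:
        exposure.append("world-readable")
    return {
        "path": str(p),
        "exposure": exposure,
        "admins": audit_config_text(p.read_text(errors="replace")),
    }


def needs_action(findings):
    """True when any admin entry is stored as a legacy hash or in plaintext."""
    return any(label.startswith(("legacy-hash-", "plaintext")) for _, label in findings)


if __name__ == "__main__":
    results = audit_config_text(SAMPLE_CONFIG)
    for name, label in results:
        print(f"{name:12s} {label}")
    print("rotate and re-hash:", needs_action(results))
```

Run `audit_backup_file()` over every export found in shared drives, backup repositories and ticketing attachments; any file with a non-empty `exposure` list or a `needs_action()` result of `True` belongs on the credential-rotation list regardless of whether that device has since been patched.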

Key Risks

The consequences of H1 2026 Fortinet exploitation extend well beyond the compromised appliance itself:

  • Control plane takeover: Exploitation of FortiManager, FortiClient EMS, or FortiAuthenticator grants administrative authority over the entire security estate they manage - not just the appliance.  
  • Persistent rogue administrator access: CVE-2026-24858 exploitation enables unauthorized admin account creation that survives standard user-level credential resets, leaving persistent footholds that are difficult to detect without specific hunting activity.
  • MFA and zero-trust enforcement collapse: FortiAuthenticator and FortiClient EMS compromise simultaneously undermines two of the most critical defensive layers organizations rely on for access control - authentication enforcement and device posture verification.
  • Blind-spot lateral movement: A compromised FortiSandbox provides internal network access from a host that security controls are typically configured to exempt, creating a structurally invisible pivot path into production environments.  
  • Mass credential compromise: FortiBleed-harvested hashes enable credential stuffing against management interfaces across the Fortinet fleet, and potentially against external services where passwords have been reused.  
  • Regulatory exposure: Perimeter and identity infrastructure compromise triggers breach notification obligations under DPDP, GDPR, NIS2, and sector-specific frameworks, alongside direct financial and operational impact.

Indicators

Teams should investigate immediately if any of the following are observed:

  • Administrative logins originating from unexpected FortiCloud organizations or unfamiliar geographic locations, particularly from January 2026 onward - a potential indicator of persistent rogue accounts created via CVE-2026-24858.  
  • Unauthorized administrator accounts in FortiManager, FortiAnalyzer, FortiOS, or FortiWeb not provisioned through standard change management processes.
  • Anomalous outbound connections from FortiClient EMS servers to unknown external IP ranges - potential post-exploitation staging activity linked to CVE-2026-21643 or CVE-2026-35616.  
  • Unexpected process activity on FortiSandbox hosts - particularly processes invoking vnc-related commands, JSON parsing anomalies in sandbox logs, or outbound connections from sandbox VMs to non-analysis infrastructure.  
  • FortiAuthenticator anomalies - unexpected service interruptions, unauthorized certificate issuances, or SCIM provisioning events outside standard workflows.
  • FortiGate configuration backup files stored without encryption in accessible locations such as shared drives, backup repositories, or ticketing systems - a direct exposure path for FortiBleed credential extraction.  
  • CAPWAP or JRPC daemon traffic originating from unexpected subnets, potentially indicating exploitation attempts against wireless management infrastructure via CVE-2026-39811 or CVE-2026-39809.

Recommendations

SISA recommends treating this as both an immediate remediation emergency and a structural security posture review across all Fortinet deployments:

  • Remove management interfaces from internet exposure: Administrative portals for FortiOS, FortiManager, FortiAnalyzer, FortiClient EMS, and FortiAuthenticator must not be publicly reachable. Every critical pre-authentication vulnerability disclosed in H1 2026 requires network reachability to a management interface or API endpoint. Restricting access to dedicated management networks or controlled jump-host infrastructure eliminates the primary attack vector for the majority of listed CVEs.
  • Rotate all credentials across the Fortinet estate: Treat all administrative credentials as potentially compromised given the confirmed scope of FortiBleed and CVE-2026-24858 exploitation. Rotate admin account passwords, API keys, FortiCloud-linked credentials, RADIUS shared secrets, TACACS+ keys, and SSL-VPN user credentials. Prioritize accounts with FortiCloud SSO associations, which may carry persistent rogue administrator sessions.
  • Audit and upgrade password hashing configurations: Inspect all active and archived FortiGate configuration files for legacy SHA-256 hash storage. Upgrade to adaptive hashing standards available in current FortiOS firmware releases. Enforce encrypted storage of all configuration backups, and move backup repositories to access-controlled, monitored locations.  
  • Compress the patch window to 24-48 hours for edge and identity products: Standard maintenance-window patching is insufficient for FortiClient EMS, FortiManager, FortiAuthenticator, and FortiSandbox. CVE-2026-35616 was exploited three days before its advisory was published. Pre-tested deployment runbooks for these products must be maintained in advance of disclosures, not developed in response to them.
  • Micro-segment FortiSandbox deployments: Isolate FortiSandbox and FortiSandbox Cloud instances into dedicated security zones with deny-by-default outbound policies. Restrict outbound sandbox communication to explicitly defined analysis infrastructure only, preventing lateral movement from compromised sandbox hosts into production environments.  
  • Restrict CAPWAP and JRPC protocol exposure at the subnet level: Block CAPWAP and JRPC daemon traffic from reaching FortiOS or FortiSwitchManager management services from untrusted subnets. Wireless management communications should be limited strictly to defined, trusted internal segments with no general corporate network reachability.
  • Apply WAF inspection on administrative endpoints: Where management endpoints cannot be fully isolated, implement custom WAF signatures to inspect and block crafted HTTP headers - specifically the Site header - to intercept the pre-authentication SQL injection vector associated with CVE-2026-21643.  
  • Establish behavioral detection across all Fortinet assets: Configure SIEM alerting for anomalous Fortinet behaviors including unexpected directory deletion via vmimages delete, unauthorized configuration writes from local subnets, new admin account provisioning outside change management windows, and outbound connections from FortiSandbox VMs to non-analysis destinations.
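The last recommendation, behavioral detection, is the one most teams struggle to turn into rules. The following added example (written for this post, not Fortinet or SISA tooling) parses FortiOS-style `key=value` event logs and applies three of the rules named above: an administrative login from outside the management network, a configuration write from a non-management subnet, and an administrator account added outside the change window. The field names (`logdesc`, `user`, `srcip`, `action`, `cfgpath`, `cfgobj`) are modelled on FortiOS event-log conventions and should be checked against your own logs; `MGMT_NETWORKS` and `CHANGE_WINDOW` are placeholder environment values, and the log lines are constructed with TEST-NET addresses rather than captured from a device.

```python
"""Flag suspicious FortiOS administrative events in key=value event logs.

Added example for this post; not Fortinet or SISA tooling. ASSUMPTIONS:
field names are modelled on FortiOS event-log conventions and should be
verified against real logs; MGMT_NETWORKS and CHANGE_WINDOW are placeholder
environment values; the sample lines are constructed, not captured.
"""
import ipaddress
import re
from datetime import datetime, time

MGMT_NETWORKS = [ipaddress.ip_network("10.200.0.0/24")]   # ASSUMED jump-host subnet
CHANGE_WINDOW = (time(22, 0), time(23, 59, 59))           # ASSUMED daily window

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample events (TEST-NET addresses, not real devices).
SAMPLE_LOGS = [
    'date=2026-03-03 time=22:15:41 type="event" subtype="system" level="notice" '
    'logdesc="Object attribute configured" user="admin" ui="https(10.200.0.15)" '
    'srcip=10.200.0.15 action="Add" cfgpath="system.admin" cfgobj="oncall-admin" '
    'msg="Add system.admin oncall-admin"',
    'date=2026-03-04 time=03:12:09 type="event" subtype="system" level="information" '
    'logdesc="Admin login successful" user="admin" ui="https(198.51.100.23)" '
    'srcip=198.51.100.23 action="login" status="success" '
    'msg="Administrator admin logged in successfully from https(198.51.100.23)"',
    'date=2026-03-04 time=03:12:40 type="event" subtype="system" level="notice" '
    'logdesc="Object attribute configured" user="admin" ui="https(198.51.100.23)" '
    'srcip=198.51.100.23 action="Add" cfgpath="system.admin" cfgobj="support-tmp" '
    'msg="Add system.admin support-tmp"',
    'date=2026-03-04 time=09:00:00 type="event" subtype="system" level="notice" '
    'logdesc="Object attribute configured" user="netops" ui="https(10.200.0.40)" '
    'srcip=10.200.0.40 action="Edit" cfgpath="firewall.policy" cfgobj="12" '
    'msg="Edit firewall.policy 12"',
]


def parse_kv(line):
    """Parse key=value and key="quoted value" pairs into a dict."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def from_mgmt_network(ip):
    """True when the source address falls inside an allowed management subnet."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in MGMT_NETWORKS)


def inside_change_window(ts):
    return CHANGE_WINDOW[0] <= ts.time() <= CHANGE_WINDOW[1]


def evaluate(event):
    """Return the list of rule names the event triggers (empty if benign)."""
    alerts = []
    ts = datetime.strptime(f'{event["date"]} {event["time"]}', "%Y-%m-%d %H:%M:%S")
    src = event.get("srcip", "")
    desc = event.get("logdesc", "")
    if desc == "Admin login successful" and not from_mgmt_network(src):
        alerts.append("admin-login-from-non-mgmt-source")
    if desc == "Object attribute configured":
        if not from_mgmt_network(src):
            alerts.append("config-write-from-non-mgmt-subnet")
        if (event.get("cfgpath") == "system.admin" and event.get("action") == "Add"
                and not inside_change_window(ts)):
            alerts.append("admin-account-added-outside-change-window")
    return alerts


def scan(lines):
    """Return (user, srcip, [rules]) for every line that triggers a rule."""
    hits = []
    for line in lines:
        event = parse_kv(line)
        rules = evaluate(event)
        if rules:
            hits.append((event.get("user", "?"), event.get("srcip", "?"), rules))
    return hits


if __name__ == "__main__":
    for user, src, rules in scan(SAMPLE_LOGS):
        print(f"{user}@{src}: {', '.join(rules)}")
```

The same structure extends to the other behaviors listed: a rule keyed on `cfgpath` for FortiSandbox image deletions, or a rule over flow records for sandbox VMs whose destination is not in an allow-list of analysis infrastructure. The point is that each rule reads one or two fields and an environment constant, so the alert logic stays auditable when the field conventions change between firmware releases.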

SISA View and Way Forward

H1 2026 reveals an adversarial priority that is now unambiguous: security infrastructure is the target, not what it protects. Threat actors pursuing FortiAuthenticator, FortiCloud SSO, and FortiClient EMS are not looking for a foothold on one device - they are looking to own the trust model that governs the entire environment. Compromising the authentication plane and endpoint compliance layer simultaneously removes most of the controls organizations rely on to detect and contain intrusions once the perimeter is crossed.

The exploitation timelines reinforce a structural problem: the gap between vulnerability disclosure and organizational patch deployment - measured in weeks across much of the H1 2026 activity - is wider than the window adversaries need to operate. CVE-2026-35616 was weaponized before its advisory existed. CVE-2026-39808 and CVE-2026-39813 saw renewed exploitation two months after patching, against organizations that had not yet acted on the April advisories.

As organizations move into H2 2026, security teams should anticipate continued critical disclosure activity across the same product families, and increasing adversarial focus on FortiSASE and cloud-managed Fortinet variants as those deployments grow. The FortiBleed credential-harvesting infrastructure is likely still active against organizations that have not completed credential rotation and hashing upgrades.

Published as part of SISA's ongoing threat intelligence and advisory programme, this blog is intended to help security teams understand the full scope of H1 2026 Fortinet exposure, prioritize response actions, and build the defensive posture required to reduce risk through the remainder of 2026.

References

Vendor Advisories (Fortinet PSIRT): FG-IR-26-060 | FG-IR-26-099 | FG-IR-26-100 | FG-IR-26-112 | FG-IR-26-128 | FG-IR-26-141

Regulatory & Vulnerability Bulletins: CISA Advisory - Jan 28, 2026 | CSA Singapore AL-2026-024 | CSA Singapore AL-2026-054 | CCB Belgium Warning

Threat Intelligence & Campaign Analysis: WatchTowr Labs - EMS Zero-Day | Arctic Wolf - FortiBleed | Hudson Rock - Credential Metrics | CyberScoop - FortiSandbox Chains | HelpNetSecurity - EMS Exploitation
