Full Report
Fortinet security advisory (AV26-695)
Analysis Summary
# Vulnerability: Multiple Flaws in FortiAuthenticator and FortiSandbox
## CVE Details
*Note: Specific CVE IDs and CVSS scores were not explicitly listed in the provided summary text; however, based on the advisory references (FG-IR-26-146 and FG-IR-26-145):*
- **CVE ID:** CVE-2026-TBD (Referenced via FG-IR-26-146 and FG-IR-26-145)
- **CVSS Score:** Pending (High/Critical based on "Unauthenticated VNC access")
- **CWE:** CWE-125 (Out-of-bounds Read) and CWE-306 (Missing Authentication)
## Affected Systems
- **FortiAuthenticator:**
- Versions 6.6.0 through 6.6.2
- Versions 6.5.0 through 6.5.7
- **FortiSandbox:**
- Versions 5.0.0 through 5.0.2
- Versions 4.4.3 through 4.4.8
- **Configurations:** Systems with GUI access enabled or VNC services exposed on network interfaces.
## Vulnerability Description
This advisory covers two distinct security issues:
1. **Out-of-bounds Read in GUI:** A flaw in the administrative web interface that allows the system to read data past the end of the intended buffer. This can lead to information disclosure or system instability.
2. **Unauthenticated VNC Access:** A critical misconfiguration where Virtual Network Computing (VNC) access is exposed across all network interfaces without requiring authentication. This allows a remote actor to potentially view or interact with the system environment directly.
## Exploitation
- **Status:** Not explicitly reported as exploited in the wild at the time of advisory.
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Potential exposure of system data and visual environment)
- **Integrity:** High (Ability to interact with system via VNC)
- **Availability:** Medium (Potential for crashes via OOB read)
## Remediation
### Patches
Fortinet recommends upgrading to the following versions:
- **FortiAuthenticator:** Update to version 6.6.3, 6.5.8, or higher.
- **FortiSandbox:** Update to version 5.0.3, 4.4.9, or higher.
### Workarounds
- **VNC Exposure:** Restrict access to the VNC port (usually 5900-5901) using local firewall rules or Security Fabric policies to trusted administrative hosts only.
- **GUI Exposure:** Ensure the administrative GUI is only accessible via a secure, isolated Management VLAN.
## Detection
- **Indicators of Compromise:** Unusual administrative sessions originating from unknown IP addresses; VNC connection logs showing unauthorized access.
- **Detection methods:** Scan internal and external interfaces for open VNC ports (typically TCP 5900+). Audit GUI access logs for out-of-bounds characteristic request patterns.
## References
- FortiGuard Advisory FG-IR-26-146: hxxps[:]//www[.]fortiguard[.]com/psirt/FG-IR-26-146
- FortiGuard Advisory FG-IR-26-145: hxxps[:]//www[.]fortiguard[.]com/psirt/FG-IR-26-145
- Government of Canada Bulletin: hxxps[:]//www[.]cyber[.]gc[.]ca/en/alerts-advisories/fortinet-security-advisory-av26-695