FortiAuthenticator Critical Flaw (CVE-2026-44277) — Patch Your MFA Today

Fortinet has disclosed a critical authentication bypass and remote-code-execution flaw in FortiAuthenticator, tracked as CVE-2026-44277 and rated CVSS 9.1. An unauthenticated attacker who can reach the appliance can send specially crafted requests and end up executing code or commands on it, with no valid credentials or MFA token involved. The advisory landed on 12 May; a proof-of-concept script has since appeared on GitHub, as reported by The Hacker News.

If you’re an Australian SMB, FortiAuthenticator is probably doing more than you realise. It’s the box behind a lot of single sign-on, multi-factor authentication and VPN access setups. Bypass it and you don’t just compromise one user — you compromise the front door to identity. For firms holding client data covered by the Notifiable Data Breaches scheme, that’s a notification-grade event waiting to happen.

What to do: patch to FortiAuthenticator 6.5.7, 6.6.9 or 8.0.3 today, whichever fixed release matches the branch you run. If you genuinely can't patch this week, restrict the admin and API interfaces to trusted source IPs (and make sure neither is reachable from the internet at all), then pull your logs and look for API requests from addresses you don't recognise. Treat that as a stopgap, not a fix: it shrinks who can reach the flaw, it does not remove it. FortiAuthenticator Cloud (FortiTrust Identity) is not affected. Don't wait for active exploitation — once a public PoC is circulating, mass scanning and weaponisation follow within days, not months.
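Before you can patch, you need to know which of your appliances are actually exposed. The script below is an added example written for this post, not code from Fortinet or from the original article: given the version string you read off each FortiAuthenticator's System Information page (the hostnames and versions in the sample inventory are constructed), it reports whether the build is at or above the fixed release named above for its branch. Branches the post does not list (for example 7.x) are reported as UNKNOWN rather than guessed at; check the vendor advisory for those. The version string format it accepts (`6.6.4`, `v8.0.1`, `8.0.1-build0123`) is an assumption about what you will paste in, not a Fortinet specification.

```python
"""Added triage helper for CVE-2026-44277 (not Fortinet's or the blog's code).

Compares installed FortiAuthenticator versions against the fixed releases
this post names: 6.5.7, 6.6.9 and 8.0.3.  Branches not named here are
returned as UNKNOWN instead of being assumed safe or vulnerable.
"""
import re

# Fixed release per branch, exactly as stated in the post.
FIXED = {
    (6, 5): (6, 5, 7),
    (6, 6): (6, 6, 9),
    (8, 0): (8, 0, 3),
}

# Accepts "6.6.4", "v6.6.4" or "6.6.4-build0123" (assumed input format).
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[-.].*)?$")


def parse_version(text):
    """Turn a version string into a (major, minor, patch) tuple of ints.

    Tuples compare numerically, so 6.6.10 sorts after 6.6.9; a plain string
    comparison would get that wrong and call a patched box vulnerable.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(version_text):
    """Return 'PATCHED', 'VULNERABLE' or 'UNKNOWN' for one installed version."""
    v = parse_version(version_text)
    fixed = FIXED.get(v[:2])          # look up the branch, e.g. (6, 6)
    if fixed is None:
        return "UNKNOWN"              # branch not covered by this post
    return "PATCHED" if v >= fixed else "VULNERABLE"


def triage(inventory):
    """inventory: {hostname: version string} -> {hostname: status}."""
    return {host: assess(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {
        "fac-syd-01": "6.6.4",
        "fac-syd-02": "6.6.10",
        "fac-mel-01": "v8.0.3",
        "fac-bne-01": "8.0.1-build0123",
        "fac-lab-01": "7.2.1",
    }
    for host, status in triage(sample).items():
        print(f"{host:12} {sample[host]:18} {status}")
```

Anything that comes back VULNERABLE goes to the top of the patch queue; anything UNKNOWN means the post does not cover that branch and you need to read Fortinet's advisory for it rather than assume either way.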

Not sure whether you’re running FortiAuthenticator, or whether your version is patched? That’s the kind of inventory question we handle daily for our managed clients — get in touch via our Cybersecurity page if you’d like a second set of eyes.
