Which Firewall Vendor Has Had the Most Unauthenticated Vulnerabilities in 2026?

If you manage a firewall in 2026, the question isn’t whether your vendor has shipped a critical vulnerability this year — it’s how many, and whether attackers got there before your patch window did. Six months into the year, the answer to “who’s been hit hardest” has a clear winner on paper and a more complicated one in practice.

This roundup of firewall vulnerabilities 2026 tallies the unauthenticated flaws — the ones an attacker can exploit with no credentials at all — across the four vendors that dominate the enterprise perimeter: Fortinet, Palo Alto Networks, Cisco, and SonicWall. Unauthenticated vulnerabilities matter more than any other class because they turn your security appliance into the attack surface itself. No phishing required, no stolen password — just a crafted packet against a device that is, by design, exposed to the internet.

How We Counted

We counted vulnerabilities disclosed or actively exploited between January and June 2026 that meet two criteria: exploitable by an unauthenticated attacker, and affecting the vendor’s network security portfolio (the firewall OS itself plus the management and access products that typically sit beside it). Severity scores are CVSS v3 as published by the vendor. “Exploited” means confirmed in-the-wild exploitation reported by the vendor, CISA, or credible incident-response teams — not proof-of-concept code on GitHub.


The Verdict Up Front

By raw count, Fortinet has had the most unauthenticated vulnerabilities in 2026 — at least eight distinct unauthenticated flaws across FortiOS, FortiSandbox, FortiSIEM, FortiAuthenticator, and FortiClient EMS, several of them under active exploitation. In a single two-day stretch in April, Fortinet disclosed 27 new vulnerabilities across its product line.

But there’s a second answer that matters just as much: Palo Alto Networks had the most severe actively-exploited flaws in the firewall operating system itself. Two PAN-OS vulnerabilities landed on CISA’s Known Exploited Vulnerabilities list this spring, one of them an unauthenticated remote code execution bug running as root. If you weight by “attackers are inside firewalls right now because of this,” Palo Alto’s year has arguably been worse where it counts most.

Both things are true, and the distinction is worth understanding before anyone waves a CVE count around in a vendor-selection meeting. Let’s go vendor by vendor.


Fortinet: Death by a Thousand Advisories

Fortinet’s 2026 started badly and hasn’t let up. On January 13 alone, the company disclosed a critical OS command injection flaw in FortiSIEM (CVE-2025-64155, CVSS 9.4) that allows unauthenticated remote code execution via crafted TCP requests — quickly confirmed as exploited — alongside a heap-based buffer overflow in the FortiOS CAPWAP wireless controller daemon (CVE-2025-25249) that lets an unauthenticated attacker execute code on FortiOS and FortiSwitchManager.

April was worse. Fortinet’s mid-April advisory batch covered 27 vulnerabilities across the portfolio, headlined by two CVSS 9.8 unauthenticated RCE flaws in FortiSandbox (CVE-2026-39808 and CVE-2026-39813) — both now under active exploitation — and a critical improper access control flaw in FortiAuthenticator (CVE-2026-44277, CVSS 9.1) that allows unauthenticated code execution via crafted requests. A third FortiSandbox command injection (CVE-2026-25089) followed in June.

Round it out with an unauthenticated RCE in FortiClient EMS (CVE-2026-21643), an HTTP request smuggling flaw in FortiOS (CVE-2026-21743), and an SSL-VPN information disclosure bug (CVE-2025-55018) that bypasses the patch for the symbolic-link persistence technique attackers used against FortiGates in prior years — and you have a genuinely rough six months.

The context makes it worse: by June, IBM X-Force was reporting broad exploitation campaigns against Fortinet secure access products, and CISA’s Known Exploited Vulnerabilities catalog now tracks 26 Fortinet flaws exploited in real attacks over recent years — 13 of them used by ransomware gangs. Fortinet’s install base is enormous, especially in healthcare, education, and mid-market environments, which makes every one of these advisories a mass-patching event.

The pattern to note: most of Fortinet’s 2026 unauthenticated flaws are in the products around the firewall — the sandbox, the SIEM, the authenticator, the endpoint manager — rather than in shipping FortiGate firmware itself. That’s cold comfort if you run the full Fortinet stack, but it matters for anyone tallying “firewall” vulnerabilities specifically.


Palo Alto Networks: Fewer Flaws, Worse Ones

Palo Alto’s count is lower, but the two headline flaws hit the firewall OS itself, and both were exploited in the wild.

CVE-2026-0300 (CVSS 9.8) is a buffer overflow in the PAN-OS User-ID Authentication Portal that allows an unauthenticated attacker to execute arbitrary code as root on PA-Series and VM-Series firewalls. Palo Alto confirmed “limited exploitation” against firewalls where the portal was left publicly reachable, and CISA added it to the Known Exploited Vulnerabilities catalog with its exploitation-probability score in the 95th percentile.

CVE-2026-0257 is an authentication bypass in the GlobalProtect portal and gateway that lets an unauthenticated attacker establish an unauthorized VPN connection — effectively walking through the front door of the remote-access infrastructure. CISA added it to the KEV catalog on May 29 with an unusually tight federal remediation deadline of June 1, which tells you how seriously the observed exploitation was being taken.

Two exploited, unauthenticated, internet-facing flaws in the core firewall platform in one spring is a bad run by any standard — and it continues a pattern for PAN-OS, which had its own KEV entries in 2024 and 2025. The mitigation posture is familiar: the User-ID portal and GlobalProtect interfaces should never be more exposed than they absolutely need to be.


Laptop displaying cybersecurity text representing firewall vulnerabilities 2026 patch response
Unauthenticated flaws in edge devices turn the security appliance itself into the attack surface.

Cisco: The Zero-Day That Wouldn’t Die

Cisco’s 2026 story is really a continuation of late 2025. The ASA/FTD zero-day chain — CVE-2025-20362 (unauthenticated access to restricted URLs via path traversal) combined with CVE-2025-20333 (CVSS 9.9 remote code execution) — gave the state-sponsored actor behind the ArcaneDoor campaign unauthenticated RCE on ASA and Firepower Threat Defense devices with the WebVPN portal enabled. Government networks were the primary target.

What earns Cisco a place in a 2026 roundup is the April 23 CISA update: the ArcaneDoor actor developed a persistence mechanism that survives upgrading to the fixed software releases. In other words, patching a compromised device isn’t enough — organizations that were exploited before patching may still be compromised after it. That turned a 2025 vulnerability into a 2026 incident-response problem, and it’s arguably the single most alarming firewall development of the year regardless of vendor.


SonicWall: A Quieter Year, With an Asterisk

SonicWall’s 2026 has been comparatively calm. The headline is an April advisory covering three SonicOS flaws — led by CVE-2026-0204 (CVSS 8.0), an access control weakness that can expose management interface functions to an unauthenticated attacker with adjacent network access, affecting Gen 6, Gen 7, and Gen 8 firewalls alike. It was discovered by CrowdStrike researchers rather than found in attacker hands, and no exploitation had been confirmed at disclosure.

The asterisk: SonicWall devices spent much of 2024–2025 as a favorite ransomware target, and threat actor interest in the platform hasn’t gone anywhere. “Adjacent network access” softens CVE-2026-0204 on paper, but any SonicWall admin who lived through the Akira campaigns should treat SonicOS advisories as urgent by default.


Firewall Vulnerabilities 2026: The Scoreboard

VendorUnauthenticated CVEs (Jan–Jun 2026)Worst FlawConfirmed ExploitationProducts Hit
Fortinet8+CVE-2026-39808 / -39813 (9.8, RCE)Yes — multiple, broad campaignsFortiOS, FortiSandbox, FortiSIEM, FortiAuthenticator, FortiClient EMS
Palo Alto2CVE-2026-0300 (9.8, root RCE)Yes — both on CISA KEVPAN-OS (User-ID portal, GlobalProtect)
Cisco2 (carried from 2025)CVE-2025-20333 (9.9, RCE chain)Yes — ArcaneDoor, persistence survives patchingASA, FTD (WebVPN)
SonicWall3CVE-2026-0204 (8.0, mgmt access)Not confirmedSonicOS Gen 6/7/8

Counts reflect vendor advisories and CISA KEV entries through June 2026. Fortinet’s total spans its network security portfolio; the PAN-OS and SonicOS counts are firewall-OS flaws specifically.


What This Actually Means for You

Don’t pick a firewall by CVE count alone

A high disclosure count partly reflects portfolio size, research attention, and how forthcoming a vendor is with advisories. Fortinet ships more distinct products than anyone in this list, and products that get audited produce CVEs. The more useful signals are how often flaws are found by attackers before defenders (bad for Cisco and Palo Alto this cycle) and how quickly and completely the vendor’s fixes actually work (Fortinet’s SSL-VPN patch bypass and Cisco’s upgrade-surviving persistence are both cautionary tales).

Reduce what’s reachable

  • Never expose management interfaces to the internet. Every vendor’s worst 2026 flaw got dramatically less scary when the affected portal wasn’t publicly reachable.
  • Audit your VPN/portal surfaces quarterly. GlobalProtect, WebVPN, and SSL-VPN portals are the front line — if a portal isn’t in use, disable it rather than leaving it listening.
  • Subscribe to your vendor’s PSIRT feed and CISA KEV alerts. The KEV catalog’s remediation deadlines are a good default patch SLA even for organizations that aren’t federally mandated to follow them.
  • Assume compromise for anything that sat unpatched during active exploitation. Cisco’s ArcaneDoor persistence finding is the proof case: patching after the fact does not evict an attacker who arrived before the patch.

For a deeper look at how these three vendors compare on features, pricing, and management, see our Fortinet vs. Cisco vs. Palo Alto firewall comparison. And if 2026 has you rethinking the rest of your infrastructure stack too, our hypervisor comparison guide covers the virtualization layer the same way.


The Bottom Line

Fortinet has had the most unauthenticated vulnerabilities of any firewall vendor in 2026 — eight and counting across its portfolio, with several under active exploitation and a 27-CVE April that security teams will remember for a while. Palo Alto Networks had the most dangerous exploited flaws in the firewall OS itself. Cisco proved that a patched firewall isn’t necessarily a clean one. And SonicWall, for once, mostly stayed out of the headlines.

The uncomfortable truth underneath the scoreboard: the security appliance at your perimeter is one of the most attacked pieces of software you own, at every vendor, every year. Track the advisories from FortiGuard PSIRT and the CISA KEV catalog, patch on the KEV clock, and treat “unauthenticated” plus “internet-facing” as a same-week emergency no matter whose logo is on the box.