Critical FortiSandbox Vulnerabilities Expose Systems to Unauthorized Command Execution
Fortinet has recently disclosed two critical vulnerabilities in its FortiSandbox platform, each carrying a CVSSv3 score of 9.1. These flaws could allow unauthenticated remote attackers to execute arbitrary commands and bypass authentication mechanisms, posing significant risks to enterprise environments that rely on FortiSandbox for advanced threat detection.
OS Command Injection Vulnerability (CVE-2026-39808)
The first vulnerability, identified as CVE-2026-39808, is classified under CWE-78, indicating an improper neutralization of special elements used in OS commands. This flaw resides in the FortiSandbox API component and enables unauthenticated attackers to execute unauthorized code or commands by sending specially crafted HTTP requests.
The severity of this vulnerability is underscored by its low complexity and high impact. Exploitation could lead to a complete compromise of the sandboxing environment, undermining the system designed to analyze and contain malicious files.
Affected Versions and Remediation:
– FortiSandbox 4.4 (versions 4.4.0 through 4.4.8): Upgrade to 4.4.9 or later.
– FortiSandbox 5.0: Not affected.
– FortiSandbox PaaS 5.0: Not impacted; no action required.
This vulnerability was responsibly disclosed by Samuel de Lucas Maroto from KPMG Spain, and Fortinet has acknowledged his contribution.
Authentication Bypass via Path Traversal (CVE-2026-39813)
The second critical vulnerability, CVE-2026-39813, is a path traversal flaw classified under CWE-24, affecting the FortiSandbox JRPC API. An unauthenticated attacker can exploit this weakness using specially crafted HTTP requests to bypass authentication controls, leading to privilege escalation.
Like the first flaw, this vulnerability carries a CVSSv3 score of 9.1 and requires neither user interaction nor prior authentication, making it particularly dangerous in deployments whose API is reachable from untrusted networks. It was discovered internally and reported by Loic Pantano of Fortinet PSIRT.
Affected Versions and Remediation:
– FortiSandbox 5.0 (versions 5.0.0 through 5.0.5): Upgrade to 5.0.6 or later.
– FortiSandbox 4.4 (versions 4.4.0 through 4.4.8): Upgrade to 4.4.9 or later.
– FortiSandbox 5.2 and 4.2: Not affected.
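To turn the two affected-version lists above into a repeatable inventory check, the following Python script is added here as an example; it is not Fortinet code. Its range table is transcribed from the lists on this page (CVE-2026-39808 and CVE-2026-39813), the host names and versions in the sample inventory are constructed, and the FortiSandbox PaaS line is left out because PaaS is not tracked by an on-premises version string. A branch the page does not mention (for instance 5.2 under CVE-2026-39808) is reported as "unknown" rather than assumed safe, so the script never claims more than the advisory summary states.

```python
"""Triage FortiSandbox inventory against the two advisory ranges above.

Added example, not Fortinet code.  ADVISORY_RANGES is transcribed from the
affected-version lists on this page; SAMPLE_INVENTORY is constructed data.
Branches the page does not mention are reported as "unknown".
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]


@dataclass(frozen=True)
class Finding:
    cve: str
    status: str                  # "affected", "fixed", "not affected" or "unknown"
    remediation: Optional[str]   # upgrade instruction when status == "affected"


# Per CVE: branch -> (first affected, last affected, fixed version),
# or None when the page lists the branch as not affected.
ADVISORY_RANGES: Dict[str, Dict[str, Optional[Tuple[Version, Version, str]]]] = {
    "CVE-2026-39808": {
        "4.4": ((4, 4, 0), (4, 4, 8), "4.4.9"),
        "5.0": None,
    },
    "CVE-2026-39813": {
        "5.0": ((5, 0, 0), (5, 0, 5), "5.0.6"),
        "4.4": ((4, 4, 0), (4, 4, 8), "4.4.9"),
        "5.2": None,
        "4.2": None,
    },
}


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch'; reject anything else instead of guessing."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiSandbox version: {text!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2]))


def assess(version_text: str) -> List[Finding]:
    """Return one Finding per CVE for the given version string."""
    version = parse_version(version_text)
    branch = f"{version[0]}.{version[1]}"
    findings: List[Finding] = []
    for cve, branches in ADVISORY_RANGES.items():
        if branch not in branches:
            # The page says nothing about this branch for this CVE.
            findings.append(Finding(cve, "unknown", None))
        elif branches[branch] is None:
            findings.append(Finding(cve, "not affected", None))
        else:
            first, last, fixed = branches[branch]
            if first <= version <= last:
                findings.append(Finding(cve, "affected", f"upgrade to {fixed} or later"))
            else:
                # Above the last affected build of a listed branch, i.e. patched.
                findings.append(Finding(cve, "fixed", None))
    return findings


def triage_inventory(lines: List[str]) -> Dict[str, List[str]]:
    """Map each 'host version' line to the CVEs that still require an upgrade."""
    todo: Dict[str, List[str]] = {}
    for line in lines:
        host, version_text = line.split()
        todo[host] = [f.cve for f in assess(version_text) if f.status == "affected"]
    return todo


# Constructed sample data, not real hosts.
SAMPLE_INVENTORY = [
    "sbx-lab-01 4.4.7",
    "sbx-prod-02 5.0.3",
    "sbx-prod-03 5.0.6",
    "sbx-new-04 5.2.0",
]

if __name__ == "__main__":
    for host, cves in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {', '.join(cves) if cves else 'no upgrade required'}")
```

Feed it the output of whatever asset inventory records the FortiSandbox firmware version; a host that comes back with an empty list has either been patched or sits on a branch the advisory lists as unaffected, while an "unknown" finding means the page simply does not cover that branch and the full Fortinet advisory should be consulted.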
Implications and Recommendations
As of the publication date, there have been no reports of these vulnerabilities being exploited in the wild. However, given their critical severity and the fact that they can be exploited without authentication, organizations should treat these disclosures as a high priority.
Security teams are urged to apply the recommended patches immediately. Additionally, it’s advisable to audit FortiSandbox deployments for exposure and, as a temporary mitigation while updates are being implemented, to restrict access to the FortiSandbox API (including the JRPC API) to trusted management networks.
These vulnerabilities highlight the importance of regular security assessments and prompt patch management in maintaining the integrity of cybersecurity infrastructures.