Fortinet has identified a significant security flaw in its FortiSandbox product, designated as CVE-2026-59835. This vulnerability allows unauthenticated attackers to access the Virtual Network Computing (VNC) server of virtual machines (VMs) used for malware analysis, potentially leading to unauthorized information disclosure.
FortiSandbox is a security solution that utilizes isolated VMs to safely execute and analyze suspicious files, aiding in the detection of malware. The identified flaw, classified under CWE-668 as an ‘Exposure of Resource to Wrong Sphere,’ has been assigned a CVSSv3 score of 7.7, indicating a high severity level. Exploitation of this vulnerability requires no authentication, enabling attackers to send specially crafted network requests to gain access to the VNC server associated with the scanning VMs.
Such unauthorized access could compromise the integrity of the malware analysis process, allowing attackers to observe or interact with the sandboxed environments. This exposure not only undermines the effectiveness of the security solution but also risks the leakage of sensitive data processed during the analysis.
Affected Versions and Remediation
The vulnerability affects specific versions of FortiSandbox:
- Version 5.0: Builds 5.0.0 through 5.0.2
- Version 4.4: Builds 4.4.3 through 4.4.8
Users operating these versions are advised to upgrade to the following patched versions:
- For Version 5.0: Upgrade to 5.0.3 or later
- For Version 4.4: Upgrade to 4.4.9 or later
Notably, FortiSandbox Platform-as-a-Service (PaaS) deployments are not impacted by this vulnerability. However, organizations utilizing on-premises appliances, particularly the FSA-500G and FSA-1500G models, should prioritize applying these updates to mitigate potential risks.
Fortinet has acknowledged the INPS security team for responsibly reporting this issue, which was disclosed under advisory FG-IR-26-145 on July 14, 2026. As of this disclosure, there have been no reports of the vulnerability being exploited in the wild.
This recent discovery adds to a series of security challenges Fortinet has addressed in FortiSandbox this year. Previous vulnerabilities include a critical OS command injection flaw (CVE-2026-25089) with a CVSS score of 9.1, and a missing authorization issue in the product’s web interface, both of which allowed unauthenticated remote attackers to compromise the system.
Given the critical role FortiSandbox plays in malware detection and analysis, it is imperative for organizations to promptly apply the recommended patches. Failure to do so could leave systems vulnerable to unauthorized access and potential data breaches, undermining the overall security posture of the organization.