Cyber Web Spider Blog – News

Critical Vulnerabilities Found in FortiSandbox Platform

Posted on April 15, 2026 By CWS

Fortinet has disclosed two security vulnerabilities in its FortiSandbox platform, each rated critical with a CVSSv3 score of 9.1. Both can be exploited by remote attackers without authentication, which makes them a serious risk for organizations that rely on FortiSandbox for advanced threat detection.

OS Command Injection Vulnerability

The first security flaw, labeled as CVE-2026-39808, involves improper neutralization of special elements in operating system commands, classified under CWE-78. This vulnerability exists within the FortiSandbox API component and could permit unauthorized code execution via specially crafted HTTP requests.

The issue requires no user authentication to exploit, making it a low-complexity, high-impact risk. Successful exploitation could fully compromise the sandbox environment, the very component designed to safely analyze and contain malware.

Affected systems are FortiSandbox 4.4 (4.4.0 through 4.4.8), which should be upgraded to 4.4.9 or newer. FortiSandbox 5.0 and FortiSandbox PaaS 5.0 are not impacted. The vulnerability was responsibly disclosed by Samuel de Lucas Maroto of KPMG Spain, and Fortinet has acknowledged his contribution.

Authentication Bypass via Path Traversal

The second vulnerability, tracked as CVE-2026-39813, is a path traversal issue classified under CWE-24. It affects the FortiSandbox JRPC API and enables attackers to bypass authentication through specially crafted HTTP requests, leading to privilege escalation.

Like the first flaw, this issue carries a CVSSv3 score of 9.1 and requires no authentication to exploit. Discovered internally by Loic Pantano of Fortinet PSIRT, it affects FortiSandbox 5.0 (5.0.0 through 5.0.5) and 4.4 (4.4.0 through 4.4.8); the fixed versions are 5.0.6 and 4.4.9, respectively. Versions 5.2 and 4.2 are not affected.

Urgent Security Measures

Though no active exploitation has been reported, the critical nature of these vulnerabilities necessitates immediate attention from organizations. Security teams are advised to promptly apply the recommended patches, audit FortiSandbox setups for any weaknesses, and restrict API access to trusted networks as a temporary measure.
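For the audit step above, the first thing a security team needs is to know which appliances fall inside the affected ranges stated in this article for CVE-2026-39808 and CVE-2026-39813 and what the minimum fix version is. The following is an added example, not Fortinet's code or tooling: it encodes only the version ranges given on this page, compares versions numerically rather than as strings (so 4.4.10 is correctly treated as newer than 4.4.9), and runs over a constructed sample inventory whose hostnames and versions are made up.

```python
"""Triage helper (added example, not Fortinet's code): given an inventory of
FortiSandbox appliances, report which of the two advisories on the page apply
to each one and the minimum version to upgrade to.

Affected ranges are exactly those stated in the article. The inventory at the
bottom is constructed sample data."""

# Affected ranges per CVE, keyed by release branch.
# Each entry: (first affected, last affected, fixed version).
ADVISORIES = {
    "CVE-2026-39808": {  # OS command injection in the FortiSandbox API
        "4.4": ((4, 4, 0), (4, 4, 8), (4, 4, 9)),
    },
    "CVE-2026-39813": {  # authentication bypass via path traversal, JRPC API
        "4.4": ((4, 4, 0), (4, 4, 8), (4, 4, 9)),
        "5.0": ((5, 0, 0), (5, 0, 5), (5, 0, 6)),
    },
}


def parse_version(text):
    """Parse 'X.Y.Z' into a tuple of ints so that numeric comparison works;
    a plain string comparison would rank '4.4.10' below '4.4.9'."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiSandbox version: {text!r}")
    return tuple(int(p) for p in parts)


def applicable_cves(version_text):
    """Return {cve: fixed_version_string} for every advisory whose affected
    range contains the given version. An empty dict means not affected
    (branches not listed, such as 4.2 and 5.2, never match)."""
    v = parse_version(version_text)
    branch = f"{v[0]}.{v[1]}"
    hits = {}
    for cve, branches in ADVISORIES.items():
        rng = branches.get(branch)
        if rng and rng[0] <= v <= rng[1]:
            hits[cve] = ".".join(str(n) for n in rng[2])
    return hits


def triage(inventory):
    """inventory: iterable of (hostname, version) pairs.
    Returns a list of (hostname, version, sorted CVE list, target version or None)."""
    rows = []
    for host, ver in inventory:
        hits = applicable_cves(ver)
        target = None
        if hits:
            # Every applicable fix lives on the host's own branch; pick the highest
            # so one upgrade closes all listed CVEs for that appliance.
            target = max(hits.values(), key=parse_version)
        rows.append((host, ver, sorted(hits), target))
    return rows


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("fsa-lab-01", "4.4.3"),
    ("fsa-prod-01", "4.4.9"),
    ("fsa-prod-02", "5.0.5"),
    ("fsa-prod-03", "5.0.6"),
    ("fsa-old-01", "4.2.7"),
    ("fsa-new-01", "5.2.0"),
]

if __name__ == "__main__":
    for host, ver, cves, target in triage(SAMPLE_INVENTORY):
        status = f"upgrade to {target} ({', '.join(cves)})" if cves else "not affected"
        print(f"{host:12} {ver:8} {status}")
```

In practice the inventory would come from a CMDB export or the appliances' own version reporting; the point of the helper is that the affected/fixed decision is made by numeric range comparison against the advisory data, so it stays correct when point releases beyond the fix version appear.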

With cyber threats continually evolving, staying informed and proactive is essential. Follow our updates on Google News, LinkedIn, and X for the latest in cybersecurity. Contact us for more information or to share your stories.

Category: Cyber Security News. Tags: API security, CVSSv3, Cybersecurity, enterprise security, Fortinet, FortiSandbox, OS command injection, path traversal, security patches, Vulnerabilities

Copyright © 2026 Cyber Web Spider Blog – News.