Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
Critical Vulnerabilities Found in FortiSandbox Platform

Critical Vulnerabilities Found in FortiSandbox Platform

Posted on April 15, 2026 By CWS

Fortinet recently identified two significant security vulnerabilities within its FortiSandbox platform, both scoring a critical 9.1 on the CVSSv3 scale. These vulnerabilities pose a significant threat to businesses utilizing FortiSandbox for advanced threat detection, allowing remote attackers to execute commands without authentication.

OS Command Injection Vulnerability

The first security flaw, labeled as CVE-2026-39808, involves improper neutralization of special elements in operating system commands, classified under CWE-78. This vulnerability exists within the FortiSandbox API component and could permit unauthorized code execution via specially crafted HTTP requests.

This issue can be exploited without needing user authentication, representing a low-complexity but high-impact security risk. Successful exploitation may lead to a complete compromise of the sandbox environment, which is designed to safely analyze and contain malware.

Affected systems include FortiSandbox versions 4.4 (4.4.0 to 4.4.8) requiring an upgrade to 4.4.9 or newer. FortiSandbox 5.0 and PaaS 5.0 are not impacted. This vulnerability was responsibly disclosed by Samuel de Lucas Maroto from KPMG Spain, with Fortinet acknowledging his contribution.

Authentication Bypass via Path Traversal

The second vulnerability, tracked as CVE-2026-39813, is a path traversal issue classified under CWE-24. It affects the FortiSandbox JRPC API and enables attackers to bypass authentication through specially crafted HTTP requests, leading to privilege escalation.

Similar to the previous flaw, this issue also has a CVSSv3 score of 9.1, with no authentication required for exploitation. Discovered internally by Loic Pantano of Fortinet PSIRT, this vulnerability affects FortiSandbox versions 5.0 (5.0.0 through 5.0.5) and 4.4 (4.4.0 through 4.4.8), necessitating updates to versions 5.0.6 and 4.4.9, respectively. Versions 5.2 and 4.2 remain unaffected.

Urgent Security Measures

Though no active exploitation has been reported, the critical nature of these vulnerabilities necessitates immediate attention from organizations. Security teams are advised to promptly apply the recommended patches, audit FortiSandbox setups for any weaknesses, and restrict API access to trusted networks as a temporary measure.

With cyber threats continually evolving, staying informed and proactive is essential. Follow our updates on Google News, LinkedIn, and X for the latest in cybersecurity. Contact us for more information or to share your stories.

Cyber Security News Tags:API security, CVSSv3, Cybersecurity, enterprise security, Fortinet, FortiSandbox, OS command injection, path traversal, security patches, Vulnerabilities

Post navigation

Previous Post: Critical Flaws in Synology VPN Client Demand Urgent Action
Next Post: Critical SharePoint Vulnerability Actively Exploited

Related Posts

Malicious npm Package Exploits Hugging Face for Cyber Attacks Malicious npm Package Exploits Hugging Face for Cyber Attacks Cyber Security News
15 Best Incident Response Tools 2025 15 Best Incident Response Tools 2025 Cyber Security News
Malvertising Campaign Exploits ChatGPT for Malware Delivery Malvertising Campaign Exploits ChatGPT for Malware Delivery Cyber Security News
Sendmarc Appoints Dan Levinson as Customer Success Director in North America Sendmarc Appoints Dan Levinson as Customer Success Director in North America Cyber Security News
Adversarial Machine Learning – Securing AI Models Adversarial Machine Learning – Securing AI Models Cyber Security News
Chinese Threat Actors Using 2,800 Malicious Domains to Deliver Windows-Specific Malware Chinese Threat Actors Using 2,800 Malicious Domains to Deliver Windows-Specific Malware Cyber Security News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • Microsoft Fixes 570 Vulnerabilities in Major Update
  • Synopsys Denies Data Breach Amid Bosch Hack Allegations
  • Exploit in Microsoft Entra Allows Credential Validation
  • Critical Vulnerability in Claude Extension Exposes Google Data
  • Adobe Releases Critical Security Updates for ColdFusion

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • Microsoft Fixes 570 Vulnerabilities in Major Update
  • Synopsys Denies Data Breach Amid Bosch Hack Allegations
  • Exploit in Microsoft Entra Allows Credential Validation
  • Critical Vulnerability in Claude Extension Exposes Google Data
  • Adobe Releases Critical Security Updates for ColdFusion

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark