Fortinet has issued an urgent advisory regarding two critical vulnerabilities in its FortiSandbox platform: vulnerabilities that could allow unauthenticated attackers to bypass security entirely and seize control of the system.
Both flaws carry a CVSS score of 9.1, signaling a "patch now" priority for organizations relying on Fortinet's sandbox technology to defend their perimeters.
The first vulnerability strikes at the core of the platform’s API management. Tracked as CVE-2026-39813, this “Path Traversal” flaw (CWE-24) resides within the FortiSandbox JRPC API.
This isn’t just a minor oversight; it is a fundamental breakdown of access control. According to the advisory, the vulnerability “may allow an unauthenticated attacker to bypass authentication via specially crafted HTTP requests”. By manipulating path variables, a remote intruder can walk through the front door of the API without a single credential, potentially escalating their privileges to full administrative control.
The second flaw, tracked as CVE-2026-39808, is a critical “OS Command Injection” vulnerability (CWE-78) triggered through a specific API endpoint.
An "unauthenticated attacker can execute unauthorized code or commands via crafted HTTP requests". In a sandbox environment, designed specifically to analyze and contain malicious code, this vulnerability creates a dangerous paradox where the platform itself becomes the staging ground for a broader network attack.
The scope of these vulnerabilities varies across FortiSandbox release branches. Notably, while the authentication bypass affects both the 4.4 and 5.0 series, the command injection flaw is restricted to the 4.4 branch.
| Affected Version | CVE-2026-39813 (Auth Bypass) | CVE-2026-39808 (Cmd Injection) | Required Upgrade |
|---|---|---|---|
| FortiSandbox 5.2 | Not Affected | Not Affected | N/A |
| FortiSandbox 5.0 | Affected (5.0.0 – 5.0.5) | Not Affected | Upgrade to 5.0.6 or above |
| FortiSandbox 4.4 | Affected (4.4.0 – 4.4.8) | Affected (4.4.0 – 4.4.8) | Upgrade to 4.4.9 or above |
| FortiSandbox 4.2 | Not Affected | Not Affected | N/A |
FortiSandbox PaaS 5.0 is confirmed to be unaffected by the command injection issue, and no action is required for customers on that specific platform.
Administrators are urged to audit their FortiSandbox deployments immediately and apply the necessary firmware upgrades to version 5.0.6 or 4.4.9 to close these critical windows of opportunity.