Fortinet Reports Critical Unauthenticated Vulnerabilities in FortiSandbox Platform
Take action: If you run FortiSandbox, make sure it is isolated from the internet and accessible from trusted networks only, then update immediately to version 4.4.9+ or 5.0.6+ depending on your branch. Until you update, restrict API access to trusted IP addresses only. It's a Fortinet product, so it will be actively attacked.
Learn More
Fortinet released security advisories for two critical vulnerabilities in its FortiSandbox threat detection platform. The issues affect the API components used for managing and automating sandbox operations.
Vulnerabilities summary:
- CVE-2026-39808 (CVSS score 9.1) - An OS command injection vulnerability in the FortiSandbox API that occurs when the system fails to neutralize special elements in HTTP requests. Attackers can send crafted requests to run unauthorized code or commands with system privileges, potentially compromising the entire sandbox environment.
- CVE-2026-39813 (CVSS score 9.1) - A path traversal flaw in the FortiSandbox JRPC API that allows unauthenticated attackers to bypass security controls. By using specially crafted HTTP requests to navigate the file system, an attacker can achieve privilege escalation without any user interaction.
These vulnerabilities should not be ignored: they target the security infrastructure meant to analyze malware, so by design malware is sent there. If an attacker gains control of FortiSandbox, they can bypass threat detection or use the platform as a jumping-off point to reach other parts of the corporate network. Since the attacks are unauthenticated, any instance exposed to the internet or an untrusted internal segment is at high risk.
The vulnerabilities affect multiple versions of FortiSandbox:
- CVE-2026-39808 impacts FortiSandbox versions 4.4.0 through 4.4.8.
- CVE-2026-39813 affects both the 4.4 branch (4.4.0 to 4.4.8) and the 5.0 branch (5.0.0 to 5.0.5).
FortiSandbox PaaS 5.0 and older versions like 4.2 are not affected by these specific reports.
Administrators should apply the latest firmware updates: deployments on the 4.4 branch should upgrade to version 4.4.9 or higher, and those on the 5.0 branch to version 5.0.6 or later.
If you can't update, restrict API access to trusted IP addresses and monitor network traffic for unusual HTTP requests.
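Both interim mitigations, an IP allow-list for the API and watching for unusual HTTP requests, can be checked against the access logs of the proxy or web front end in front of the appliance. The script below is an added example written for this page, not Fortinet code. It assumes a combined-log-style access log, a placeholder API path prefix (the advisory names the API and JRPC API but no endpoint path), constructed trusted network ranges, and constructed sample log lines. It flags API requests from outside the allow-list, and requests whose URL-decoded target carries path-traversal sequences (the CVE-2026-39813 pattern) or shell metacharacters (the CVE-2026-39808 pattern); decoding is repeated so double-encoded sequences are not missed.

```python
import ipaddress
import re
from typing import Optional
from urllib.parse import unquote

# Networks allowed to reach the FortiSandbox API. Constructed for this
# example; substitute the management networks you actually trust.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("192.168.50.0/24"),
]

# Placeholder prefix for API requests. The advisory gives no endpoint path,
# so adjust this to match what your deployment actually exposes.
API_PATH_PREFIX = "/api/"

# Minimal combined-log-style parser: client IP, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# "../" or "..\" anywhere, or a trailing ".." path segment.
TRAVERSAL_RE = re.compile(r"\.\.[\\/]|[\\/]\.\.(?=$|[?&#])")
# Shell metacharacters that have no legitimate place in an API request target.
# Heuristic: tune against your own traffic before alerting on it.
CMD_INJECTION_RE = re.compile(r"[;|`\n\r]|\$\(|&&")


def fully_decode(target: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded sequences (%252e%252e) unwrap."""
    decoded = target
    for _ in range(rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded


def is_trusted_source(ip_text: str) -> bool:
    """True if the client address falls inside one of the allow-listed networks."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)


def analyze_log_line(line: str) -> Optional[dict]:
    """Return findings for an API request line, or None if not an API request."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    target = m.group("target")
    if not target.startswith(API_PATH_PREFIX):
        return None
    decoded = fully_decode(target)
    findings = {
        "ip": m.group("ip"),
        "target": target,
        "untrusted_source": not is_trusted_source(m.group("ip")),
        "path_traversal": bool(TRAVERSAL_RE.search(decoded)),
        "command_injection": bool(CMD_INJECTION_RE.search(decoded)),
    }
    findings["flagged"] = (
        findings["untrusted_source"]
        or findings["path_traversal"]
        or findings["command_injection"]
    )
    return findings


def triage(lines):
    """Return the findings for every API request worth a closer look."""
    hits = []
    for line in lines:
        result = analyze_log_line(line)
        if result and result["flagged"]:
            hits.append(result)
    return hits


# Constructed sample log lines; these are not real traffic.
SAMPLE_LOG = [
    '10.20.3.7 - - [20/May/2026:10:00:01 +0000] "POST /api/v1/jobs HTTP/1.1" 200',
    '203.0.113.9 - - [20/May/2026:10:00:02 +0000] "GET /api/v1/files?name=..%2F..%2F..%2Fshared%2Fconfig HTTP/1.1" 403',
    '10.20.9.2 - - [20/May/2026:10:00:03 +0000] "GET /api/v1/status?host=localhost;id HTTP/1.1" 500',
    '198.51.100.4 - - [20/May/2026:10:00:04 +0000] "GET /api/v1/files?name=%252e%252e%252fshared%252fconfig HTTP/1.1" 200',
    '192.168.50.10 - - [20/May/2026:10:00:05 +0000] "GET /static/logo.png HTTP/1.1" 200',
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
```

Run it over the sample and three of the five lines are reported: the two traversal attempts from outside the allow-list (one of them double-encoded) and the request from a trusted host that carries a `;` in its query. The last point matters: the allow-list alone would have passed that request, so the pattern check and the source check are complementary. Treat the regexes as a starting point for a SIEM rule, not a substitute for the firmware update.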