Critical FortiSandbox Vulnerabilities Allow Attackers to Execute Unauthorized Commands

Home Cyber Security Critical FortiSandbox Vulnerabilities Allow Attackers to Execute Unauthorized Commands Fortinet has disclosed two critical security vulnerabilities affecting its FortiSandbox platform, both carrying a CVSSv3 score of 9.1. The flaws, published on April 14, 2026, could allow unauthenticated remote attackers to execute arbitrary commands and bypass authentication entirely, posing a serious risk to enterprise environments relying on FortiSandbox for advanced threat detection. OS Command Injection Flaw (CVE-2026-39808) The first vulnerability, tracked as CVE-2026-39808, is an Improper Neutralization of Special Elements used in an OS Command, classified under CWE-78. The flaw resides in the FortiSandbox API component and enables an unauthenticated attacker to execute unauthorized code or commands by sending specially crafted HTTP requests. With no authentication required and a network-based attack vector, this vulnerability represents a low-complexity, high-impact threat. Successful exploitation could result in full compromise of the sandboxing environment, undermining the very system designed to analyze and contain malicious files. Affected versions and remediation: FortiSandbox 4.4 (versions 4.4.0 through 4.4.8) — upgrade to 4.4.9 or above FortiSandbox 5.0 — not affected FortiSandbox PaaS 5.0 — not impacted; no action required The vulnerability was responsibly disclosed by Samuel de Lucas Maroto from KPMG Spain, and Fortinet has acknowledged the researcher’s contribution. Authentication Bypass via Path Traversal (CVE-2026-39813) The second critical vulnerability, CVE-2026-39813, is a Path Traversal flaw classified under CWE-24, affecting the FortiSandbox JRPC API. An unauthenticated attacker can exploit this weakness using specially crafted HTTP requests to bypass authentication controls, with the primary impact being escalation of privilege. Like the first flaw, this vulnerability also carries a CVSSv3 score of 9.1 and requires no user interaction or prior authentication, making it equally dangerous in exposed deployments. This vulnerability was internally discovered and reported by Loic Pantano of Fortinet PSIRT. Affected versions and remediation: FortiSandbox 5.0 (versions 5.0.0 through 5.0.5) — upgrade to 5.0.6 or above FortiSandbox 4.4 (versions 4.4.0 through 4.4.8) — upgrade to 4.4.9 or above FortiSandbox 5.2 and 4.2 — not affected Neither vulnerability has been observed as exploited in the wild as of publication, but given their critical severity scores and unauthenticated attack vectors, organizations should treat these disclosures as high-priority. Security teams are urged to apply the recommended patches immediately, audit FortiSandbox deployments for exposure, and restrict API access to trusted networks as a temporary mitigation while updates are being rolled out. Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories. RELATED ARTICLESMORE FROM AUTHOR Cyber Security News New Mirax Android RAT Turns Infected Phones Into Residential Proxy Nodes Cyber Security News New PlugX USB Worm Spreads Across Multiple Continents Using DLL Sideloading Cyber Security News Hackers Leave Credential Stuffing Botnet Wide Open With Full Worker Access and Root Passwords Top 10 Top 10 Best User Access Management Tools in 2026 April 4, 2026 Top 10 Best VPN For Chrome in 2026 April 4, 2026 20 Best Application Performance Monitoring Tools in 2026 April 3, 2026 Top 10 Best VPN For Linux In 2026 April 3, 2026 10 Best VPN For Privacy In 2026 April 2, 2026