Critical FortiSandbox Vulnerabilities Allow Attackers to Execute Unauthorized Commands - CyberSecurityNews

Source: CyberSecurityNews. Archived May 10, 2026.

By Guru Baran, April 14, 2026

Fortinet has disclosed two critical security vulnerabilities affecting its FortiSandbox platform, both carrying a CVSSv3 score of 9.1. The flaws, published on April 14, 2026, could allow unauthenticated remote attackers to execute arbitrary commands and bypass authentication entirely, posing a serious risk to enterprise environments relying on FortiSandbox for advanced threat detection.

OS Command Injection Flaw (CVE-2026-39808)

The first vulnerability, tracked as CVE-2026-39808, is an Improper Neutralization of Special Elements used in an OS Command, classified under CWE-78. The flaw resides in the FortiSandbox API component and enables an unauthenticated attacker to execute unauthorized code or commands by sending specially crafted HTTP requests.

With no authentication required and a network-based attack vector, this vulnerability represents a low-complexity, high-impact threat. Successful exploitation could result in full compromise of the sandboxing environment, undermining the very system designed to analyze and contain malicious files.

Affected versions and remediation:
- FortiSandbox 4.4 (versions 4.4.0 through 4.4.8): upgrade to 4.4.9 or above
- FortiSandbox 5.0: not affected
- FortiSandbox PaaS 5.0: not impacted; no action required

The vulnerability was responsibly disclosed by Samuel de Lucas Maroto from KPMG Spain, and Fortinet has acknowledged the researcher's contribution.

Authentication Bypass via Path Traversal (CVE-2026-39813)

The second critical vulnerability, CVE-2026-39813, is a Path Traversal flaw classified under CWE-24, affecting the FortiSandbox JRPC API. An unauthenticated attacker can exploit this weakness using specially crafted HTTP requests to bypass authentication controls, with the primary impact being escalation of privilege.

Like the first flaw, this vulnerability also carries a CVSSv3 score of 9.1 and requires no user interaction or prior authentication, making it equally dangerous in exposed deployments. This vulnerability was internally discovered and reported by Loic Pantano of Fortinet PSIRT.

Affected versions and remediation:
- FortiSandbox 5.0 (versions 5.0.0 through 5.0.5): upgrade to 5.0.6 or above
- FortiSandbox 4.4 (versions 4.4.0 through 4.4.8): upgrade to 4.4.9 or above
- FortiSandbox 5.2 and 4.2: not affected

Neither vulnerability has been observed as exploited in the wild as of publication, but given their critical severity scores and unauthenticated attack vectors, organizations should treat these disclosures as high-priority. Security teams are urged to apply the recommended patches immediately, audit FortiSandbox deployments for exposure, and restrict API access to trusted networks as a temporary mitigation while updates are being rolled out.

About the author: Guru Baran (https://cybersecuritynews.com). Gurubaran KS is a cybersecurity analyst and journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments.
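To turn the two affected-version lists above into a fleet audit, the following is an added example (not Fortinet's or the article's own code) that classifies FortiSandbox version strings against both advisories and ranks hosts by outstanding fixes. The affected ranges are exactly those stated in the article; the inventory string format ("v4.4.7 build0000") and the hostnames are constructed assumptions.

```python
"""Classify FortiSandbox versions against CVE-2026-39808 and CVE-2026-39813.

Added example, not Fortinet's code. Ranges are taken from the advisory text
on this page; the inventory format and hostnames are constructed.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class Advisory(NamedTuple):
    cve: str
    weakness: str
    # (major, minor) branch -> (first affected patch, last affected patch, fixed)
    affected: Dict[Tuple[int, int], Tuple[int, int, str]]


ADVISORIES = [
    Advisory("CVE-2026-39808", "CWE-78 OS command injection in the API",
             {(4, 4): (0, 8, "4.4.9")}),
    Advisory("CVE-2026-39813", "CWE-24 path traversal in the JRPC API",
             {(5, 0): (0, 5, "5.0.6"), (4, 4): (0, 8, "4.4.9")}),
]

_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from an inventory string; None if absent."""
    m = _VERSION_RE.search(text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def assess(version_text: str) -> Dict[str, str]:
    """Map each applicable CVE to the fixed version the advisory names.
    An empty dict means no listed advisory covers this version or branch."""
    ver = parse_version(version_text)
    if ver is None:
        raise ValueError(f"no x.y.z version found in {version_text!r}")
    major, minor, patch = ver
    findings = {}
    for adv in ADVISORIES:
        rng = adv.affected.get((major, minor))
        if rng and rng[0] <= patch <= rng[1]:
            findings[adv.cve] = rng[2]
    return findings


def triage(inventory: Dict[str, str]) -> List[Tuple[str, str, Dict[str, str]]]:
    """Rank hosts with the most outstanding CVEs first to set patching order."""
    rows = [(host, ver, assess(ver)) for host, ver in inventory.items()]
    return sorted(rows, key=lambda r: -len(r[2]))


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and builds are not real.
    sample = {"sbx-eu-1": "v4.4.7 build0000", "sbx-us-1": "5.0.6", "sbx-ap-1": "5.0.3"}
    for host, ver, found in triage(sample):
        print(host, ver, found or "no listed advisory applies")
```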