Fortinet has announced the resolution of two critical vulnerabilities affecting its FortiSandbox security solution, identified as CVE-2026-39813 and CVE-2026-39808. These vulnerabilities could be exploited by unauthenticated attackers, enabling them to bypass authentication measures and execute unauthorized commands on vulnerable systems.

The vulnerabilities can be triggered through specially crafted HTTP requests, which places unpatched FortiSandbox deployments at significant risk. It is crucial for users to apply the necessary patches to mitigate these threats.

Overview of FortiSandbox

FortiSandbox is designed to detect and analyze advanced threats by executing suspicious files and URLs in a controlled environment. The solution provides verdicts that inform other Fortinet products, such as firewalls and endpoint security clients, enabling them to enforce blocking decisions or initiate alerts and automated responses. FortiSandbox integrates seamlessly with the Fortinet Security Fabric, enhancing overall cybersecurity posture.

Details on the Vulnerabilities

The first vulnerability, CVE-2026-39813, is a path traversal issue within the JRPC API of FortiSandbox. This flaw can allow attackers to bypass authentication on systems running vulnerable versions of FortiSandbox, specifically versions 5.0.0 through 5.0.5 and 4.4.0 through 4.4.8.

The second vulnerability, CVE-2026-39808, impacts an unspecified API in FortiSandbox versions 4.4.0 through 4.4.8. This vulnerability could facilitate unauthorized code execution due to improper handling of special elements in OS commands.

Both vulnerabilities were responsibly disclosed to Fortinet by researchers. CVE-2026-39813 was reported by a member of Fortinet’s own Product Security Incident Response Team, while CVE-2026-39808 was flagged by a researcher associated with KPMG Spain.

At this time, there is no indication that these vulnerabilities have been exploited in the wild. However, if an attacker were to compromise a FortiSandbox instance, it could lead to the misrepresentation of malicious files as benign to dependent Fortinet products, potentially facilitating lateral movement within enterprise networks.

In addition to addressing these critical vulnerabilities, Fortinet has introduced patches for three additional medium-severity vulnerabilities discovered internally. These include two vulnerabilities (CVE-2025-61886 and CVE-2026-39812) that allow cross-site scripting attacks, and one (CVE-2026-25691) that could enable a privileged attacker with super-admin access to delete arbitrary directories via specially crafted HTTP requests.

Given the nature of these vulnerabilities and their potential impact on security infrastructure, it is essential for organizations utilizing FortiSandbox to update their systems promptly. Failure to do so not only exposes systems to unauthorized access but also undermines the integrity of the cybersecurity measures in place.

Fortinet continues to emphasize the importance of maintaining robust security practices and staying informed about potential vulnerabilities that may affect their solutions.

Source: Help Net Security News