Patch these critical Fortinet sandbox bugs that let attackers bypass login, run commands over HTTP

Summary

Two critical vulnerabilities, both exploitable without authentication, have been disclosed in Fortinet FortiSandbox. They could allow attackers to bypass authentication or execute operating-system commands via HTTP requests. Fortinet has released fixes; administrators should apply the updates immediately. There are no confirmed reports of active exploitation yet, but the public details make rapid abuse likely.

Key Points

  • CVE-2026-39808: OS command injection in FortiSandbox versions 4.4.0–4.4.8. CVSS 9.1. Patch by upgrading to FortiSandbox 4.4.9 or later.
  • CVE-2026-39813: Path traversal in the FortiSandbox JRPC API enabling authentication bypass. Affects 4.4.0–4.4.8 and 5.0.0–5.0.5. CVSS 9.1. Patch to 4.4.9+ or 5.0.6+ as appropriate for your branch.
  • Both flaws are exploitable without authentication and have been publicly disclosed.
  • Researcher Rishi published detection templates/scanners on GitHub to check for vulnerable instances.
  • No active exploitation reported so far, but recent history (including an exploited FortiClient EMS bug added to CISA’s KEV list) suggests urgent patching is prudent.
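As an added illustration (not code from the article, from Fortinet or from the researcher's scanners), the affected and fixed versions listed in the bullets above can be turned into an inventory triage check: feed it the version strings from your asset inventory and it tells you which of the two CVEs apply and the minimum release to upgrade to on that branch. The hostnames, version strings and inventory below are constructed; the only facts used are the version ranges and fix releases stated above, and any branch not named on the page is reported as "not listed" rather than as safe.

```python
"""Triage FortiSandbox inventory entries against the two advisories above."""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges (inclusive) and fixed releases, exactly as stated in the summary.
ADVISORIES = {
    "CVE-2026-39808": {
        "title": "OS command injection",
        "affected": [((4, 4, 0), (4, 4, 8))],
        "fixed": {4: (4, 4, 9)},
    },
    "CVE-2026-39813": {
        "title": "JRPC path traversal / authentication bypass",
        "affected": [((4, 4, 0), (4, 4, 8)), ((5, 0, 0), (5, 0, 5))],
        "fixed": {4: (4, 4, 9), 5: (5, 0, 6)},
    },
}

# Branches the advisory text actually covers; anything else is "not listed", not "safe".
LISTED_BRANCHES = {(4, 4), (5, 0)}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Version]:
    """Turn strings such as 'v4.4.3' or '5.0.2 build0345' into (major, minor, patch)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def affected_cves(version: str) -> List[str]:
    """Return the CVE ids whose stated affected ranges contain `version`."""
    v = parse_version(version)
    if v is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    return [
        cve for cve, adv in ADVISORIES.items()
        if any(lo <= v <= hi for lo, hi in adv["affected"])
    ]


def recommended_version(version: str) -> Optional[str]:
    """Minimum fixed release for the device's branch, or None if nothing applies."""
    v = parse_version(version)
    if v is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    targets = [
        ADVISORIES[cve]["fixed"][v[0]]
        for cve in affected_cves(version)
        if v[0] in ADVISORIES[cve]["fixed"]
    ]
    if not targets:
        return None
    # The highest fix release on the branch closes every listed CVE at once.
    return ".".join(str(n) for n in max(targets))


def triage(inventory: Dict[str, str]) -> Dict[str, dict]:
    """Map host -> {status, cves, upgrade_to} for a host->version inventory."""
    report = {}
    for host, raw in inventory.items():
        v = parse_version(raw)
        if v is None:
            report[host] = {"status": "unparseable", "cves": [], "upgrade_to": None}
            continue
        cves = affected_cves(raw)
        if cves:
            status = "vulnerable"
        elif v[:2] in LISTED_BRANCHES:
            status = "patched"
        else:
            status = "not listed"  # branch not covered by the summary; check the vendor advisory
        report[host] = {"status": status, "cves": cves, "upgrade_to": recommended_version(raw)}
    return report


# Constructed sample inventory (hypothetical hostnames and version strings).
INVENTORY = {
    "sbx-dmz-01": "v4.4.3",
    "sbx-lab-02": "5.0.2 build0345",
    "sbx-hq-03": "5.0.6",
    "sbx-old-04": "4.2.7",
}

if __name__ == "__main__":
    for host, row in triage(INVENTORY).items():
        print(f"{host}: {row['status']} {row['cves']} -> upgrade to {row['upgrade_to']}")
```

Two design points: ranges are compared as integer tuples rather than strings, so "4.4.10" would sort correctly after "4.4.8", and a branch the page does not name is reported as "not listed" so that an unmentioned release is never mistaken for a patched one.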

Context and Relevance

Fortinet appliances are common in enterprise environments; high-severity, unauthenticated vulnerabilities in FortiSandbox can lead to unauthorised access, remote code execution and further network compromise. Given attackers’ history of targeting Fortinet products, publicly available exploit details and scanners increase the risk profile for exposed devices. Patching and scanning internet-exposed instances should be treated as a priority.

Author style

Punchy: this is an urgent, actionable security alert — if you run FortiSandbox, upgrading is essential. Check the advisories and version-specific notes for mitigation steps.

Why should I read this?

Short and blunt: these bugs let strangers either bypass login or run commands on your sandbox over HTTP. If any FortiSandbox instances are reachable, they could be compromised quickly. We’ve done the slog — read this so you know to patch now.

Source

Source: https://go.theregister.com/feed/www.theregister.com/2026/04/15/critical_fortinet_sandbox_bugs/