Critical Fortinet sandbox bugs allow auth bypass and RCE • The Register

Fortinet has issued emergency patches for two critical vulnerabilities in its FortiSandbox product that could allow unauthenticated attackers to bypass authentication or execute unauthorized code on vulnerable systems. The security vendor has released fixes for both flaws, which affect multiple versions of FortiSandbox, though there are currently no reports of active exploitation.

Critical Command Injection Vulnerability

The first vulnerability, CVE-2026-39808, is an OS command injection flaw in FortiSandbox that allows unauthenticated attackers to execute unauthorized code or commands via HTTP requests. This critical vulnerability received a CVSS score of 9.1, indicating its severity. The flaw affects FortiSandbox versions 4.4.0 through 4.4.8.

Organizations running vulnerable versions should upgrade to FortiSandbox 4.4.9 or above to patch the vulnerability. The high CVSS score reflects the ease with which attackers could potentially exploit this flaw to gain control over affected systems without any authentication requirements.

Authentication Bypass Path Traversal Bug

The second critical vulnerability, CVE-2026-39813, is a path traversal bug in the FortiSandbox JRPC API that allows an authentication bypass using specially crafted HTTP requests. Like the first flaw, this vulnerability also earned a CVSS score of 9.1 and affects FortiSandbox 4.4.0 through 4.4.8 and 5.0.0 through 5.0.5.

To address this authentication bypass vulnerability, organizations should patch to version 4.4.9 or above, or 5.0.6 or above, depending on which branch they are running. The Fortinet security analyst Loic Pantano discovered this vulnerability.

Immediate Action Required

Given that both vulnerabilities are now public knowledge and can be exploited without authentication, security experts recommend immediate action. A security researcher named Rishi has published scanners for both vulnerabilities (CVE-2026-39808 and CVE-2026-39813), making it easier for both defenders and potential attackers to identify vulnerable systems.

Organizations should use these scanners to check whether they are running any vulnerable instances of FortiSandbox. The scanners can help identify systems that need immediate patching before attackers can exploit the vulnerabilities.

Context of Recent Fortinet Security Issues

These security updates arrive about a week after Fortinet released an emergency patch for CVE-2026-35616, a critical FortiClient Enterprise Management Server (EMS) bug believed to be under active attack since at least March 31. The US Cybersecurity and Infrastructure Security Agency (CISA) added the FortiClient EMS bug to its Known Exploited Vulnerabilities (KEV) Catalog on April 6 and set a four-day deadline for all federal agencies to apply the patch.

The discovery of these two new critical vulnerabilities in FortiSandbox underscores the ongoing security challenges facing organizations using Fortinet products. Attackers have historically shown a strong interest in exploiting vulnerabilities in Fortinet products, making timely patching essential.

Recommendations for Organizations

Security teams should prioritize these patches as critical updates. The combination of high CVSS scores, the ability to exploit without authentication, and the public availability of vulnerability details creates a situation where attackers are likely to begin exploiting these flaws soon.

Organizations should:

• Immediately scan their infrastructure for vulnerable FortiSandbox versions
• Apply the appropriate patches as soon as possible
• Monitor systems for any signs of attempted exploitation
• Review access logs for suspicious activity
• Consider implementing additional monitoring around FortiSandbox deployments until patches can be applied

The critical nature of these vulnerabilities, combined with their potential for unauthenticated remote code execution and authentication bypass, makes them a top priority for security teams managing Fortinet infrastructure.