Full Report
Bad actors are exploiting multiple security vulnerabilities in Fortinet FortiSandbox, according to threat intelligence firm Defused Cyber. In a post shared on X, the company said it has observed exploitation of CVE-2026-39813, CVE-2026-39808, and CVE-2026-25089 over the past 24 hours. CVE-2026-39813 (CVSS score: 9.1) refers to a path traversal vulnerability in FortiSandbox JRPC API that could
Analysis Summary
# Vulnerability: Multiple Vulnerabilities in Fortinet FortiSandbox
## CVE Details
- **CVE ID:** CVE-2026-39813, CVE-2026-39808, CVE-2026-25089
- **CVSS Score:**
- CVE-2026-39813: 9.1 (Critical)
- CVE-2026-39808: [Score not specified in snippet]
- CVE-2026-25089: [Score not specified in snippet]
- **CWE:** CWE-22 (Improper Limitation of a Pathname to a Restricted Directory - Path Traversal) for CVE-2026-39813.
## Affected Systems
- **Products:** Fortinet FortiSandbox
- **Versions:** Specific version ranges depend on the CVE; generally affects legacy and current versions prior to the latest security updates.
- **Configurations:** Systems with the JRPC API enabled or exposed are at heightened risk (specifically for CVE-2026-39813).
## Vulnerability Description
CVE-2026-39813 is a high-severity **Path Traversal** vulnerability located within the **JRPC API** of FortiSandbox. Path traversal flaws occur when an application fails to properly sanitize user-supplied input used to construct file paths. In this instance, an attacker can utilize special characters (such as `../`) to escape the intended directory and access, read, or potentially execute sensitive files on the underlying operating system.
## Exploitation
- **Status:** Exploited in the wild (Reported by Defused Cyber).
- **Complexity:** Low to Medium.
- **Attack Vector:** Network (Remote).
## Impact
- **Confidentiality:** High (Potential access to system configuration files, credentials, and sensitive sandbox data).
- **Integrity:** High (Possible unauthorized modification of system files).
- **Availability:** High (Potential to crash services or delete critical files).
## Remediation
### Patches
*Note: Users should check the Fortinet PSIRT advisory portal for specific version-mapping.*
- Fortinet typically releases firmware updates to address these vulnerabilities. Ensure FortiSandbox is updated to the latest available firmware build.
### Workarounds
- **Network Segmentation:** Restrict access to the FortiSandbox management interface and JRPC API to trusted internal networks only.
- **ACLs:** Implement Access Control Lists (ACLs) to block all external traffic to the API ports (standard ports include 443/TCP or custom JRPC ports).
- **Disable Unused Services:** If the JRPC API is not required for management or integration, disable it.
## Detection
- **Indicators of Compromise:**
- Monitor web server and API logs for unusual path traversal patterns (e.g., `%2e%2e%2f`, `..%2f`, and `../../`).
- Audit JRPC API logs for unsuccessful or unauthorized access attempts from unknown IP addresses.
- **Detection methods and tools:**
- Use FortiAnalyzer or external SIEM solutions to alert on high-frequency API requests.
- Deploy Suricata or Snort signatures designed to detect path traversal attempts against Fortinet products.
## References
- **Vendor Advisories:** hxxps[://]www.fortiguard[.]com/psirt
- **Threat Intel:** hxxps[://]twitter[.]com/defusedcyber (Source of exploitation report)
- **NVD:** hxxps[://]nvd.nist[.]gov/vuln/detail/CVE-2026-39813 (Note: Subject to record availability)