Full Report
No reports of active exploitation (yet) Watch out for more Fortinet vulns! Two critical bugs in Fortinet's sandbox could allow unauthenticated attackers to bypass authentication or execute unauthorized code on vulnerable systems.…
Analysis Summary
# Vulnerability: Critical Fortinet FortiSandbox Authentication Bypass and RCE
## CVE Details
- **CVE ID:** CVE-2026-39808 / CVE-2026-39813
- **CVSS Score:** 9.1 (Critical) for both
- **CWE:**
- CVE-2026-39808: CWE-78 (OS Command Injection)
- CVE-2026-39813: CWE-22 (Improper Limitation of a Pathname to a Restricted Directory / Path Traversal)
## Affected Systems
- **Products:** Fortinet FortiSandbox
- **Versions:**
- **CVE-2026-39808:** Versions 4.4.0 through 4.4.8
- **CVE-2026-39813:** Versions 4.4.0 through 4.4.8 and 5.0.0 through 5.0.5
- **Configurations:** Systems accessible via HTTP/HTTPS with JRPC API or web interfaces enabled.
## Vulnerability Description
FortiSandbox is impacted by two critical vulnerabilities that reside in its handling of HTTP requests:
1. **CVE-2026-39808:** An OS command injection vulnerability. Metadata within specially crafted HTTP requests can be manipulated to execute arbitrary system commands on the underlying appliance without prior authentication.
2. **CVE-2026-39813:** A path traversal flaw within the FortiSandbox JRPC (JSON Remote Procedure Call) API. This allows an unauthenticated attacker to bypass authentication mechanisms by navigating the directory structure via malicious HTTP requests, potentially gaining administrative access.
## Exploitation
- **Status:** No reports of active exploitation in the wild yet; however, scanning templates and proof-of-concept (PoC) logic have been made public.
- **Complexity:** Low (Can be automated with scripts).
- **Attack Vector:** Network (Remote/Unauthenticated).
## Impact
- **Confidentiality:** High (Full access to sandbox data and configuration).
- **Integrity:** High (Ability to modify system files and execute unauthorized code).
- **Availability:** High (Potential for complete system takeover or service disruption).
## Remediation
### Patches
Fortinet recommends upgrading to the following versions:
- **For 4.4 branch:** Upgrade to version **4.4.9** or higher.
- **For 5.0 branch:** Upgrade to version **5.0.6** or higher.
### Workarounds
No specific official workarounds (like disabling specific services) were provided in the source; immediate patching is the primary recommendation. Minimizing exposure of the management interface to the public internet is a standard best practice.
## Detection
- **Indicators of Compromise:** Monitor HTTP/HTTPS logs for unusual requests directed at the JRPC API or suspicious OS-level command strings in request parameters.
- **Detection methods and tools:**
- Third-party YAML scanner templates (by researcher Rishi) are available for vulnerability assessment.
- Organizations should audit FortiSandbox system logs for unauthorized administrative login events or unexpected configuration changes.
## References
- FortiGuard Advisory (CVE-2026-39808): hxxps[://]fortiguard[.]fortinet[.]com/psirt/FG-IR-26-100
- FortiGuard Advisory (CVE-2026-39813): hxxps[://]fortiguard[.]fortinet[.]com/psirt/FG-IR-26-112
- Vulnerability Scanner Templates: hxxps[://]github[.]com/rxerium/rxerium-templates/blob/main/2026/CVE-2026-39808[.]yaml