Full Report
All have patches, so make sure you upgrade to a fixed version
Analysis Summary
# Vulnerability: Critical FortiSandbox RCE and Authentication Bypass Flaws
## CVE Details
- **CVE ID:** CVE-2026-39813, CVE-2026-39808, CVE-2026-25089
- **CVSS Score:** 9.1 (Critical) for all three
- **CWE:** Path Traversal (CWE-22) and OS Command Injection (CWE-78)
## Affected Systems
- **Products:** FortiSandbox, FortiSandbox Cloud, FortiSandbox PaaS
- **Versions:**
- **FortiSandbox:** 4.4.0 through 4.4.8; 5.0.0 through 5.0.5
- **FortiSandbox Cloud:** 5.0.4 through 5.0.5
- **FortiSandbox PaaS:** 5.0.4 through 5.0.5
- **Configurations:** Systems with JRPC API or Web UI exposed to HTTP requests.
## Vulnerability Description
Three distinct critical vulnerabilities have been identified within the FortiSandbox ecosystem:
1. **CVE-2026-39813:** A path traversal flaw in the JRPC API. By sending specially crafted HTTP requests, an attacker can bypass authentication mechanisms.
2. **CVE-2026-39808:** An OS command injection vulnerability. This allows an unauthenticated attacker to execute arbitrary code or system-level commands via malicious HTTP requests.
3. **CVE-2026-25089:** A secondary OS command injection vulnerability specifically affecting the Web UI of FortiSandbox, Cloud, and PaaS variants, allowing unauthenticated command execution.
## Exploitation
- **Status:** Under active exploitation in the wild (Reported June 2026).
- **Complexity:** Low/Medium
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Full access to sandbox data and potentially lateral movement)
- **Integrity:** High (Attacker can execute unauthorized commands and modify system state)
- **Availability:** High (Potential for complete system takeover or service disruption)
## Remediation
### Patches
- **FortiSandbox 4.4 Branch:** Upgrade to version **4.4.9** or higher.
- **FortiSandbox 5.0 Branch:** Upgrade to version **5.0.6** or higher.
- **Cloud/PaaS Versions:** Ensure instances are updated to the latest available patched version provided by the vendor.
### Workarounds
- No specific workarounds were provided in the report; immediate patching is the recommended primary defense.
- General mitigation involves restricting access to the JRPC API and Web UI to trusted internal networks only.
## Detection
- **Indicators of Compromise:** Monitor for unusual HTTP requests targeting the JRPC API or Web UI endpoints. Look for unexpected outgoing traffic from the FortiSandbox appliance.
- **Detection methods and tools:** Review system logs for unauthorized access attempts or suspicious command execution signatures.
## References
- **Vendor Advisories:**
- hxxps[://]fortiguard[.]fortinet[.]com/psirt/FG-IR-26-112
- hxxps[://]fortiguard[.]fortinet[.]com/psirt/FG-IR-26-100
- hxxps[://]fortiguard[.]fortinet[.]com/psirt/FG-IR-26-141
- **Threat Intelligence:** Defused (Security Intelligence Firm) report, June 2026.