Fortinet FortiSandbox Vulnerabilities Exploited by Attackers (CVE-2026-39808, CVE-2026-25089, and CVE-2026-39813)

Threat actors are exploiting three security vulnerabilities in Fortinet FortiSandbox, tracked as CVE-2026-39808, CVE-2026-25089, and CVE-2026-39813. Successful exploitation of the vulnerabilities could lead to OS command injection, authentication bypass, and privilege escalation.

Fortinet FortiSandbox is an advanced threat detection and analysis solution designed to identify and mitigate zero-day malware, ransomware, and targeted cyberattacks. It uses isolated, controlled environments (sandboxes) to safely execute and analyze suspicious files or URLs to see if they are malicious before they can compromise your network.

CVE-2026-39808: Fortinet FortiSandbox OS Command Injection Vulnerability

The vulnerability has a critical severity rating with a CVSS score of 9.1. It is an improper neutralization of special elements used in an OS command (OS command injection) vulnerability in FortiSandbox. Successful exploitation could allow an unauthenticated attacker to execute unauthorized code or commands via crafted HTTP requests.

CVE-2026-25089: Fortinet FortiSandbox OS Command Injection Vulnerability

The vulnerability has a critical severity rating with a CVSS score of 9.1. It is an improper neutralization of special elements used in an OS command (OS command injection) vulnerability in the FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS web UI. Successful exploitation may allow an unauthenticated attacker to execute unauthorized commands via specifically crafted HTTP requests.

CVE-2026-39813: Fortinet FortiSandbox Path Traversal Vulnerability

The vulnerability has a critical severity rating with a CVSS score of 9.1. It is a path traversal vulnerability in the FortiSandbox JRPC API. Successful exploitation could allow an unauthenticated attacker to bypass authentication via specially crafted HTTP requests.

Affected Versions

CVE-2026-39813:
  • FortiSandbox 5.0.0 through 5.0.5
  • FortiSandbox 4.4.0 through 4.4.8
CVE-2026-25089:
  • FortiSandbox 4.4.0 through 4.4.8
CVE-2026-25089:
  • FortiSandbox 4.4.0 through 4.4.8

Mitigation

CVE-2026-39813:
  • FortiSandbox 5.0.6
  • FortiSandbox 4.4.9
CVE-2026-25089:
  • FortiSandbox 4.4.9
CVE-2026-25089:
  • FortiSandbox 4.4.0 through 4.4.8
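The version ranges above are the practical input for an inventory check: given the firmware version reported by each FortiSandbox appliance, which advisory entries apply and what is the first fixed release. The script below is an added example, not Qualys or Fortinet code; it transcribes only the ranges listed above for CVE-2026-39813 and CVE-2026-25089 (the page gives no range for CVE-2026-39808), and the hostnames and versions in the sample inventory are constructed.

```python
"""Check FortiSandbox versions against the affected ranges listed in this advisory."""
from dataclasses import dataclass

Version = tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Turn '5.0.5' or 'v5.0.5' into a comparable (major, minor, patch) tuple."""
    parts = text.strip().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiSandbox version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


@dataclass(frozen=True)
class AffectedRange:
    cve: str
    first: Version  # first affected release (inclusive)
    last: Version   # last affected release (inclusive)
    fixed: Version  # first release that resolves the issue


# Transcribed from the Affected Versions and Mitigation lists in this advisory.
ADVISORY = (
    AffectedRange("CVE-2026-39813", (5, 0, 0), (5, 0, 5), (5, 0, 6)),
    AffectedRange("CVE-2026-39813", (4, 4, 0), (4, 4, 8), (4, 4, 9)),
    AffectedRange("CVE-2026-25089", (4, 4, 0), (4, 4, 8), (4, 4, 9)),
)


def assess(version_text: str) -> dict[str, Version]:
    """Return {cve: first_fixed_version} for every entry the given version falls into."""
    v = parse_version(version_text)
    return {r.cve: r.fixed for r in ADVISORY if r.first <= v <= r.last}


def assess_inventory(inventory: dict[str, str]) -> dict[str, dict[str, Version]]:
    """Map hostname -> findings; hosts on a fixed or unaffected release are omitted."""
    return {host: hits for host, ver in inventory.items() if (hits := assess(ver))}


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hostnames, not real assets).
    sample = {"fsa-dc1": "5.0.5", "fsa-dc2": "4.4.9", "fsa-lab": "v4.4.3", "fsa-new": "5.0.6"}
    for host, hits in assess_inventory(sample).items():
        for cve, fixed in hits.items():
            print(f"{host}: {cve} applies; upgrade to {'.'.join(map(str, fixed))} or later")
```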

Qualys Detection

Qualys customers can scan their devices with QIDs 733996, 734396, 733994, and 734082 to detect vulnerable assets.

QID 734082 is for customers with access to Enterprise TruRisk Management.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References
https://www.fortiguard.com/psirt/FG-IR-26-100
https://fortiguard.fortinet.com/psirt/FG-IR-26-112
https://fortiguard.fortinet.com/psirt/FG-IR-26-141

Author: Diksha Ojha

Senior Technical Writer
