🌐 Network

Public Exploit Released for Critical FortiSandbox RCE (CVE-2026-39808, CVSS 9.1) — Unauthenticated Root Access

A public proof-of-concept exploit has been released for CVE-2026-39808, a critical OS command injection vulnerability in Fortinet FortiSandbox that allows unauthenticated attackers to execute arbitrary commands as root via a single HTTP request. A companion authentication bypass flaw (CVE-2026-39813) affects the same versions. Patch to FortiSandbox 4.4.9 or 5.0.6 immediately.

4 min read
#fortinet#fortisandbox#rce#command-injection#authentication-bypass#poc-exploit#unauthenticated#cve-2026-39808#cve-2026-39813

A public proof-of-concept exploit has been released for a critical unauthenticated remote code execution vulnerability in Fortinet FortiSandbox, the sandboxing and advanced threat detection platform used in enterprise security stacks. The PoC, published on GitHub by security researcher Samuel de Lucas, demonstrates that a single crafted HTTP request achieves root-level command execution on unpatched appliances — no credentials, no prior access, no user interaction required.

Fortinet disclosed both CVEs as part of its April 2026 security advisory cycle. The PoC release significantly accelerates the exploitation risk timeline for unpatched deployments.

CVE-2026-39808: Unauthenticated OS Command Injection (CVSS 9.1)

The primary vulnerability resides in FortiSandbox’s job detail endpoint at /fortisandbox/job-detail/tracer-behavior. The endpoint accepts user-supplied input that is passed without sufficient sanitisation into an OS-level command execution context. Because the endpoint does not require authentication, any network-reachable attacker can submit a crafted HTTP request containing injected commands, which execute under the root account — the highest privilege level on the appliance.

The CVSS 9.1 CRITICAL rating reflects the combination of: network-reachable attack vector, no authentication required, no user interaction required, and root-level code execution impact. Fortinet originally discovered and silently patched this vulnerability in November 2025 under advisory FG-IR-26-100, but did not publicly disclose the CVE until the April 2026 coordinated release cycle. The researcher’s publication of the PoC followed shortly after public disclosure.

Affected versions: FortiSandbox 4.4.0 through 4.4.8.

CVE-2026-39813: Authentication Bypass via Path Traversal

The companion vulnerability is a path traversal flaw in FortiSandbox’s JRPC API that allows an unauthenticated attacker to bypass authentication controls. JRPC (JSON Remote Procedure Call) is the API layer through which management operations are performed on the appliance. By traversing the expected API path structure, an attacker can invoke authenticated API functions without presenting valid credentials, potentially gaining administrative access to sandboxing configuration, policy settings, and verdict data.

Affected versions: FortiSandbox 4.4.0 through 4.4.8 and 5.0.0 through 5.0.5.

Why FortiSandbox Exposure Matters

FortiSandbox appliances sit at a strategically sensitive position in enterprise security architectures: they inspect files and network traffic referred from other security controls (FortiGate firewalls, FortiMail, FortiWeb) and produce verdicts used to block or allow content. A compromised FortiSandbox can:

  • Issue false-negative verdicts: approve malicious files and URLs that other controls would otherwise block, allowing malware through the security stack on every submission
  • Expose sample data: files submitted for analysis — potentially including sensitive documents, proprietary code, or credentials — are accessible on the appliance filesystem under root
  • Pivot to adjacent Fortinet infrastructure: FortiSandbox maintains authenticated sessions with FortiGate and other Fortinet components; root access on the sandbox may allow lateral movement to firewall management interfaces
  • Disable or manipulate security policy: administrative access to sandboxing policy allows an attacker to reduce the inspection scope, whitelisting malware categories or submission sources

This makes FortiSandbox a high-value target — not because of what it runs, but because of what trust it holds within the broader security fabric.

  • Patch immediately: Upgrade FortiSandbox 4.4.x to 4.4.9 or later; upgrade FortiSandbox 5.0.x to 5.0.6 or later. Both CVEs are fully remediated by these versions.
  • Verify internet exposure: FortiSandbox management and submission interfaces should not be accessible from the internet. Confirm firewall rules restrict access to trusted internal segments only. With a public PoC available, internet-exposed unpatched appliances should be treated as imminently compromised.
  • Check for compromise indicators: Review FortiSandbox system logs for unexpected HTTP requests to /fortisandbox/job-detail/tracer-behavior from external sources or from unexpected internal hosts. Audit JRPC API logs for unauthenticated or anomalous session activity.
  • Audit Fortinet trust relationships: If FortiSandbox has been compromised or is suspected, review all connected FortiGate and Fortinet management planes for signs of lateral movement, particularly unexpected administrative sessions or policy changes.
  • Fortinet Security Fabric customers: If your FortiSandbox is integrated into a Security Fabric, the scope of potential impact is wider — audit all Fabric-connected components for anomalous behaviour following the FortiSandbox patch.

Broader Context

FortiSandbox CVE-2026-39808 follows a pattern of Fortinet security product vulnerabilities drawing rapid PoC development after public disclosure — reflecting both the high value of Fortinet appliances as targets and the security research community’s sustained focus on the platform. Organisations running Fortinet security fabric deployments should treat FortiSandbox patches as equivalent urgency to gateway and firewall patches: a compromised security product provides a more dangerous foothold than a compromised standard server.

Share this article