FortiSandbox Auth Bypass and RCE Flaws Score CVSS 9.1
Fortinet patches two critical FortiSandbox vulnerabilities allowing unauthenticated attackers to bypass authentication and execute code. Upgrade to 4.4.9 or 5.0.6 immediately.
Two critical vulnerabilities in Fortinet's FortiSandbox malware analysis platform allow unauthenticated attackers to bypass authentication and execute arbitrary commands on vulnerable systems. Both flaws carry a CVSS score of 9.1, and Fortinet has released patches addressing the issues.
FortiSandbox serves as a critical security control in many enterprise environments, analyzing suspicious files before they reach endpoints. A compromised sandbox instance could allow attackers to pass malicious files as clean to dependent Fortinet products—or serve as a foothold for lateral movement across the network.
The Vulnerabilities
CVE-2026-39813: Authentication Bypass via Path Traversal
A path traversal vulnerability in the FortiSandbox JRPC API allows unauthenticated attackers to bypass authentication through specially crafted HTTP requests. The flaw affects FortiSandbox versions 4.4.0 through 4.4.8 and 5.0.0 through 5.0.5.
Successful exploitation grants attackers access to the sandbox management interface without credentials, opening the door to configuration manipulation, data exfiltration, or follow-on attacks.
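The advisory describes the bypass only as path traversal through crafted HTTP requests, so one thing a defender can do while scheduling the upgrade is look back through web access logs for traversal segments reaching the management interface. The script below is an added example, not Fortinet code: it normalizes request paths by percent-decoding them (bounded, so double-encoded dots are caught), flags any request whose decoded path contains a `..` segment, and separates attempts that received a 2xx response from those that were refused. The `/jrpc/placeholder` route and the log lines are constructed; the advisory does not name the affected endpoint.

```python
"""Flag HTTP requests whose decoded path contains a traversal segment.

Added example for the advisory above, not Fortinet code. The route
"/jrpc/placeholder" is a placeholder: the advisory does not name the
affected JRPC endpoint. The log lines are constructed.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access-log lines (combined-log style).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Apr/2026:10:01:02 +0000] "POST /jrpc/placeholder HTTP/1.1" 200 512
10.0.0.9 - - [10/Apr/2026:10:01:07 +0000] "GET /jrpc/placeholder/../../etc HTTP/1.1" 401 0
10.0.0.9 - - [10/Apr/2026:10:01:09 +0000] "GET /jrpc/%2e%2e/%2e%2e/config HTTP/1.1" 200 2048
10.0.0.7 - - [10/Apr/2026:10:02:00 +0000] "GET /static/app.js HTTP/1.1" 200 9000
10.0.0.9 - - [10/Apr/2026:10:02:11 +0000] "GET /jrpc/%252e%252e/x HTTP/1.1" 404 0
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def normalize_path(target: str, max_rounds: int = 3) -> str:
    """Return the request path, percent-decoded until stable (bounded).

    Repeated decoding catches double-encoded dots such as %252e; the bound
    keeps pathological inputs from looping. Backslashes are folded to
    forward slashes so a "..\\" segment is split like "../".
    """
    path = target.split("?", 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def has_traversal(target: str) -> bool:
    """True if any path segment, after decoding, is exactly '..'."""
    return any(seg == ".." for seg in normalize_path(target).split("/"))


def find_traversal_attempts(log_text: str) -> list[dict]:
    """Parse log lines and return those whose target path contains traversal."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        if has_traversal(m["target"]):
            hits.append({"src": m["src"], "ts": m["ts"], "target": m["target"],
                         "status": int(m["status"])})
    return hits


def successful_traversals(hits: list[dict]) -> list[dict]:
    """Traversal requests answered with 2xx: the ones to escalate first."""
    return [h for h in hits if 200 <= h["status"] < 300]


def attempts_by_source(hits: list[dict]) -> dict[str, int]:
    """Count attempts per client address to spot a single probing host."""
    return dict(Counter(h["src"] for h in hits))


if __name__ == "__main__":
    found = find_traversal_attempts(SAMPLE_LOG)
    for h in found:
        print(f'{h["src"]} {h["status"]} {h["target"]}')
    print("successful:", len(successful_traversals(found)))
    print("by source:", attempts_by_source(found))
```

Only the path component is inspected; traversal carried in query parameters or request bodies would need the same normalization applied to those fields. A refused attempt (401 or 404) from the same source that later gets a 200 is the sequence worth pulling the full request for.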
CVE-2026-39808: OS Command Injection
An OS command injection flaw (improper neutralization of special elements used in an OS command) in FortiSandbox allows unauthenticated attackers to execute arbitrary code via crafted HTTP requests. This vulnerability affects versions 4.4.0 through 4.4.8.
Combined with the auth bypass, attackers could achieve complete system compromise without any prior access.
Why FortiSandbox Compromise Matters
Malware sandboxes occupy a trusted position in security architectures. When FortiSandbox analyzes a file and declares it safe, downstream security products act on that verdict. An attacker controlling the sandbox could:
- Mark malicious files as benign, allowing them through email gateways and web filters
- Extract sensitive files submitted for analysis
- Use the compromised system as a pivot point into segmented network zones
Fortinet products have faced sustained targeting over the past year. We covered a FortiClient EMS SQL injection flaw last month that reached CISA's Known Exploited Vulnerabilities catalog within weeks of disclosure. Organizations running Fortinet appliances should assume threat actors are watching every advisory.
Affected Versions and Patches
| Branch | Affected Versions | Fixed Version |
|---|---|---|
| 5.0.x | 5.0.0 - 5.0.5 | 5.0.6 |
| 4.4.x | 4.4.0 - 4.4.8 | 4.4.9 |
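To turn the table into something that can be run over an appliance inventory, here is an added example (not Fortinet tooling) that encodes the two affected ranges and their fixed versions, compares versions numerically rather than as strings, and reports which hosts need which upgrade. The inventory at the bottom is constructed; a version outside every listed range is reported as not exposed, which covers patched builds but also branches the advisory does not mention, so those still deserve a manual check.

```python
"""Triage a FortiSandbox inventory against the advisory's affected ranges.

Added example, not Fortinet tooling. The version ranges come from the
advisory table; the inventory at the bottom is constructed.
"""

# Per CVE: (first affected, last affected, fixed), as version tuples.
ADVISORY_RANGES = {
    "CVE-2026-39813": [((4, 4, 0), (4, 4, 8), (4, 4, 9)),
                       ((5, 0, 0), (5, 0, 5), (5, 0, 6))],
    "CVE-2026-39808": [((4, 4, 0), (4, 4, 8), (4, 4, 9))],
}


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'major.minor.patch' into a tuple so comparison is numeric.

    String comparison would rank '4.4.10' below '4.4.9'; tuples do not.
    """
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognized version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def version_str(v: tuple[int, int, int]) -> str:
    return ".".join(str(n) for n in v)


def assess(version: str) -> dict[str, str]:
    """Map each CVE the version is exposed to onto the fixed build for its branch.

    An empty result means the version lies outside every listed range:
    either a patched build or a branch the advisory does not cover.
    """
    v = parse_version(version)
    exposed = {}
    for cve, ranges in ADVISORY_RANGES.items():
        for first, last, fixed in ranges:
            if first <= v <= last:
                exposed[cve] = version_str(fixed)
    return exposed


def triage(inventory: dict[str, str]) -> list[dict]:
    """Return one record per host needing an upgrade, most-exposed first."""
    todo = []
    for host, version in inventory.items():
        exposed = assess(version)
        if exposed:
            # All CVEs on one branch share a fixed build; take the highest anyway.
            target = max(exposed.values(), key=parse_version)
            todo.append({"host": host, "version": version,
                         "upgrade_to": target, "cves": sorted(exposed)})
    return sorted(todo, key=lambda r: (-len(r["cves"]), r["host"]))


# Constructed inventory: hostname -> reported FortiSandbox version.
SAMPLE_INVENTORY = {
    "fsa-dc1": "4.4.2",
    "fsa-dc2": "4.4.9",
    "fsa-lab": "5.0.3",
    "fsa-hq": "5.0.6",
}

if __name__ == "__main__":
    for r in triage(SAMPLE_INVENTORY):
        cves = ", ".join(r["cves"])
        print(f'{r["host"]}: {r["version"]} -> {r["upgrade_to"]}  ({cves})')
```

The 4.4.x hosts come out first because they are exposed to both CVEs, while 5.0.x hosts are affected only by the authentication bypass; that ordering is a reasonable patch-window priority when the appliances cannot all be taken down at once.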
Additional Fixes
Fortinet's April security advisory also addresses three medium-severity issues:
- CVE-2025-61886 and CVE-2026-39812: Cross-site scripting vulnerabilities in the web interface
- CVE-2026-25691: Arbitrary directory deletion via CLI
Recommended Actions
- Upgrade immediately to FortiSandbox 4.4.9 or 5.0.6
- Restrict management access to trusted networks only—do not expose FortiSandbox interfaces to the internet
- Monitor for anomalies in sandbox verdicts and submitted file volumes
- Review network segmentation to limit blast radius if a security appliance is compromised
No Exploitation Reported—Yet
Fortinet has not indicated these vulnerabilities are under active exploitation. But Fortinet advisories have a history of attracting rapid attacker attention. The critical FortiGate auth bypass disclosed earlier this year saw exploitation attempts within days.
Organizations should treat this as urgent. Sandboxes see sensitive files from across the enterprise. A compromised sandbox doesn't just let malware through—it gives attackers visibility into what your organization considers suspicious enough to analyze.
For organizations still running older FortiSandbox versions, the security advisory is available through Fortinet's PSIRT portal.