Threat actors are actively exploiting multiple critical vulnerabilities in Fortinet FortiSandbox. The reported activity involves three vulnerabilities that can be exploited without authentication: CVE-2026-39813, CVE-2026-39808, and CVE-2026-25089.
These flaws are high-risk because they are reachable remotely through crafted HTTP requests and may allow authentication bypass, privilege escalation, or execution of unauthorized commands on vulnerable FortiSandbox systems. An attacker does not need valid credentials, so any FortiSandbox interface reachable from an untrusted network is a direct target.
Vulnerability Overview
CVE-2026-39813: FortiSandbox JRPC API Path Traversal
CVE-2026-39813 is a critical path traversal vulnerability in the FortiSandbox JRPC API. Successful exploitation may allow an unauthenticated attacker to bypass authentication by sending specially crafted HTTP requests.
Affected versions include FortiSandbox 5.0.0 through 5.0.5 and FortiSandbox 4.4.0 through 4.4.8.
CVE-2026-39808: FortiSandbox API Command Injection
CVE-2026-39808 is a critical OS command injection vulnerability affecting the FortiSandbox API. An unauthenticated attacker may exploit the flaw using crafted HTTP requests to execute unauthorized code or commands.
Affected versions include FortiSandbox 4.4.0 through 4.4.8.
CVE-2026-25089: FortiSandbox WEB UI Command Injection
CVE-2026-25089 is a critical OS command injection vulnerability affecting FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS WEB UI. Exploitation may allow an unauthenticated attacker to execute unauthorized commands through specifically crafted HTTP requests.
Affected versions include FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 through 4.4.8, FortiSandbox Cloud 5.0.4 through 5.0.5, and FortiSandbox PaaS 5.0.4 through 5.0.5.
Threat Context
Fortinet appliances are frequently targeted by both financially motivated and state-linked threat actors because they often sit at the edge of enterprise environments and provide valuable access into internal networks.
FortiSandbox is especially sensitive because it is used to analyze suspicious files and URLs and may be integrated with other security controls. A compromised FortiSandbox instance could potentially be abused as a foothold, used to interfere with threat analysis workflows, or leveraged to support further movement within a Fortinet-connected environment.
The highest-risk deployments are internet-exposed FortiSandbox systems, systems accessible from low-trust network segments, and systems integrated with other Fortinet products or internal security tooling.
Recommended Actions
Organizations should take the following actions immediately:
- Patch affected FortiSandbox deployments
  - Upgrade FortiSandbox 5.0 to version 5.0.6 or later.
  - Upgrade FortiSandbox 4.4 to version 4.4.9 or later.
  - Upgrade affected FortiSandbox Cloud and PaaS versions to fixed releases where applicable.
- Restrict network exposure
  - Ensure FortiSandbox management and API interfaces are not exposed to the public internet.
  - Limit access to trusted administrative networks and VPNs.
  - Apply firewall rules to restrict access to FortiSandbox web, API, and management services.
- Review FortiSandbox logs
  - Look for unusual HTTP requests targeting API, JRPC, or WEB UI endpoints, in particular encoded path-traversal sequences in request paths and shell metacharacters in request parameters, since these are the request shapes the three flaws are exploited with.
  - Investigate authentication anomalies, unexpected administrative activity, and suspicious error patterns.
  - Review activity from 14 April 2026 onward for CVE-2026-39813 and CVE-2026-39808 exposure, and from 9 June 2026 onward for CVE-2026-25089 exposure.
- Rotate credentials where compromise is suspected
  - Rotate administrative credentials used on FortiSandbox.
  - Review API keys, service accounts, and integration credentials.
  - Check whether FortiSandbox has access to sensitive internal systems or security platforms.
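The log-review step above can be scripted. The following is an added example written for this page, not code from Fortinet or from the OP Innovate Research Team. It triages web access-log lines for the two request shapes the advisory describes, path-traversal sequences (after repeated percent-decoding, so double-encoded payloads are caught) and shell metacharacters in request arguments, and tags each hit with the advisory's review windows. The log layout, the sample lines, and the watched endpoint prefixes (/jrpc, /api, /ui) are assumptions: the page does not show FortiSandbox's actual log format or endpoint paths, so both must be substituted before the script is run against real data.

```python
import re
from collections import Counter
from datetime import datetime, timezone
from urllib.parse import unquote

# Constructed sample lines in a generic access-log layout. These are NOT real
# FortiSandbox logs; the real format and endpoint paths are not shown on the
# page and must be substituted before use. The second line is double-encoded.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Apr/2026:02:14:03 +0000] "POST /jrpc HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [15/Apr/2026:02:14:05 +0000] "GET /jrpc/..%252f..%252fetc%252fpasswd HTTP/1.1" 200 1024 "-" "python-requests/2.31"
198.51.100.23 - admin [15/Apr/2026:08:30:11 +0000] "GET /login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [11/Jun/2026:23:59:58 +0000] "POST /api/upload?name=a.txt;id HTTP/1.1" 500 0 "-" "curl/8.4.0"
203.0.113.9 - - [12/Jun/2026:00:00:02 +0000] "GET /ui/run?cmd=%24(id) HTTP/1.1" 200 300 "-" "curl/8.4.0"
192.0.2.50 - admin [12/Jun/2026:09:12:44 +0000] "GET /api/status HTTP/1.1" 200 600 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Assumed watch list: the advisory names the JRPC API, the API and the WEB UI
# as the attacked surfaces but gives no paths; these prefixes are placeholders.
WATCH_PREFIXES = ("/jrpc", "/api", "/ui")

# Earliest date to look back to for each flaw, as stated in the advisory.
REVIEW_WINDOWS = {
    "CVE-2026-39813/CVE-2026-39808": datetime(2026, 4, 14, tzinfo=timezone.utc),
    "CVE-2026-25089": datetime(2026, 6, 9, tzinfo=timezone.utc),
}

# A '..' path segment after decoding, in either slash style.
TRAVERSAL_RE = re.compile(r'(?:^|[/\\])\.\.(?:[/\\]|$)')
# Shell metacharacters used to chain a second command into an argument
# (a literal newline covers a decoded %0a).
CMD_INJ_RE = re.compile(r'[;|`\n]|\$\(|&&')


def full_decode(s, max_rounds=3):
    """Percent-decode repeatedly so double-encoded payloads (%252e -> %2e -> .) become visible."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify(target):
    """Return (decoded target, list of indicator names) for one request target."""
    decoded = full_decode(target)
    path = decoded.split("?", 1)[0]
    reasons = []
    if TRAVERSAL_RE.search(path):
        reasons.append("path-traversal")
    if CMD_INJ_RE.search(decoded):
        reasons.append("command-injection")
    return decoded, reasons


def triage(log_text, watch_prefixes=WATCH_PREFIXES):
    """Parse access-log lines and return one finding per request carrying an indicator."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: not this script's concern
        decoded, reasons = classify(m["target"])
        if not reasons:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        findings.append({
            "ip": m["ip"],
            "ts": ts.isoformat(),
            "user": m["user"],
            "status": int(m["status"]),
            "target": decoded,
            "reasons": reasons,
            "watched_endpoint": decoded.startswith(watch_prefixes),
            "unauthenticated": m["user"] == "-",
            "review_windows": [name for name, start in REVIEW_WINDOWS.items() if ts >= start],
        })
    return findings


def summarize(findings):
    """Hits per source address, to spot a single host probing repeatedly."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"{f['ts']} {f['ip']:<14} {','.join(f['reasons']):<32} "
              f"status={f['status']} unauth={f['unauthenticated']} {f['target']}")
    print("hits per source:", dict(summarize(hits)))
```

A 200 response to a traversal request from an unauthenticated source, or a 500 on a request that carries a metacharacter, is the combination worth escalating; the `review_windows` field tells you which of the advisory's look-back periods the event falls in, so the April and June cut-offs do not have to be applied by hand.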
Stay Safe. Stay Secure.
OP Innovate Research Team