Fortinet has fixed two critical vulnerabilities in its FortiSandbox product that could allow unauthenticated attackers to bypass authentication and execute unauthorized code or commands on vulnerable systems. The vulnerabilities, tracked as CVE-2026-39813 and CVE-2026-39808, can be exploited through specially crafted HTTP requests, putting unpatched FortiSandbox deployments at considerable risk.
Overview of FortiSandbox
FortiSandbox serves as Fortinet’s advanced security solution designed for the detection and analysis of sophisticated threats. The system operates by executing suspicious files and URLs within a controlled environment, subsequently providing verdicts on their safety. Other Fortinet products such as firewalls, email security devices, endpoint security clients, SIEMs, and SOARs rely on these verdicts to enforce blocking actions and trigger alerts as well as automated responses. FortiSandbox integrates seamlessly with these solutions via the Fortinet Security Fabric.
Details of the Vulnerabilities
The first vulnerability, CVE-2026-39813, is categorized as a path traversal vulnerability affecting FortiSandbox’s JRPC API. It is present in systems running FortiSandbox versions 5.0.0 through 5.0.5 and 4.4.0 through 4.4.8. This flaw could enable attackers to bypass authentication, compromising the security of the affected systems.
The second vulnerability, CVE-2026-39808, impacts an unspecified API within FortiSandbox versions 4.4.0 through 4.4.8. It allows unauthorized code and command execution because special elements used in OS commands are handled improperly (OS command injection).
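To turn the version ranges above into an exposure check, the following added example (not Fortinet's or the article's code) triages an appliance inventory against the two critical CVEs. The inventory layout, hostnames, and version-string format are assumptions, and because the article does not name fixed releases, a version outside the listed ranges is reported as "not-listed" rather than safe.

```python
import csv
import io
import re

# Affected ranges exactly as stated in the article (inclusive bounds).
AFFECTED = {
    "CVE-2026-39813": [((5, 0, 0), (5, 0, 5)), ((4, 4, 0), (4, 4, 8))],
    "CVE-2026-39808": [((4, 4, 0), (4, 4, 8))],
}
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Return (major, minor, patch) from a version string, or None if unparseable."""
    m = VERSION_RE.search(text or "")
    return tuple(int(p) for p in m.groups()) if m else None

def cves_for(version):
    """List the critical CVEs whose stated ranges contain this version tuple."""
    return sorted(
        cve for cve, ranges in AFFECTED.items()
        if any(lo <= version <= hi for lo, hi in ranges)
    )

def triage(inventory_csv):
    """Map each host to ('affected', [cves]), ('not-listed', []) or ('unknown', [])."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        version = parse_version(row.get("version"))
        if version is None:
            results[row["host"]] = ("unknown", [])  # unparseable: check by hand
            continue
        cves = cves_for(version)
        # Outside the stated ranges means "not listed in the article", not "safe".
        results[row["host"]] = ("affected", cves) if cves else ("not-listed", [])
    return results

# Constructed sample inventory; hostnames and version-string format are assumptions.
SAMPLE_INVENTORY = """host,version
fsa-dc1,5.0.3
fsa-dc2,v4.4.8-build0421
fsa-lab,5.0.6
fsa-old,4.2.7
fsa-dr,n/a
"""

if __name__ == "__main__":
    for host, (status, cves) in triage(SAMPLE_INVENTORY).items():
        print(f"{host:8} {status:11} {', '.join(cves)}")
```

Hosts reported as "not-listed" or "unknown" still need to be checked against Fortinet's own advisories, since this check encodes only the ranges quoted in the article.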
Both vulnerabilities were disclosed to Fortinet by security researchers. CVE-2026-39813 was reported by a member of Fortinet’s internal PSIRT team, while CVE-2026-39808 was flagged by a researcher from KPMG Spain. As of now, there is no evidence suggesting that these vulnerabilities have been actively exploited by malicious actors. However, should a FortiSandbox instance be compromised, it could mislead dependent Fortinet products into treating malicious files as legitimate, thereby facilitating lateral movement within enterprise networks.
Additional Security Updates
In conjunction with addressing the critical vulnerabilities, Fortinet has also implemented fixes for three medium-severity vulnerabilities found in FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS. Two of these vulnerabilities, identified as CVE-2025-61886 and CVE-2026-39812, could enable cross-site scripting (XSS) attacks. The third vulnerability, designated as CVE-2026-25691, may allow a privileged attacker with a super-admin profile and CLI access to delete arbitrary directories through crafted HTTP requests.
Fortinet urges all users to promptly apply the necessary updates to safeguard their systems against these vulnerabilities and maintain the integrity of their security infrastructure. As cyber threats continue to evolve, it is essential for organizations to stay vigilant and ensure that their security solutions are up to date.
Source: Help Net Security News