What is Fortinet FortiSandbox?
FortiSandbox is Fortinet's malware detonation and analysis appliance, deployed to detect zero-day and evasive threats by executing suspicious files in isolated virtual environments before they reach production systems. It integrates with FortiGate firewalls, FortiMail, and other Fortinet security products as part of the broader Fortinet Security Fabric, and typically has privileged network access to ingest samples from across an organization's security stack. Because it sits at a trust boundary — analyzing untrusted, potentially malicious content — a compromise of FortiSandbox itself is a high-value pivot point into the rest of the security infrastructure it's meant to protect.
Overview
CVE-2026-39808 is an OS command injection vulnerability (CWE-78) in a FortiSandbox API endpoint that allows an unauthenticated, network-based attacker to execute arbitrary commands as root with a single crafted HTTP request. Fortinet disclosed and patched it in April 2026 with no known active exploitation at the time, but a public proof-of-concept was released shortly after, and by mid-June 2026 threat intelligence firms observed real-world exploitation attempts against unpatched systems — run together with two other FortiSandbox vulnerabilities patched around the same period, CVE-2026-25089 and CVE-2026-39813.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| FortiSandbox 4.4 | 4.4.0 – 4.4.8 | 4.4.9 and later |
FortiSandbox 5.0 and later branches are not affected by this specific CVE.
Technical Details
The vulnerability exists in a FortiSandbox API endpoint at /fortisandbox/job-detail/tracer-behavior, where the jid GET parameter is passed unsanitized into a system-level shell command. By injecting shell metacharacters (such as a pipe |) into the jid value, an attacker can chain arbitrary additional commands that execute with root privileges. The attack requires no authentication and no user interaction (CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, 9.8 Critical) and can be carried out with a single HTTP request.
Discovery
CVE-2026-39808 was reported to Fortinet under responsible disclosure by Samuel de Lucas Maroto of KPMG Spain.
Exploitation Context
At disclosure in April 2026, Fortinet's advisory noted no known active exploitation. A working proof-of-concept targeting the jid parameter became publicly available on GitHub shortly afterward. Threat intelligence firm Defused confirmed active exploitation attempts matching the public PoC starting mid-June 2026, targeting systems that had not applied the April patch — run in the same wave as attacks against CVE-2026-25089 and CVE-2026-39813, indicating attackers were systematically working through FortiSandbox's recently-disclosed vulnerabilities against organizations slow to patch.
Remediation
- Upgrade to FortiSandbox 4.4.9 or later (or the fixed release for your branch) immediately — a public exploit has been available for months.
- Restrict management interface access: FortiSandbox's web UI and API should not be exposed to the internet; restrict access to trusted management networks only.
- Review logs for exploitation indicators: look for anomalous requests to
/fortisandbox/job-detail/tracer-behaviorcontaining shell metacharacters (|,;,`,$() in thejidparameter, and unexpected root-level process execution on the appliance. - Treat any internet-exposed, unpatched instance as compromised given the availability of public exploit code and confirmed in-the-wild attacks — rotate credentials and inspect for persistence mechanisms.
- Patch alongside related CVE-2026-25089 and CVE-2026-39813, which were exploited in the same campaign against FortiSandbox deployments.
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2026-39808 |
| Vendor / Product | Fortinet — FortiSandbox |
| NVD Published | 2026-04-14 |
| NVD Last Modified | 2026-07-16 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-78 find similar ↗ |
| CISA KEV Added | 2026-07-16 |
| CISA KEV Deadline | 2026-07-19 |
| Known Ransomware Use | No |
CVSS 3.1 Breakdown
Required Action
Timeline
| Date | Event |
|---|---|
| 2026-04-14 | CVE-2026-39808 disclosed by Fortinet PSIRT (advisory FG-IR-26-100); no known active exploitation at time of disclosure |
| 2026-04 | Public proof-of-concept exploit code released on GitHub |
| 2026-06-14 | Active in-the-wild exploitation observed against unpatched systems, alongside CVE-2026-25089 and CVE-2026-39813 |
| 2026-07-16 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2026-07-19 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Fortinet PSIRT Advisory FG-IR-26-100 | Vendor Advisory |
| NVD — CVE-2026-39808 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Attackers Exploit Three Fortinet FortiSandbox Vulnerabilities | News |
| Qualys ThreatPROTECT — FortiSandbox Vulnerabilities Exploited by Attackers | Security Research |