CVE-2026-39808 — Fortinet FortiSandbox OS Command Injection Vulnerability

CVE-2026-39808

Fortinet FortiSandbox — Unauthenticated Root Command Injection via tracer-behavior API

What is Fortinet FortiSandbox?

FortiSandbox is Fortinet's malware detonation and analysis appliance, deployed to detect zero-day and evasive threats by executing suspicious files in isolated virtual environments before they reach production systems. It integrates with FortiGate firewalls, FortiMail, and other Fortinet security products as part of the broader Fortinet Security Fabric, and typically has privileged network access to ingest samples from across an organization's security stack. Because it sits at a trust boundary — analyzing untrusted, potentially malicious content — a compromise of FortiSandbox itself is a high-value pivot point into the rest of the security infrastructure it's meant to protect.

Overview

CVE-2026-39808 is an OS command injection vulnerability (CWE-78) in a FortiSandbox API endpoint that allows an unauthenticated, network-based attacker to execute arbitrary commands as root with a single crafted HTTP request. Fortinet disclosed and patched it in April 2026 with no known active exploitation at the time, but a public proof-of-concept was released shortly after, and by mid-June 2026 threat intelligence firms observed real-world exploitation attempts against unpatched systems — run together with two other FortiSandbox vulnerabilities patched around the same period, CVE-2026-25089 and CVE-2026-39813.

Affected Versions

Product Vulnerable Fixed
FortiSandbox 4.4 4.4.0 – 4.4.8 4.4.9 and later

FortiSandbox 5.0 and later branches are not affected by this specific CVE.

Technical Details

The vulnerability exists in a FortiSandbox API endpoint at /fortisandbox/job-detail/tracer-behavior, where the jid GET parameter is passed unsanitized into a system-level shell command. By injecting shell metacharacters (such as a pipe |) into the jid value, an attacker can chain arbitrary additional commands that execute with root privileges. The attack requires no authentication and no user interaction (CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, 9.8 Critical) and can be carried out with a single HTTP request.

Discovery

CVE-2026-39808 was reported to Fortinet under responsible disclosure by Samuel de Lucas Maroto of KPMG Spain.

Exploitation Context

At disclosure in April 2026, Fortinet's advisory noted no known active exploitation. A working proof-of-concept targeting the jid parameter became publicly available on GitHub shortly afterward. Threat intelligence firm Defused confirmed active exploitation attempts matching the public PoC starting mid-June 2026, targeting systems that had not applied the April patch — run in the same wave as attacks against CVE-2026-25089 and CVE-2026-39813, indicating attackers were systematically working through FortiSandbox's recently-disclosed vulnerabilities against organizations slow to patch.

Remediation

  1. Upgrade to FortiSandbox 4.4.9 or later (or the fixed release for your branch) immediately — a public exploit has been available for months.
  2. Restrict management interface access: FortiSandbox's web UI and API should not be exposed to the internet; restrict access to trusted management networks only.
  3. Review logs for exploitation indicators: look for anomalous requests to /fortisandbox/job-detail/tracer-behavior containing shell metacharacters (|, ;, `, $() in the jid parameter, and unexpected root-level process execution on the appliance.
  4. Treat any internet-exposed, unpatched instance as compromised given the availability of public exploit code and confirmed in-the-wild attacks — rotate credentials and inspect for persistence mechanisms.
  5. Patch alongside related CVE-2026-25089 and CVE-2026-39813, which were exploited in the same campaign against FortiSandbox deployments.

Key Details

PropertyValue
CVE ID CVE-2026-39808
Vendor / Product Fortinet — FortiSandbox
NVD Published2026-04-14
NVD Last Modified2026-07-16
CVSS 3.1 Score9.8
CVSS 3.1 VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SeverityCRITICAL
CWE CWE-78 find similar ↗
CISA KEV Added2026-07-16
CISA KEV Deadline2026-07-19
Known Ransomware Use No

CVSS 3.1 Breakdown

Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Required Action

CISA BOD 22-01 Deadline: 2026-07-19. Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.

Timeline

DateEvent
2026-04-14CVE-2026-39808 disclosed by Fortinet PSIRT (advisory FG-IR-26-100); no known active exploitation at time of disclosure
2026-04Public proof-of-concept exploit code released on GitHub
2026-06-14Active in-the-wild exploitation observed against unpatched systems, alongside CVE-2026-25089 and CVE-2026-39813
2026-07-16Added to CISA Known Exploited Vulnerabilities catalog
2026-07-19CISA BOD 22-01 remediation deadline